Dropped packets under heavy load of incoming connections, also for IPs set as allowed

URGENT!!!

I have a Nimble streaming server behind an IPFire firewall that will receive around 600 incoming visitor connections for the live stream that I have organized.

Will IPFire limit the number of connections at the same time, like … 600 incoming connections in 10 minutes?
I have optimized my streaming server but I don’t want IPFire to become a limit.

To be sure, I have disabled IPS inspection.

Please let me know.
Regards.

With tonight's stream, when I reached 200 viewers at 1050kb/s with a bandwidth peak of 350mbps, the connections were completely lost …

The streaming VPS was set up with all the best practices of an overload system out connections… and I suspect that it could be IPFire creating the problems.

IPFire staff, can you please advise me about possible problems that the firewall can create in a situation of 200/300 incoming connections?

Please let me know.

How do you know? Or did you have a glance into the crystal ball?

For this reason I’m asking the staff…
because I don’t see an OS system overload …
Therefore, if you don’t have the crystal ball, you can’t help me :wink:

Could IPFire create a bottleneck while doing the filtering job?

Thank you.

HOW TO AVOID THESE PACKET DROPS???

4041 is today's stream port and 8081/10001 the old ones.

From MY OFFICE IP - 998 packets
    To 192.168.30.12 (LAN IP OF THE VPS) - 803 packets
        Service: sunproxyadmin (tcp/8081) (DROP_FORWARD) - 803 packets
    To PUBLIC SERVER IP - 195 packets
        Service: houston (tcp/4041) (DROP_INPUT) - 88 packets
        Service: sunproxyadmin (tcp/8081) (DROP_INPUT) - 35 packets
        Service: scp-config (tcp/10001) (DROP_INPUT) - 72 packets

and

From MY OFFICE IP - 1056 packets
    To PUBLIC SERVER IP - 1056 packets
        Service: houston (tcp/4041) (DNAT) - 1051 packets
        Service: scp-config (tcp/10001) (DNAT) - 5 packets

Hi JJ!

Disclaimer: I’m not one of the experts (sorry!)

You may want to look at Quality of Service - https://wiki.ipfire.org/configuration/services/qos

It might help the experts:

Really thank you :slight_smile:

{
"profile": {
    "bogomips": 6825.25, 
    "cpu": {
        "arch": "x86_64", 
        "count": 8, 
        "family": 15, 
        "flags": [
            "fpu", 
            "vme", 
            "de", 
            "pse", 
            "tsc", 
            "msr", 
            "pae", 
            "mce", 
            "cx8", 
            "apic", 
            "sep", 
            "mtrr", 
            "pge", 
            "mca", 
            "cmov", 
            "pat", 
            "pse36", 
            "clflush", 
            "mmx", 
            "fxsr", 
            "sse", 
            "sse2", 
            "ht", 
            "syscall", 
            "nx", 
            "lm", 
            "constant_tsc", 
            "nopl", 
            "xtopology", 
            "cpuid", 
            "tsc_known_freq", 
            "pni", 
            "cx16", 
            "pcid", 
            "x2apic", 
            "aes", 
            "hypervisor", 
            "lahf_lm", 
            "cpuid_fault", 
            "pti", 
            "ssbd", 
            "md_clear"
        ], 
        "model": 6, 
        "model_string": "Common KVM processor", 
        "speed": 3411.48, 
        "stepping": 1, 
        "vendor": "GenuineIntel"
    }, 
    "devices": [
        {
            "deviceclass": "c0300", 
            "driver": "uhci_hcd", 
            "model": "7020", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "60400", 
            "driver": null, 
            "model": "0001", 
            "sub_model": "0000", 
            "sub_vendor": "0000", 
            "subsystem": "pci", 
            "vendor": "1b36"
        }, 
        {
            "deviceclass": "60100", 
            "driver": null, 
            "model": "7000", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "20000", 
            "driver": "e1000", 
            "model": "100e", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "60400", 
            "driver": null, 
            "model": "0001", 
            "sub_model": "0000", 
            "sub_vendor": "0000", 
            "subsystem": "pci", 
            "vendor": "1b36"
        }, 
        {
            "deviceclass": "60000", 
            "driver": null, 
            "model": "1237", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "68000", 
            "driver": "piix4_smbus", 
            "model": "7113", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "20000", 
            "driver": "e1000", 
            "model": "100e", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "10180", 
            "driver": "ata_piix", 
            "model": "7010", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "30000", 
            "driver": null, 
            "model": "1111", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "1234"
        }, 
        {
            "deviceclass": "10000", 
            "driver": "virtio-pci", 
            "model": "1004", 
            "sub_model": "0008", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "1af4"
        }, 
        {
            "deviceclass": null, 
            "driver": "usb", 
            "model": "0001", 
            "subsystem": "usb", 
            "vendor": "1d6b"
        }, 
        {
            "deviceclass": null, 
            "driver": "usb", 
            "model": "0001", 
            "subsystem": "usb", 
            "vendor": "0627"
        }, 
        {
            "deviceclass": "9/0/0", 
            "driver": "hub", 
            "model": "0001", 
            "subsystem": "usb", 
            "vendor": "1d6b"
        }, 
        {
            "deviceclass": "3/0/0", 
            "driver": "usbhid", 
            "model": "0001", 
            "subsystem": "usb", 
            "vendor": "0627"
        }
    ], 
    "hypervisor": {
        "vendor": "KVM"
    }, 
    "network": {
        "blue": false, 
        "green": true, 
        "orange": false, 
        "red": true
    }, 
    "system": {
        "kernel_release": "4.14.173-ipfire", 
        "language": "en", 
        "memory": 1991324, 
        "model": "Standard PC (i440FX + PIIX, 1996)", 
        "release": "IPFire 2.25 (x86_64) - core142", 
        "root_size": 33554432, 
        "vendor": "QEMU", 
        "virtual": true
    }
}, 
"profile_version": 0, 
"public_id": "3da230eedead754fc91291927b07d07c2f1464d0"

}

"model_string": "Common KVM processor",
"hypervisor": { "vendor": "KVM" },

You use virtualization and probably share CPU cores, which results in CPU waiting for IO = 100%.

FYI - (and a picky item) from the Service Status Information it looks like IPS is still running…

Get rid of the VM and use a standalone box for IPFire. VM is great for testing but I wouldn’t suggest using it for this.

Thank you. IPS is disabled when the stream is on, and activated when it finishes.

Yes, it is a Proxmox host, but is completely free…
The CPU is 90% free…

I can’t run IPFire standalone in a datacenter.

How can I apply manual settings to increase the performance of IPFire?

On the host I’m using these settings and the streaming VM is working correctly.

That’s uninteresting in the case of “CPU waiting for IO” = 100% and you encounter that status many times a day. The last time I’ve personally seen this was years ago and was hardware related. In your case it’s probably the CPU of the host doing other things with higher priority than your VM. But this is not good for IPFire.

Do you have any warnings or error messages in the kernel system log?

So… I have powered off IPFire and connected the streaming VPS directly to the public IP…

I hope to have better performance…
Today is streaming day … I will write whether I win or lose.

It could be nice to have qemu-guest-agent for IPFire running as a VPS…
I know that it needs time and a lot of work… but in a virtualized world, having full compatibility is a must-have …

Hello,

it is not at all impossible to push a lot of packets through a virtual firewall. However, it will need some CPU time and of course use a lot of resources of the hypervisor.

If those resources are not available in realtime, clients and server applications will start retransmitting packets which will congest the line without much useful data traveling through it.

In order to have someone look at this properly, I would suggest that you get in touch with Lightning Wire Labs, have your environment assessed and then see what can be done.
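The replies above attribute the drops to the firewall VM waiting on I/O or losing CPU time to the hypervisor. As an added example (not from the thread or from IPFire), this Python script compares two `/proc/stat` snapshots and reports how much of the interval each vCPU spent in iowait, steal and softirq; the sample snapshots and the 30% threshold are constructed assumptions.

```python
FIELDS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")

# Constructed /proc/stat excerpts taken some seconds apart (not data from the thread).
SNAP_A = """cpu  4000 0 2000 90000 1000 0 500 500 0 0
cpu0 2000 0 1000 45000 500 0 250 250 0 0
cpu1 2000 0 1000 45000 500 0 250 250 0 0
"""
SNAP_B = """cpu  4150 0 2150 91050 1400 0 650 600 0 0
cpu0 2100 0 1100 45200 900 0 350 350 0 0
cpu1 2050 0 1050 45850 500 0 300 250 0 0
"""

def parse_stat(text):
    """Return {label: [jiffies per FIELDS]} for every 'cpu*' line."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("cpu"):
            # guest/guest_nice are already counted in user/nice, so stop at steal
            vals = [int(v) for v in parts[1:1 + len(FIELDS)]]
            out[parts[0]] = vals + [0] * (len(FIELDS) - len(vals))
    return out

def cpu_shares(before, after):
    """Percentage of the elapsed CPU time spent in each state, per label."""
    a, b = parse_stat(before), parse_stat(after)
    shares = {}
    for label in a.keys() & b.keys():
        delta = [y - x for x, y in zip(a[label], b[label])]
        total = sum(delta)
        if total <= 0:  # counters did not advance between the snapshots
            continue
        shares[label] = {f: round(100.0 * d / total, 1) for f, d in zip(FIELDS, delta)}
    return shares

def starved(shares, limit=30.0):
    """Labels where iowait + steal took at least `limit` percent (assumed threshold)."""
    return sorted(l for l, s in shares.items() if s["iowait"] + s["steal"] >= limit)

if __name__ == "__main__":
    shares = cpu_shares(SNAP_A, SNAP_B)
    for label in sorted(shares):
        s = shares[label]
        print(label, "iowait", s["iowait"], "steal", s["steal"], "softirq", s["softirq"])
    print("starved:", starved(shares))
```

On a live system, read `/proc/stat` twice a few seconds apart while the stream is under load and pass both texts to `cpu_shares`; high steal points at the hypervisor, high softirq at packet processing in the guest.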

@ms sorry but as far as I can read, the issue is occurring in a VPS, not on “metal hardware”…

Thank you for the support.
For your information, I am sending you some screenshots of yesterday's IPFire status on the hypervisor.

And these screenshots were the general hypervisor status when IPFire was under load.
The main host has 1gbps in/out bandwidth…