Dropping packets under heavy load on incoming connections, also to IPs set as allowed

Really thank you :slight_smile:

{
"profile": {
    "bogomips": 6825.25, 
    "cpu": {
        "arch": "x86_64", 
        "count": 8, 
        "family": 15, 
        "flags": [
            "fpu", 
            "vme", 
            "de", 
            "pse", 
            "tsc", 
            "msr", 
            "pae", 
            "mce", 
            "cx8", 
            "apic", 
            "sep", 
            "mtrr", 
            "pge", 
            "mca", 
            "cmov", 
            "pat", 
            "pse36", 
            "clflush", 
            "mmx", 
            "fxsr", 
            "sse", 
            "sse2", 
            "ht", 
            "syscall", 
            "nx", 
            "lm", 
            "constant_tsc", 
            "nopl", 
            "xtopology", 
            "cpuid", 
            "tsc_known_freq", 
            "pni", 
            "cx16", 
            "pcid", 
            "x2apic", 
            "aes", 
            "hypervisor", 
            "lahf_lm", 
            "cpuid_fault", 
            "pti", 
            "ssbd", 
            "md_clear"
        ], 
        "model": 6, 
        "model_string": "Common KVM processor", 
        "speed": 3411.48, 
        "stepping": 1, 
        "vendor": "GenuineIntel"
    }, 
    "devices": [
        {
            "deviceclass": "c0300", 
            "driver": "uhci_hcd", 
            "model": "7020", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "60400", 
            "driver": null, 
            "model": "0001", 
            "sub_model": "0000", 
            "sub_vendor": "0000", 
            "subsystem": "pci", 
            "vendor": "1b36"
        }, 
        {
            "deviceclass": "60100", 
            "driver": null, 
            "model": "7000", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "20000", 
            "driver": "e1000", 
            "model": "100e", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "60400", 
            "driver": null, 
            "model": "0001", 
            "sub_model": "0000", 
            "sub_vendor": "0000", 
            "subsystem": "pci", 
            "vendor": "1b36"
        }, 
        {
            "deviceclass": "60000", 
            "driver": null, 
            "model": "1237", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "68000", 
            "driver": "piix4_smbus", 
            "model": "7113", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "20000", 
            "driver": "e1000", 
            "model": "100e", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "10180", 
            "driver": "ata_piix", 
            "model": "7010", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "8086"
        }, 
        {
            "deviceclass": "30000", 
            "driver": null, 
            "model": "1111", 
            "sub_model": "1100", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "1234"
        }, 
        {
            "deviceclass": "10000", 
            "driver": "virtio-pci", 
            "model": "1004", 
            "sub_model": "0008", 
            "sub_vendor": "1af4", 
            "subsystem": "pci", 
            "vendor": "1af4"
        }, 
        {
            "deviceclass": null, 
            "driver": "usb", 
            "model": "0001", 
            "subsystem": "usb", 
            "vendor": "1d6b"
        }, 
        {
            "deviceclass": null, 
            "driver": "usb", 
            "model": "0001", 
            "subsystem": "usb", 
            "vendor": "0627"
        }, 
        {
            "deviceclass": "9/0/0", 
            "driver": "hub", 
            "model": "0001", 
            "subsystem": "usb", 
            "vendor": "1d6b"
        }, 
        {
            "deviceclass": "3/0/0", 
            "driver": "usbhid", 
            "model": "0001", 
            "subsystem": "usb", 
            "vendor": "0627"
        }
    ], 
    "hypervisor": {
        "vendor": "KVM"
    }, 
    "network": {
        "blue": false, 
        "green": true, 
        "orange": false, 
        "red": true
    }, 
    "system": {
        "kernel_release": "4.14.173-ipfire", 
        "language": "en", 
        "memory": 1991324, 
        "model": "Standard PC (i440FX + PIIX, 1996)", 
        "release": "IPFire 2.25 (x86_64) - core142", 
        "root_size": 33554432, 
        "vendor": "QEMU", 
        "virtual": true
    }
}, 
"profile_version": 0, 
"public_id": "3da230eedead754fc91291927b07d07c2f1464d0"

}

“model_string”: “Common KVM processor”,
“hypervisor”: { “vendor”: “KVM” },

You use virtualization and probably share CPU cores, which results in CPU waiting for IO = 100%.

FYI - (and a picky item) from the Service Status Information it looks like IPS is still running…

Get rid of the VM and use a standalone box for IPFire. A VM is great for testing, but I wouldn't suggest using it for this.

1 Like

Thank you. IPS is disabled when the stream is on, and activated when it finishes.

Yes, it is a Proxmox host, but it is completely free…
The CPU is 90% free…

I can't run IPFire standalone in a datacenter.

How can I apply manual settings to increase the performance of IPFire?

On the host I'm using these settings, and the streaming VM is working correctly.

That's uninteresting in the case of "CPU waiting for IO" = 100%, and you encounter that status many times a day. The last time I personally saw this was years ago, and it was hardware related. In your case it's probably the CPU of the host doing other things with higher priority than your VM. But this is not good for IPFire.

Do you have any warnings or error messages in the kernel system log?

1 Like

So… I have powered off IPFire and connected the streaming VPS directly to the public IP…

I hope to have better performance…
Today is streaming day… I will write whether I win or lose.

It could be nice to have qemu-guest-agent for IPFire running as a VPS…
I know that needs time and a lot of work… but in a virtualized world, having full compatibility is a must-have…

Hello,

it is not at all impossible to push a lot of packets through a virtual firewall. However, it will need some CPU time and of course use a lot of resources of the hypervisor.

If those resources are not available in realtime, clients and server applications will start retransmitting packets which will congest the line without much useful data traveling through it.

In order to have someone look at this properly, I would suggest that you get in touch with Lightning Wire Labs, have your environment assessed and then see what can be done.

@ms sorry, but as far as I can read, the issue is occurring in a VPS, not on "metal hardware"…

Thank you for the support.
For your information, I send you some screenshots of yesterday's IPFire status on the hypervisor


And these screenshots show the general hypervisor status when IPFire was under load.
The main host has 1 Gbps in/out bandwidth…

here the down.

Hello.
Without IPFire, I have reached 900 Mbps out with 420 viewers for 12 hours without problems.

Can anyone advise me on any simple-interface firewall like IPFire that runs without lag on Proxmox?

How can you run this without a firewall?

As I said, you seem to be running a more complex setup there. The hypervisor will be your bottleneck.

It will require more information on your setup and workload in order to remove that.

1 Like

Hi. I used the embedded Proxmox hypervisor firewall, opening only the public stream port.
The other ports where the VPS receives my encoded video stream are locked to my source static IP. The only world-visible port is the stream port where the viewers connect to see the live video.

Inside the stream software platform I deny access to all non-Italy IPs, with hotlink protection and playback locked to the specified domain, generating a time-scheduled string code to append to the stream URL.

In this way the only visible port is the stream port, only Italian IPs can try to see the stream, the stream is webpage password protected, and the video stream link in the player expires every 60 seconds from the first time the page is compiled.

It's like using the geo-IP block of IPFire and locking incoming connections to only a specified source IP.

https://pve.proxmox.com/wiki/Firewall

Also, I have configured TCP BBR congestion control directly on the VPS

and enabled multiqueue with 8 CPU threads on the hypervisor for the VPS virtual ethernet card.

It remains that if I could use IPFire for these situations, it would be great, in order to better manage security.
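The "time-scheduled string code" appended to the stream URL that the post above describes is a signed, expiring link. The following is an added example of how such a scheme can be implemented and verified; it is not code from the poster, from the streaming platform, or from IPFire. It assumes an HMAC-SHA256 signature over the domain, path and expiry timestamp, a 60-second lifetime matching the post, a constructed secret and a placeholder domain (`stream.example.invalid`); the hotlink-protection and geo-IP parts of the setup are outside its scope.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; a real deployment loads the secret
# from configuration and uses its own player domain.
SECRET = b"example-secret-do-not-reuse"
ALLOWED_DOMAIN = "stream.example.invalid"   # assumed domain the player is locked to
TOKEN_LIFETIME = 60                         # seconds, as described in the post


def _signature(path, domain, expires):
    """HMAC-SHA256 over domain|path|expiry so none of them can be altered
    without invalidating the token."""
    msg = f"{domain}|{path}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_stream_url(path, domain=ALLOWED_DOMAIN, now=None, lifetime=TOKEN_LIFETIME):
    """Build the URL the page hands to the player: path plus expiry and signature."""
    now = int(time.time()) if now is None else int(now)
    expires = now + lifetime
    query = urlencode({"expires": expires, "sig": _signature(path, domain, expires)})
    return f"https://{domain}{path}?{query}"


def verify_stream_url(url, now=None, allowed_domain=ALLOWED_DOMAIN):
    """Server-side check for an incoming player request.
    Returns (ok, reason); the reason is useful for logging rejected requests."""
    now = int(time.time()) if now is None else int(now)
    parsed = urlparse(url)
    if parsed.hostname != allowed_domain:
        return False, "wrong domain"
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed token"
    # Check expiry first so stale links are rejected cheaply.
    if now > expires:
        return False, "expired"
    expected = _signature(parsed.path, allowed_domain, expires)
    # Constant-time comparison avoids leaking the signature through timing.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000                      # constructed timestamp
    url = sign_stream_url("/live/main.m3u8", now=issued_at)
    print(url)
    print(verify_stream_url(url, now=issued_at + 30))   # within 60 s: ok
    print(verify_stream_url(url, now=issued_at + 61))   # after 60 s: expired
```

Because the expiry is part of the signed message, a viewer who edits `expires=` in the link gets "bad signature" rather than a longer-lived token, and a link copied to another host fails the domain check before any cryptography runs.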