PF options: set timeout and set limit states
This might look obvious, and the defaults are fine, but when you start playing with PF options, take care.
My SIP connections were a bit unstable, so, seeking to improve this, after some digging I came up with these settings in /etc/pf.conf:
Shortly after, huge overall slowdowns started to appear on the Internet connection, but only at certain times of the day. A simple ping during a slowdown produced this:
After some searching I found that the times when it happens correspond to the following NTP pool traffic peaks:
Thanks to ALTQ integrated in PF, this should normally not be a problem, since NTP traffic is placed into a lower priority queue. But still, during these peaks Internet usage was nearly impossible. I also noticed that flushing the PF states with pfctl -F state repaired the problem, but only for a short time. It looked like PF was filling its internal counters with something during these NTP traffic peaks, and when full, any new connection was refused. So there it was: the PF state table was full:
When I increased the UDP state expiry time to improve SIP connection stability, this also affected the incoming NTP pool requests, which use UDP port 123, so during the NTP traffic peaks PF filled its state table to 10000 entries (the default setting), and then any new connections were refused, resulting in a huge slowdown of the Internet connection. A quick fix was to increase the default maximum number of state table entries with the following: