  1. #1
    Untanglit
    Join Date
    Jul 2009
    Location
    Itajubá-MG-Brazil
    Posts
    26

    Untangle for more than 10000 hosts

    Hello friends, how are you?

    We are testing Untangle as an option for our university. Currently we have about 10000 hosts and our Internet link is a 1 Gbit connection with public IPs and some private IPs behind NAT. We are using this server with these hardware specifications and Untangle 14.0.1:

    1x - Intel(R) Xeon(R) CPU E5-2430 0 @ 2.20GHz (family: 0x6, model: 0x2d, stepping: 0x7)
    96 GB RAM
    1x - Ethernet controller: Intel Corporation 82572EI Gigabit Ethernet Controller (Fiber) (rev 06)
    4x - Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
    1x - Samsung SSD 850 EVO 500GB

    We are using all the free apps except VPNs, intrusion detection and captive portal.

    We notice very slow performance and a lot of disk usage. /var/log/messages and /var/log/syslog are growing very fast (more than 100 GB per day) and the rsyslog service is using too much CPU.

    So, after untagging the firewall rules (the pass ones, because I'm unable to untag the block ones), and also changing the bypass and other log settings under the advanced options, the log is still growing the same way.

    I found a problem with conntrack and I raised the limits:

    net.netfilter.nf_conntrack_max = 524288
    net.nf_conntrack_max = 524288

    If somebody could help us set this up correctly I'd be glad. We are very interested in the product.

    Thanks

    M.Sc. José Renato Castro Milanez
    Analista de Tecnologia da Informação / IT Analyst
    Diretoria de Tecnologia da Informação / Information Technology Directorate
    Universidade Federal de Itajubá / Federal University of Itajubá
    Itajubá - Minas Gerais - Brasil

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,485


    Goodness, you need at least twice the CPU, and probably a RAID 10 made out of four of those SSDs to do this. Untagging firewall rules doesn't change anything, because that module logs everything anyway. rsyslog shouldn't be doing that unless you customized something... Which brings us back to the netfilter changes you made...

    If you want to use Untangle you're going to have to get out of the terminal and stop customizing the OS. Those changes are unsupported because honestly, no one has any information on how the platform works with those modifications.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja dwasserman
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,371


    Maybe another option is to segment into 2 or 3 devices:
    1. one for the edge, with routing, NAT, VPN and firewall rules (or use your current L3 firewall)
    2. one for antispam, phishing, AV for email and everything SMTP-related (between your email server(s) and the edge, in bridge mode)
    3. one for web filtering, web antivirus, SSL and application control (and here put a full license, or call sales and negotiate)

    A nice challenge ahead.
    The world is divided into 10 kinds of people, who know binary and those not

  4. #4
    Untanglit
    Join Date
    Jul 2009
    Location
    Itajubá-MG-Brazil
    Posts
    26


    Tomorrow I'll upgrade to other hardware. It's a big one and I'll give some status.

    Also, the error below I just solved with the sysctl tuning (net.netfilter.nf_conntrack_max = 524288 and net.nf_conntrack_max = 524288 in /etc/sysctl.conf). But after rebooting, the settings are not being applied.

    [ 372.302981] nf_conntrack: nf_conntrack: table full, dropping packet
    [ 372.303209] nf_conntrack: nf_conntrack: table full, dropping packet
    [ 372.303367] nf_conntrack: nf_conntrack: table full, dropping packet
    [ 372.303518] nf_conntrack: nf_conntrack: table full, dropping packet
    [ 372.303530] nf_conntrack: nf_conntrack: table full, dropping packet
    [ 372.305460] nf_conntrack: nf_conntrack: table full, dropping packet
    [ 372.305886] nf_conntrack: nf_conntrack: table full, dropping packet
    [ 372.306100] nf_conntrack: nf_conntrack: table full, dropping packet
    [ 372.306155] nf_conntrack: nf_conntrack: table full, dropping packet
    [ 372.306160] nf_conntrack: nf_conntrack: table full, dropping packet
    Last edited by goredaimon; 10-04-2018 at 05:21 AM.
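The following is an added example, not code from the thread or from Untangle. It shows the three checks a practitioner would want around the symptom in #4: how full the conntrack table is relative to nf_conntrack_max, how many "table full, dropping packet" lines a kernel log holds, and whether a sysctl.conf-style file actually carries the tuned key (if it does and the value is still not live after boot, the usual cause on stock Linux is that net.netfilter.nf_conntrack_max only exists once the nf_conntrack module has loaded, which can be after sysctl.conf is processed; whether that applies on Untangle is not established by the thread, and #5's advice to involve support stands). The sample log lines and the sysctl.conf fragment are constructed; the /proc/sys paths are the standard Linux ones and are only read if present.

```sh
#!/bin/sh
# Added example (not from the thread or from Untangle): conntrack headroom,
# "table full" drop counting, and sysctl.conf verification. Every function
# takes its input as arguments or stdin, so the same logic runs against
# /proc/sys and dmesg on a live box or against the constructed samples below.

# conntrack_pct COUNT MAX -> table utilisation as an integer percentage
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# count_table_full TEXT -> number of "nf_conntrack: table full" lines in TEXT.
# grep -c exits 1 when the count is 0, so that status is masked.
count_table_full() {
    printf '%s\n' "$1" | grep -c 'nf_conntrack: table full, dropping packet' || true
}

# sysctl_conf_value KEY < FILE -> last value assigned to KEY (comments ignored);
# prints nothing when the key is absent, i.e. nothing would re-apply it at boot.
sysctl_conf_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" | tail -n 1
}

# Constructed sample kernel log lines, shaped like the ones posted in #4
# (the NIC link line is an assumption, there only as a non-matching line).
SAMPLE_DMESG='[  372.302981] nf_conntrack: nf_conntrack: table full, dropping packet
[  372.303209] nf_conntrack: nf_conntrack: table full, dropping packet
[  372.400000] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex'

# Constructed /etc/sysctl.conf fragment carrying the tuning from the thread.
SAMPLE_CONF='# conntrack tuning for ~10000 hosts
net.netfilter.nf_conntrack_max = 524288
net.nf_conntrack_max = 524288'

# live_report: on a real Linux host with nf_conntrack loaded, compare the
# live counters and warn below 20% headroom, before the kernel starts dropping.
live_report() {
    [ -r /proc/sys/net/netfilter/nf_conntrack_count ] || { echo "no conntrack sysctl here"; return 0; }
    c=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    m=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    p=$(conntrack_pct "$c" "$m")
    echo "conntrack: $c / $m ($p%)"
    [ "$p" -lt 80 ] || echo "WARNING: less than 20% headroom, raise nf_conntrack_max"
}

# Offline demo against the constructed samples.
echo "table-full drops in sample log: $(count_table_full "$SAMPLE_DMESG")"
echo "nf_conntrack_max in sample conf: $(printf '%s\n' "$SAMPLE_CONF" | sysctl_conf_value net.netfilter.nf_conntrack_max)"
live_report
```

On a live box the same functions apply directly: `dmesg | grep -c 'table full, dropping packet'` gives the drop count, `sysctl_conf_value net.netfilter.nf_conntrack_max < /etc/sysctl.conf` confirms the file carries the key, and `sysctl net.netfilter.nf_conntrack_max` (read-only) shows what the kernel is actually using; a mismatch between the last two is the "not applied after reboot" condition described in #4.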

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,485


    That's what I like to call... a non-error. It's in the logs, and it's frequent, but does it actually mean anything?

    There are some very large sites that do need to tune those values, and it is possible for them to be tuned. However, it's best to let Untangle support assist you while doing so, otherwise you risk breaking things. Untangle isn't Debian, and some of those settings don't quite do what they do on Debian.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untanglit
    Join Date
    Jul 2009
    Location
    Itajubá-MG-Brazil
    Posts
    26


    The tuning is working like a charm! Without it, I got a lot of dropped packets!

    If you are interested, it's the same approach as the pfSense/Netgate firewall:

    https://www.netgate.com/docs/pfsense...ork-cards.html
