I moved the rules for the NTP traffic to the top and this seems to improve things. But I'll leave it overnight to have some better stats in the morning. Best regards, Maurice
Jumping in since I've also recently added an ntp server in ntppool.org and saw spikes on my states as well as pps.
I've added Net speed: 500Mbit on the server management on site in order to limit connections.
I don't use a private IP and thought about removing keeping state but I decided to keep it.
Rule is as far up as it can be and it's like this:
@70 pass in quick on $ext_if proto udp to $ntp_server port ntp set prio (1,1) keep state (pflow, max-src-states 20, source-track rule, udp.first 30, udp.multiple 30) tag to_internal
On the other hand, I don't have packet loss.
I have an average of 15K states all the time.
Interface is vlan on top of trunk on top of ix(4)
Good luck,
G
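For readers comparing the two approaches the thread touches on (keeping state with per-source limits versus dropping state tracking for NTP), the fragment below is an added pf.conf example, not Maurice's or G's configuration. It assumes OpenBSD pf, an external interface named em0, and an NTP server at the documentation address 192.0.2.10; the state option values are illustrative.

```pf
# Added example (not from the thread). Assumed names: em0, 192.0.2.10.
ext_if     = "em0"
ntp_server = "192.0.2.10"

# --- Weak form: generic UDP rule, default timeouts, no per-source cap ---
# Each client query creates a state that lingers for the default udp.first /
# udp.multiple timeouts (60s in OpenBSD's pf.conf(5) defaults), so a burst of
# pool clients can push the state table toward its limit.
# pass in on $ext_if proto udp to $ntp_server port ntp keep state

# --- Option 1: keep state, but evaluate early and bound it ---
# "quick" stops rule evaluation here so the NTP flood never walks the rest of
# the ruleset; short udp timeouts expire states quickly; max-src-states with
# source-track rule caps how many states one client address may hold under
# this rule. (Rule order matters: keep this above the general pass rules.)
pass in quick on $ext_if proto udp to $ntp_server port ntp \
    set prio (1,1) \
    keep state (max-src-states 20, source-track rule, \
                udp.first 30, udp.multiple 30) \
    tag to_internal

# --- Option 2: no state for NTP at all ---
# Stateless matching means no state-table entry per client. Because there is
# no state to match the reply, the outbound response direction must be
# allowed explicitly with "no state" as well. Trade-off: you lose pf's
# per-source tracking and any limits that depend on state entries.
# pass in  quick on $ext_if proto udp to   $ntp_server port ntp no state
# pass out quick on $ext_if proto udp from $ntp_server port ntp no state
```

After loading, `pfctl -vvsr` prints the rules with their `@N` index so you can confirm the NTP rule sits above the general pass rules, and `pfctl -si` shows the current state count against the configured limit, which is the number worth sampling over time when judging whether the per-source cap and shorter timeouts are doing their job.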