Ierrs on Network Interface - Pfsense/Freebsd

Question

We're using PfSense as an internal router/firewall (no connection to WAN). Using the Web-GUI, under Status ---> Interfaces, there's one particular interface where I have some errors:

In/out errors    3513/0

I then SSHed to the firewall to validate the info provided by the WebGUI and here's the output:

# netstat -ni -I bce2
Name    Mtu Network       Address                  Ipkts Ierrs     Opkt  Oerrs  Coll
bce2   1500 <Link#3>      00:23:7d:cd:a2:a2   1404522323  3513 749797131     0     0
bce2   1500 10.42.1.0/24  10.42.1.24                   6     -         6     -     -

As you can see, both present the same info (errors on incoming packets). I switched cables, changed network card, changed port on switch and I still see the errors. My 2 questions really are:

1) Is there any way I could get more info on the nature of these errors? or is this all I can get?

2) Should I be worried about this? As you can see, the errors are a VERY LOW percentage of all the total incoming packets. In other words, is this normal on a high-traffic gigabit interface?

Thanks! JFA

Answer 1

1) There may be dosens of possible reasons. Most possible: you've got some buffer overruns.

Analyze:

• dmesg
• sysctl dev.bce
• vmstat -z (USED/LIMIT)
• netstat -s (Errors/Buffers)

You can also try some tuning described here: FreeBSD performance tuning: Sysctl parameter, loader.conf, kernel

But these are intended for advanced sysadmins only, use them on your own risk!

2) Maybe. With time, when the load increases this percentage will rise, too.