Hi,
I'm running a Tor relay on a Raspberry 2 behind a router using port forward. Relay bandwidth is set to 1 MByte / second. Tor is accepting so many connections that my Raspi can't keep up and my router is getting very slow (I assume because of a crappy NAT implementation). Bandwidth is not an issue, it's the open connection count.
Is there a way to limit the maximum number of connections? I tried to apply a ulimit on open files via systemd, but Tor is then showing a warning.
At the moment I run an iptables rule which restricts the connection count to port 9001 (OR port) to 1000. But I'm not sure how this will affect the relay, for example Tor Metrics is showing the relay as offline.
BR, Moritz
On 3 Feb 2018, at 22:33, Moritz Kammerer kammerer.moritz@gmail.com wrote:
> Hi,
> I'm running a Tor relay on a Raspberry 2 behind a router using port forward. Relay bandwidth is set to 1 MByte / second. Tor is accepting so many connections that my Raspi can't keep up and my router is getting very slow (I assume because of a crappy NAT implementation). Bandwidth is not an issue, it's the open connection count.
There is some extra client load on the network. This means that most relays are connecting to every other relay.
> Is there a way to limit the maximum number of connections? I tried to apply a ulimit on open files via systemd, but Tor is then showing a warning.
systemd LimitNOFILE is a supported way to adjust Tor's file descriptor limit.
What was the limit? 1000? What was the warning?
> At the moment I run an iptables rule which restricts the connection count to port 9001 (OR port) to 1000. But I'm not sure how this will affect the relay, for example Tor Metrics is showing the relay as offline.
If the warning said something like: "You need to have at least 6000 file descriptors to be a good relay" then what it said was true. Each relay needs to be able to connect to every other relay.
If other relays can't connect to your relay, it will be marked as down.
Try running a bridge, or getting a better NAT box.
T
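Added example, not code from this thread or from the Tor project: a small POSIX shell script that renders the systemd drop-in teor is referring to, reads the effective soft "Max open files" limit of a running tor from /proc/<pid>/limits, and counts established ORPort connections from `ss -Htn` output, so an operator can compare what the relay actually sees against the 6000-descriptor figure before deciding between raising the limit and running a bridge. The drop-in path, the service name and every sample text below are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not from the tor-relays thread or the Tor project.
# Helpers for a relay operator who was told to raise the descriptor limit:
#   1. render a systemd drop-in that sets LimitNOFILE for the tor service
#   2. read the soft "Max open files" limit of a tor process from /proc
#   3. count established ORPort connections in `ss -Htn` output
# Paths, service name and sample texts are assumptions / constructed data.

RELAY_MIN_NOFILE=6000   # descriptor figure quoted in teor's reply

# Print a drop-in for tor.service raising the descriptor limit.
# Install as /etc/systemd/system/tor.service.d/nofile.conf (assumed path; on
# Debian the running instance is tor@default.service, adjust accordingly),
# then `systemctl daemon-reload && systemctl restart tor`.
render_dropin() {
    printf '[Service]\nLimitNOFILE=%s\n' "$1"
}

# Read stdin in /proc/<pid>/limits format and print the soft open-files limit.
nofile_soft_limit() {
    awk '/^Max open files/ { print $4 }'
}

# Succeed if the limits text in $1 allows at least RELAY_MIN_NOFILE descriptors.
limit_ok() {
    lim=$(printf '%s\n' "$1" | nofile_soft_limit)
    [ -n "$lim" ] && [ "$lim" -ge "$RELAY_MIN_NOFILE" ]
}

# Read `ss -Htn` output on stdin and count ESTAB sockets whose local port is $1.
orport_connections() {
    awk -v port="$1" '$1 == "ESTAB" && $4 ~ (":" port "$") { n++ } END { print n + 0 }'
}

# Constructed /proc/<pid>/limits excerpt: a tor left at the common 1024 default.
SAMPLE_LIMITS_LOW='Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files'

# Constructed excerpt after LimitNOFILE=6000 took effect.
SAMPLE_LIMITS_OK='Limit                     Soft Limit           Hard Limit           Units
Max open files            6000                 6000                 files'

# Constructed `ss -Htn` lines: two peers on ORPort 9001, one unrelated socket.
SAMPLE_SS='ESTAB 0 0 192.168.1.10:9001 203.0.113.5:43120
ESTAB 0 0 192.168.1.10:9001 198.51.100.7:51000
ESTAB 0 0 192.168.1.10:44882 203.0.113.9:443'

# Check the live tor process when one is running on this Linux host; otherwise
# evaluate the constructed sample so the script still runs offline.
check_running_tor() {
    pid=$(pgrep -x tor 2>/dev/null | head -n 1)
    if [ -n "$pid" ] && [ -r "/proc/$pid/limits" ]; then
        limit_ok "$(cat "/proc/$pid/limits")"
    else
        limit_ok "$SAMPLE_LIMITS_OK"
    fi
}

# Stand-alone run: show the drop-in, the parsed sample limit and the ORPort count.
render_dropin "$RELAY_MIN_NOFILE"
printf 'sample soft limit: %s\n' "$(printf '%s\n' "$SAMPLE_LIMITS_LOW" | nofile_soft_limit)"
printf 'sample ORPort connections: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | orport_connections 9001)"
if check_running_tor; then
    echo "open-files limit is at least $RELAY_MIN_NOFILE"
else
    echo "open-files limit is below $RELAY_MIN_NOFILE: raise LimitNOFILE"
fi
```

On a real relay, `cat /proc/$(pgrep -x tor)/limits | nofile_soft_limit` confirms that the drop-in actually reached the process after the restart, and `ss -Htn | orport_connections 9001` gives the live concurrency to compare with the 1000-connection iptables cap mentioned earlier in the thread.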
Thanks for the clarification. I will try LimitNOFILE = 6000. If that crashes my NAT box, I'm going to run a bridge.
On 03.02.2018 at 12:38, teor wrote:
> On 3 Feb 2018, at 22:33, Moritz Kammerer kammerer.moritz@gmail.com wrote:
>> Hi,
>> I'm running a Tor relay on a Raspberry 2 behind a router using port forward. Relay bandwidth is set to 1 MByte / second. Tor is accepting so many connections that my Raspi can't keep up and my router is getting very slow (I assume because of a crappy NAT implementation). Bandwidth is not an issue, it's the open connection count.
> There is some extra client load on the network. This means that most relays are connecting to every other relay.
>> Is there a way to limit the maximum number of connections? I tried to apply a ulimit on open files via systemd, but Tor is then showing a warning.
> systemd LimitNOFILE is a supported way to adjust Tor's file descriptor limit.
> What was the limit? 1000? What was the warning?
>> At the moment I run an iptables rule which restricts the connection count to port 9001 (OR port) to 1000. But I'm not sure how this will affect the relay, for example Tor Metrics is showing the relay as offline.
> If the warning said something like: "You need to have at least 6000 file descriptors to be a good relay" then what it said was true. Each relay needs to be able to connect to every other relay.
> If other relays can't connect to your relay, it will be marked as down.
> Try running a bridge, or getting a better NAT box.
> T
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Sat, 3 Feb 2018 at 12:50 Moritz Kammerer kammerer.moritz@gmail.com wrote:
> Thanks for the clarification. I will try LimitNOFILE = 6000. If that crashes my NAT box, I'm going to run a bridge.
You could also consider getting a production-class router (not some consumer-oriented thing); these don't have to be expensive though, e.g. $60 for https://mikrotik.com/product/RB750Gr3
> At the moment I run an iptables rule which restricts the connection count to port 9001 (OR port) to 1000.
If your setup cannot handle at least 6k concurrent connections, I'm afraid it is not suitable for a tor non-exit relay.
If you can, run the latest tor source code from git master, it includes important denial of service mitigations that will reduce the load on your relay.
https://twitter.com/nusenu_/status/958486010563874817
https://lists.torproject.org/pipermail/tor-relays/2018-January/014357.html