From owner-freebsd-pf@FreeBSD.ORG Wed Jun 18 05:59:21 2008
Date: Wed, 18 Jun 2008 08:59:13 +0400
From: Alexey Lanetskiy
Organization: FHCC
Message-ID: <1354049605.20080618085913@rcfd.spb.ru>
To: freebsd-pf@freebsd.org
Subject: reply-to speed issue
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello!

I have a FreeBSD box (7-release) acting as a gateway. The topology is very simple. There are 2 ifaces, em0 and em1, pointing to gateway 1 (gw1) and gw2 respectively. Here is the "picture":

                 ,------------.
(internal LAN)---* FreeBSD/pf *---(WAN / gw1), $ext_if1, $ext_ip1
                 |            *---(WAN / gw2), $ext_if2, $ext_ip2
                 `------------'

There are some servers inside the internal LAN, so I have to respond to a request from the WAN on the same iface it came in on.
Well, I need the following lines inside my pf.conf:

    nat on $ext_if1 from !(self) to any -> ($ext_if1:0)
    nat on $ext_if2 from !(self) to any -> ($ext_if2:0)

    # example of some internal service, hosted inside the LAN
    rdr on $ext_if1 proto tcp to port $someport tag IF_1 \
        -> $ip_internal port $someport
    rdr on $ext_if2 proto tcp to port $someport tag IF_2 \
        -> $ip_internal port $someport

    block in all
    block out all

    # example of common services, hosted on the freebsd box
    pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
        proto tcp from \
        to $ext_ip1 port { ftp, ftp-data, 45000:50000 } \
        flags S/SA keep state
    pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
        proto tcp from \
        to $ext_ip2 port { ftp, ftp-data, 45000:50000 } \
        flags S/SA keep state

    pass in quick reply-to ($ext_if1 $ext_gw1) proto { udp, icmp } \
        tagged IF_1 keep state
    pass in quick reply-to ($ext_if1 $ext_gw1) proto tcp \
        tagged IF_1 flags S/SA keep state
    pass in quick reply-to ($ext_if2 $ext_gw2) proto { udp, icmp } \
        tagged IF_2 keep state
    pass in quick reply-to ($ext_if2 $ext_gw2) proto tcp \
        tagged IF_2 flags S/SA keep state

Now it works. Connections from outside to both the hosts on the box and the hosts in the LAN are establishing, data flows, but... a strange speed issue was detected.

Let's shut down pf (pfctl -d) and ftp to any of the external ifaces: full speed of the iface in both directions.

Let's enable pf again, but use a pf.conf without any "reply-to" (the "route-to"s are still in their places): oops, something is wrong with the outgoing stream. Look at these numbers: approx. 60 kBytes/sec without "reply-to" and only 3 kBytes/sec with it. Not very nice, is it?

Let me say some words about the box itself.

box: SMP system on a single core2duo CPU, 2 em & 1 rl nics.
freebsd: default sysctl setup, custom kernel built from GENERIC with the following differences:

    options SCHED_ULE
    device pf
    options ALTQ
    options ALTQ_CBQ
    options ALTQ_RED
    options ALTQ_RIO
    options ALTQ_HFSC
    options ALTQ_CDNR
    options ALTQ_PRIQ
    options ALTQ_NOPCC

pf: no queues running, very small tables (less than 10 items), nearly 120 rules in pf.conf.

Here the question begins: what is the source of such a problem with "reply-to"? What should I test, maybe on another box or in a lab? What manuals should I study before configuring pf any further, in case there are config mistakes?

-- 
wbr, Alexey.
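To make the role of reply-to in the poster's dual-WAN setup concrete, here is a small model of pf's state table written as an added example; it is not code from the post or from pf itself. It assumes a constructed topology mirroring the message (em0 towards gw1, em1 towards gw2, documentation-range addresses standing in for $ext_ip1/$ext_ip2 and $ext_gw1/$ext_gw2) and assumes the box's default route points at gw1. It shows why the rules need reply-to at all: without it a reply to a connection that arrived on em1 is sent through the default gateway on em0, i.e. asymmetrically; it does not model the throughput difference the poster measures.

```python
"""Toy model of pf's reply-to on a dual-WAN gateway.

Added illustration, not code from the original post.  Interface, gateway
and address values are constructed to mirror the poster's topology
(em0 -> gw1, em1 -> gw2); the default route is assumed to be via gw1.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges).
GW1 = ("em0", "192.0.2.1")          # ($ext_if1 $ext_gw1)
GW2 = ("em1", "198.51.100.1")       # ($ext_if2 $ext_gw2)
EXT_IP = {"em0": "192.0.2.10", "em1": "198.51.100.10"}   # $ext_ip1 / $ext_ip2
DEFAULT_ROUTE = GW1                 # assumption: default gateway is gw1


@dataclass(frozen=True)
class Flow:
    """One direction of a connection, as pf keys its state table."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class PassInRule:
    """'pass in on <iface> [reply-to (<iface> <gw>)] ... keep state'."""
    iface: str
    reply_to: Optional[Tuple[str, str]] = None


class PfModel:
    def __init__(self, rules):
        self.rules = list(rules)
        # state table: inbound flow -> the rule that created the state
        self.states: Dict[Flow, PassInRule] = {}

    def inbound(self, iface: str, flow: Flow) -> bool:
        """A packet arrives on `iface`; the first matching pass-in rule
        creates state and its reply-to option is remembered with it."""
        for rule in self.rules:
            if rule.iface == iface and flow.dst == EXT_IP[iface]:
                self.states[flow] = rule
                return True
        return False   # 'block in all'

    def outbound(self, flow: Flow) -> Tuple[str, str]:
        """The box sends a reply.  If the matching state carries reply-to,
        the packet leaves via that interface and gateway regardless of the
        routing table; otherwise the kernel's default route decides."""
        rule = self.states.get(flow.reverse())
        if rule is not None and rule.reply_to is not None:
            return rule.reply_to
        return DEFAULT_ROUTE


def build_ruleset(with_reply_to: bool) -> PfModel:
    """Two 'pass in' rules, one per WAN interface, as in the post."""
    return PfModel([
        PassInRule("em0", GW1 if with_reply_to else None),
        PassInRule("em1", GW2 if with_reply_to else None),
    ])


def reply_path(with_reply_to: bool, arrival_iface: str) -> Tuple[str, str]:
    """(iface, gateway) a reply leaves by, for a connection that arrived
    on `arrival_iface`.  The client address is constructed."""
    pf = build_ruleset(with_reply_to)
    client = Flow("tcp", "203.0.113.7", 40000, EXT_IP[arrival_iface], 21)
    if not pf.inbound(arrival_iface, client):
        raise RuntimeError("inbound packet was blocked")
    return pf.outbound(client.reverse())


if __name__ == "__main__":
    for mode in (False, True):
        for iface in ("em0", "em1"):
            out_if, gw = reply_path(mode, iface)
            print(f"reply-to={mode!s:5}  arrived on {iface}  ->  reply via {out_if} to {gw}")
```

Running the block prints four cases; the one that matters is a connection arriving on em1 with reply-to disabled, where the reply leaves via em0 and gw1, so the remote peer sees the two halves of the connection on different paths (and gw1 may drop traffic sourced from em1's address). With reply-to the state created by the pass-in rule pins the reply to em1/gw2, which is exactly what the poster's ruleset relies on.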