Message-ID: <4A8484E4.6090504@uffner.com>
Date: Thu, 13 Aug 2009 17:25:56 -0400
From: Tom Uffner
To: pf@freebsd.org, current@freebsd.org
Subject: packet forwarding/firewall performance question
List-Id: Discussions about the use of FreeBSD-current

I am curious what level of performance I should expect from the firewall box described below in terms of packets/sec and bytes/sec.

it is an 800 MHz VIA c3 with a Gigabit switch on the inside interface and 20 Mbs symmetric Fios on the outside. both interfaces are 100 Mbs.

it is running sshd, bsnmpd, sendmail (outbound only), bind9 (serving local domain info & queries from 5-15 machines on the LAN) and isc-dhcpd.

it acts as a border firewall/router for a small LAN w/ 5 static external addresses & the rest NATed.

Kernel:  http://www.uffner.com/temp/GATEWAY.txt
dmesg:   http://www.uffner.com/temp/dmesg.txt
rc.conf: http://www.uffner.com/temp/rc.conf.txt
pf.conf: http://www.uffner.com/temp/pf.conf.txt

i'm hoping a few people will give me estimates on what kind of throughput i should theoretically expect before i provide any actual test data. also, any suggestions on tuning would be welcome.

so far in preliminary tests, enabling polling on the network interfaces reduces my performance slightly both to/from and through the box. net.inet.ip.fastforwarding doesn't seem to make much difference either way but i haven't done very thorough testing of it. increasing net.inet.tcp.sendbuf_max & recvbuf_max may have helped, but again, not sufficiently tested.