Date: Fri, 22 Dec 2017 20:11:59 +0100
From: Michael Grimm <trashcan@ellael.org>
To: freebsd-net@freebsd.org, freebsd-jail@FreeBSD.org
Cc: Kristof Provost <kristof@sigsegv.be>, Eugene Grosbein <eugen@grosbein.net>
Subject: Re: performance issue within VNET jail
Message-ID: <8C8A172B-4D4F-4066-8B94-EF5F59E2D345@ellael.org>
In-Reply-To: <DB5DE737-7171-4953-AF98-45F1BE7AF09E@sigsegv.be>
References: <4F5EE3F6-0163-4435-8726-56B0D4AE9FAF@ellael.org>
 <B6446660-9FD2-4C28-A3A2-8AC99624C7FF@sigsegv.be>
 <8102F5FD-DCFC-4EF8-A443-9E6C9EB1F467@ellael.org>
 <DB5DE737-7171-4953-AF98-45F1BE7AF09E@sigsegv.be>

Kristof Provost <kristof@sigsegv.be> wrote:

> I run a very similar setup (although on CURRENT), and see no
> performance issues from my jails.

In utter despair I did upgrade one server to CURRENT (#327076) today,
but that hasn't been successful :-(

Ok, right now I do know:

(#) there is *no* performance loss (TCP) when:

    (-) fetching files from outside through PF/extIF to host
    (-) fetching files from partner server host via IPSEC tunnel
        bound to extIF (ESP) to host
    (-) fetching files from partner server host via IPSEC tunnel
        bound to extIF (ESP) to jail via bridge
    (-) fetching files from partner server jail via bridge and then
        via IPSEC tunnel bound to extIF (ESP) to host
    (-) fetching files from partner server jail via bridge and then
        via IPSEC tunnel bound to extIF (ESP) and then via bridge to jail

(#) there is a *dramatic* performance loss (TCP) when:

    (-) fetching files from outside through PF/extIF via bridge to jail

(#) I did try to tweak the following settings *without* success:

    (-) sysctl net.inet.tcp.tso=0
    (-) sysctl net.link.bridge.pfil_onlyip=0
    (-) sysctl net.link.bridge.pfil_bridge=0
    (-) sysctl net.link.bridge.pfil_member=0
    (-) reducing mtu to 1400 (1490 before) on all interfaces extIF,
        bridge, epairXs
    (-) deactivating "scrub in all" and "scrub out on $extIF all
        random-id" in /etc/pf.conf
    (-) setting "set require-order yes" and "set require-order no"
        in /etc/pf.conf [1]

[1] I do see a lot more out-of-order packages within a jail
    ("netstat -s -p tcp") after those slow downloads, but not after
    downloads via IPSEC tunnel from partner host.

That leads me to the conclusions:

(#) the bridge is not to blame
(#) it's either the PF/NATing or something else, right?

Thanks for your suggestions so far, but I am lost here.
Any ideas?

Regards,
Michael