From owner-freebsd-net@freebsd.org Sun Oct 25 19:21:14 2015
From: James Lodge
To: "freebsd-net@freebsd.org"
Subject: Re: Jail - PF - NAT - Network Performance
Date: Sun, 25 Oct 2015 17:47:07 +0000
List-Id: Networking and TCP/IP with FreeBSD

> On 25 Oct 2015, at 17:46, James Lodge wrote:
> I currently have a FreeBSD 10.1 host running on Digital Ocean. I have multiple jails and I'm not using vimage.
>
>
> I'm using PF on the host to NAT traffic from said jails and all is working as expected. I have a jail running OpenVPN and clients can connect and traffic is routed to the Internet down the tunnel via PF/NAT. The issue I'm seeing is download speeds to the client from the Internet on the external side on PF. Upload always seems reasonable, but download is always woeful. I'm using a Windows machine as the client if that makes any odds.
>
>Yeah, there's an issue with checksums and pf/Xen.
>Disabling TSO should work for you (sudo sysctl net.inet.tcp.tso=0), and the problem should be completely fixed in the
>next release (10.3 or 11.0)
>
>Regards,
>Kristof

Thanks Kristof for the quick reply,

I was hoping it would be that simple, but Digital Ocean use KVM (from what I know) as their hypervisor so disabling TSO and LRO seems to have no noticed increase in performance.

Regards

James