Date: Wed, 18 Jun 2008 22:05:33 +0000
From: Michael Zimmer <drakyri@hotmail.com>
To: Alexey Lanetskiy <lan@rcfd.spb.ru>, <freebsd-pf@freebsd.org>
Subject: RE: reply-to speed issue
Message-ID: <BLU109-W347D6DBE25FA6E82A579E6B1AB0@phx.gbl>
In-Reply-To: <1354049605.20080618085913@rcfd.spb.ru>
References: <1354049605.20080618085913@rcfd.spb.ru>
I don't know if this is restricted to reply-to. I have an almost identical setup (except, using route-to) and have the same problem. Anyone have any ideas?

thanks,

-mike

> Date: Wed, 18 Jun 2008 08:59:13 +0400
> From: lan@rcfd.spb.ru
> To: freebsd-pf@freebsd.org
> Subject: reply-to speed issue
>
> Hello!
>
> I have a freebsd box (7-release) acting as gateway.
> The topology is very simple. There are 2 ifaces: em0 and em1, pointing to
> gateway 1 (gw1) and gw2 correspondingly. Here is the "picture":
>
>                  ,------------.
> (internal LAN)---* FreeBSD/pf *---(WAN / gw1), $ext_if1, $ext_ip1
>                  |            *---(WAN / gw2), $ext_if2, $ext_ip2
>                  `------------'
>
> There are some servers inside the internal LAN, so I have to respond to the
> request from WAN on the same iface. Well, I need the following lines inside my
> pf.conf:
>
> nat on $ext_if1 from !(self) to any -> ($ext_if1:0)
> nat on $ext_if2 from !(self) to any -> ($ext_if2:0)
>
> # example of some internal service, hosted inside the LAN
> rdr on $ext_if1 proto tcp to port $someport tag IF_1 \
>     -> $ip_internal port $someport
> rdr on $ext_if2 proto tcp to port $someport tag IF_2 \
>     -> $ip_internal port $someport
>
> block in all
> block out all
>
> # example of common services, hosted on freebsd box
> pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
>     proto tcp from <ext_white_ftp> \
>     to $ext_ip1 port { ftp, ftp-data, 45000:50000 } \
>     flags S/SA keep state
> pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
>     proto tcp from <ext_white_ftp> \
>     to $ext_ip2 port { ftp, ftp-data, 45000:50000 } \
>     flags S/SA keep state
>
> pass in quick reply-to ($ext_if1 $ext_gw1) proto { udp, icmp } \
>     tagged IF_1 keep state
> pass in quick reply-to ($ext_if1 $ext_gw1) proto tcp \
>     tagged IF_1 flags S/SA keep state
> pass in quick reply-to ($ext_if2 $ext_gw2) proto { udp, icmp } \
>     tagged IF_2 keep state
> pass in quick reply-to ($ext_if2 $ext_gw2) proto tcp \
>     tagged IF_2 flags S/SA keep state
>
> Now it works. Connections from outside to both hosted @box & hosted @LAN
> are establishing, data flows, but... strange speed issue detected.
> Let's shut down pf (pfctl -d) and ftp to any of the external ifaces: full
> speed of iface in both directions.
> Let's enable pf again, but use pf.conf without any "reply-to"
> ("route-to"s are still at their places): oops, something wrong with
> outgoing stream. Look at these numbers: approx. 60kBytes/sec w/o "reply-to"
> and only 3kBytes/sec with it. Not very nice, is it...
>
> Let me say some words about the box itself.
> box: SMP system on single core2duo CPU, 2 em & 1 rl nics.
> freebsd: default sysctl setup, custom kernel built using GENERIC with
> the following difference:
> options SCHED_ULE
> device pf
> options ALTQ
> options ALTQ_CBQ
> options ALTQ_RED
> options ALTQ_RIO
> options ALTQ_HFSC
> options ALTQ_CDNR
> options ALTQ_PRIQ
> options ALTQ_NOPCC
> pf: No queues running, very small (less than 10 items) tables, near 120
> rules in pf.conf.
>
> Here the question begins: what is the source of such a problem with
> "reply-to"? What should I test, maybe on another box or in a lab? What
> manuals should I learn before configuring pf any more if there are config
> mistakes?
>
> --
> wbr, Alexey.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
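The ruleset quoted above only does what Alexey wants if every reply-to names the interface the packet actually arrived on: for the `pass in on $ext_ifN` rules that is the `on` interface, and for the `tagged IF_N` rules it is the interface the matching `rdr on $ext_ifN ... tag IF_N` rule was applied on. Getting one of those pairs wrong sends replies out the other WAN link, which shows up as broken or asymmetric return traffic rather than as a pf error. The following is an added example, not code from either poster: a small Python lint that folds pf.conf continuations, expands macros, maps tags to their rdr ingress interface, and reports every reply-to whose interface does not match. The macro values, the port and the internal address in the embedded excerpt are constructed, and its last rule is deliberately given a mismatched tag so the check has something to report.

```python
import re
from typing import Dict, List, Tuple

# Constructed pf.conf excerpt modelled on the rules quoted in the thread.
# Macro values, the port and the internal address are made up; the last rule
# deliberately pairs tag IF_2 (packets that arrived on em1) with a reply-to
# via em0, which is the kind of mistake this lint is meant to catch.
PF_CONF = """
ext_if1 = "em0"
ext_if2 = "em1"
ext_gw1 = "192.0.2.1"
ext_gw2 = "198.51.100.1"
ip_internal = "10.0.0.5"

rdr on $ext_if1 proto tcp to port 8080 tag IF_1 \\
    -> $ip_internal port 8080
rdr on $ext_if2 proto tcp to port 8080 tag IF_2 \\
    -> $ip_internal port 8080

pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \\
    to port ftp flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \\
    to port ftp flags S/SA keep state
pass in quick reply-to ($ext_if1 $ext_gw1) proto tcp \\
    tagged IF_1 flags S/SA keep state
pass in quick reply-to ($ext_if1 $ext_gw1) proto tcp \\
    tagged IF_2 flags S/SA keep state   # wrong: IF_2 traffic came in on em1
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')
RDR_RE = re.compile(r"^rdr\s+on\s+(\S+)\b.*?\btag\s+(\w+)")
REPLY_RE = re.compile(r"\breply-to\s+\(\s*(\S+)\s+(\S+)\s*\)")
ON_RE = re.compile(r"\bon\s+(\S+)")
TAGGED_RE = re.compile(r"\btagged\s+(\w+)")


def join_continuations(text: str) -> List[str]:
    """Strip comments and fold backslash continuations into one logical line each."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(" ".join(buf.split()))
        buf = ""
    return lines


def expand_macros(lines: List[str]) -> List[str]:
    """Collect `name = "value"` macros and substitute $name in the remaining rules."""
    macros: Dict[str, str] = {}
    rules: List[str] = []
    for line in lines:
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
        else:
            rules.append(line)
    # Longest names first so $ext_if10 is never clobbered by $ext_if1.
    for name in sorted(macros, key=len, reverse=True):
        rules = [r.replace("$" + name, macros[name]) for r in rules]
    return rules


def check_reply_to(conf: str) -> List[Tuple[str, str]]:
    """Return (kind, rule) for every reply-to rule whose interface is suspect.

    kind is "mismatch" when the reply-to interface differs from the ingress
    interface implied by `on` or by the tag's rdr rule, and "unknown-ingress"
    when the rule gives no way to tell where the packet arrived.
    """
    rules = expand_macros(join_continuations(conf))
    tag_if: Dict[str, str] = {}
    for r in rules:
        m = RDR_RE.match(r)
        if m:
            tag_if[m.group(2)] = m.group(1)
    findings: List[Tuple[str, str]] = []
    for r in rules:
        m = REPLY_RE.search(r)
        if not m:
            continue
        reply_if = m.group(1)
        on = ON_RE.search(r)
        tagged = TAGGED_RE.search(r)
        if on:
            expected = on.group(1)
        elif tagged:
            expected = tag_if.get(tagged.group(1))
        else:
            expected = None
        if expected is None:
            findings.append(("unknown-ingress", r))
        elif expected != reply_if:
            findings.append(("mismatch", r))
    return findings


if __name__ == "__main__":
    for kind, rule in check_reply_to(PF_CONF):
        print(f"{kind}: {rule}")
```

Run against the embedded excerpt it reports exactly one finding, the `tagged IF_2` rule whose reply-to points at em0 while the IF_2 rdr rule sits on em1. The lint says nothing about the throughput drop Alexey measures; it only rules out the configuration mistake that would make reply-to misroute return traffic, which is the first thing worth excluding before looking at the kernel.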