From: "Roger 'Rocky' Vetterberg"
Date: Thu, 08 Aug 2002 10:45:00 +0200
To: Patrick Thomas
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: need tunings for a loaded freeBSD firewall

Patrick Thomas wrote:
> Hello,
>
> My firewall is:
>
> CPU: Pentium III/Pentium III Xeon/Celeron (631.29-MHz 686-class CPU)
>
> and it is running 4.4-RELEASE. I have made no special tunings to this
> system other than rebuilding the kernel with superfluous things like USB
> and PCMCIA removed.
>
> The firewall has two interfaces and handles about 2 megabits/second of
> traffic on average. Recently, for reasons I cannot discern, it is choking
> on traffic. Most ftp transfers run at 5-8 Kb/s (as opposed to 300-500 K)
> and pings with large packet sizes drop a lot of packets.
>
> Small (normal) pings and general interactive response seem to be ok, but
> again, file transfers are horrible, and pings with large sizes drop a lot
> of packets.
>
> When I first noticed the problem, I had roughly 400 ipfw rules loaded
> (almost all of them "count" rules for different IPs) and when I ran
> netstat -m, it told me 75% of mb_map in use.
>
> Now I have rebooted the firewall, and only a small number of ipfw rules
> are in place, and immediately after booting, it says 51% of mb_map in use.
>
> BUT, at no time were any requests for memory denied, or delayed, and there
> have been no protocol drain routines called for. This is what netstat -m
> looks like about 10 mins after booting:
>
> # netstat -m
> 360/624/2304 mbufs in use (current/peak/max):
>         360 mbufs allocated to data
> 244/370/576 mbuf clusters in use (current/peak/max)
> 896 Kbytes allocated to network (51% of mb_map in use)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines
>
>
> So .... any suggestions? What are the general tunings that should be
> done to a simple FreeBSD firewall (again, I have done nothing but remove
> things like USB from the kernel)?
>
> Also, do the problems I describe seem consistent with the netstat -m I
> have pasted here?
>
> Any help/comments appreciated.
>
> --pt

What kind of NICs do you use?
I had similar problems with a firewall, although it had a much higher
throughput than 2MBit/s. I solved it by rewriting some ipfw rules and
changing NICs. When switching the 3Com 905's to a couple of Intel
Etherexpress Pro 10/100 the performance increased and the load on the
machine decreased.

--
R