Date:      Thu,  2 Oct 2003 07:53:51 -0400 (EDT)
From:      "Jayel" <jarthel@excite.com>
To:        freebsd-net@freebsd.org
Subject:    slow speed on a winxp PC behind FreeBSD 4.8 and 5.1 firewall/gateway
Message-ID:  <20031002115351.C5F3ABFB3@xmxpita.excite.com>


I've tried both and speeds aren't amazing. I get full speed (my adsl plan is 512/128) on the FBSD box when downloading from a local FTP server. On the WinXP PC, downloading from the same FTP server, the speed struggles at 30kbytes/sec (max speed on the FBSD box is 50kbytes/sec) and it sometimes goes down.

When I transferred the ADSL modem and connected the WinXP directly to it, I'm getting full speed from the same FTP server.

Thanks for the replies.

Jayel
------------- Important info regarding my setup------------

I have 3 NICs

xl=connected to ethernet modem
xl1=192.168.1.1
xl2=192.168.2.1

in my kernel, I added the following that may relate to internet connection:

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options IPSTEALTH
options TCP_DROP_SYNFIN
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET

Here are my ipnat and ipf rules.

-----------ipnat-------------------
#getting access to FTP servers
map tun0 192.168.1.0/23 -> 0/32 proxy port 21 ftp/tcp
map tun0 192.168.2.0/23 -> 0/32 proxy port 21 ftp/tcp
map tun0 192.168.2.0/23 -> 0/32 proxy port 210 ftp/tcp
map tun0 192.168.2.0/23 -> 0/32 proxy port 1511 ftp/tcp
map tun0 192.168.2.0/23 -> 0/32 proxy port 2121 ftp/tcp
map tun0 192.168.2.0/23 -> 0/32 proxy port 4165 ftp/tcp
map tun0 192.168.2.0/23 -> 0/32 proxy port 11111 ftp/tcp
map tun0 192.168.2.0/23 -> 0/32 proxy port 29024 ftp/tcp

#map LAN to internet
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10001:20000
map tun0 192.168.1.0/24 -> 0/32

#map DMZ
map tun0 192.168.2.0/24 -> 0/32 portmap tcp/udp 20001:30000
map tun0 192.168.2.0/24 -> 0/32

#Squid
rdr tun0 0.0.0.0/0 port 80 -> 127.0.0.1 port 19980
rdr tun0 0.0.0.0/0 port 80 -> 127.0.0.1 port 19980

#DCC send/accept
rdr tun0 0.0.0.0/0 port 59 -> 192.168.2.2 port 59
rdr tun0 0.0.0.0/0 port 19990 -> 192.168.2.2 port 19990
rdr tun0 0.0.0.0/0 port 19991 -> 192.168.2.2 port 19991
rdr tun0 0.0.0.0/0 port 19992 -> 192.168.2.2 port 19992
rdr tun0 0.0.0.0/0 port 19993 -> 192.168.2.2 port 19993
rdr tun0 0.0.0.0/0 port 19994 -> 192.168.2.2 port 19994

#Emule
rdr tun0 0.0.0.0/0 port 4662 -> 192.168.2.2 port 4662
rdr tun0 0.0.0.0/0 port 4672 -> 192.168.2.2 port 4672


----------IPF-----------------

#allow loopback
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any

#drop incomplete packets
block in log quick from any to any with frag
block in log quick from any to any with ipopt
block in log quick from any to any with short

#kill windows dust
block in quick proto udp from any to any port = netbios-ns
block in quick proto udp from any to any port = netbios-dgm
block in quick proto udp from any to any port = netbios-ssn

#block Windows exploits
block in quick proto tcp from any to any port = 135

#allow access from egweneAV subnet to nynaeveAM firewall
block in quick on xl1 all head 100

	#ssh to nynaeveAM firewall
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to 192.168.1.1/32 port = 22 flags S keep state group 100

	#egweneAV subnet to internet
	#DNS
	pass in quick on xl1 proto udp from 192.168.1.0/24 to 210.15.254.240 port = 53 keep state group 100
	pass in quick on xl1 proto udp from 192.168.1.0/24 to 210.15.254.241 port = 53 keep state group 100

	#HTTP
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to 127.0.0.1/32 port = 19980 flags S keep state group 100

	#FTP servers
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 21 flags S keep state group 100
  
	#Usenet
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 119 flags S keep state group 100
  
	#IRC
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6665 flags S keep state group 100
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6666 flags S keep state group 100
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6667 flags S keep state group 100
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6668 flags S keep state group 100
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6669 flags S keep state group 100
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 7000 flags S keep state group 100

	#Chikka
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to 209.10.203.102 port = 6301 flags S keep state group 100

	#MSN
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to 207.46.104.20 port = 1863 flags S keep state group 100
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6891 flags S keep state group 100
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6892 flags S keep state group 100

	#ICQ
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to 205.188.179.233 port = 5190 flags S keep state group 100

	#Yahoo
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to 216.136.173.168 port = 5050 flags S keep state group 100
	
	#VNC
	pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 5900 flags S keep state group 100

	#allow pings
	pass in quick on xl1 proto icmp from 192.168.1.0/24 to !192.168.1.1/32 icmp-type 8 keep state group 100

	block in log first quick on xl1 all group 100

#allow access from internet to egweneAV subnet
block out quick on xl1 all head 150

	#allow VNC to 192.168.1.1/32
	pass out quick on xl1 proto tcp from 192.168.1.1/32 to 192.168.1.2/32 port = 5900 flags S keep state group 150

	#allow HTTP to pass to 192.168.1.0/24
	pass out quick on xl1 proto tcp from 127.0.0.1/32 port = 19980 to 192.168.1.0/24 keep state group 150
	block in log first on xl1 all group 150

#traffic from firewall to the internet
block out quick on tun0 all head 200
	
	#DNS
	pass out quick on tun0 proto udp from any to 210.15.254.240 port = 53 keep state group 200

	#HTTP
	pass out quick on tun0 proto tcp from any to any port = 80 flags S keep state group 200
	
	#SSH
	pass out quick on tun0 proto tcp from any to any port = 22 keep state group 200
	
	#FTP
	pass out quick on tun0 proto tcp from any to any port = 21 flags S keep state group 200

	#Allow nynaeveAM to sync time with time servers (time.nist.gov)
	pass out quick on tun0 proto tcp from any to any port = 37 flags S keep state group 200

	#allow Ping to go out
	pass out quick on tun0 proto icmp from any to any icmp-type 8 keep state group 200

	block out log first quick on tun0 all group 200

#allow traffic from internet to nynaeveAM firewall
block in quick on tun0 all head 250

	#SSH
	pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state group 250
  
	#allow ports 20001 to 20101 to pass through to 192.168.2.2/32 for FTP connection
	pass in quick on tun0 proto tcp from any to 192.168.2.2/32 port 20000 >< 20102 keep state group 250

	#allows the following ports to pass through 192.168.2.2/32 for DCC connections
	pass in quick on tun0 proto tcp from any to 192.168.2.2/32 port = 59 flags S keep state group 250
	pass in quick on tun0 proto tcp from any to 192.168.2.2/32 port 19989 >< 19995 flags S keep state group 250

	#allow emule connection to come into nynaeveAM
	pass in quick on tun0 proto tcp from any to 192.168.2.2/32 port = 4662 flags S keep state group 250
	pass in quick on tun0 proto udp from any to 192.168.2.2/32 port = 4672 keep state group 250

	#allow FTP data connections into nynaeveAM
	pass in quick on tun0 proto tcp from any port = 20 to any flags S keep state group 250
	
	block in log first quick on tun0 all group 250

#allow access from elayneT subnet to internet
block in quick on xl2 all head 300

	#DNS
	pass in quick on xl2 proto udp from 192.168.2.0/24 to 210.15.254.240 port = 53 keep state group 300
	pass in quick on xl2 proto udp from 192.168.2.0/24 to 210.15.254.241 port = 53 keep state group 300
  
	#FTP servers
	pass in quick on xl2 proto tcp from 192.168.2.0/24 to !192.168.2.1/32 port = 21 flags S keep state group 300
	pass in quick on xl2 proto tcp from 192.168.2.0/24 to !192.168.2.1/32 port = 210 flags S keep state group 300
	
	#Usenet
	pass in quick on xl2 proto tcp from 192.168.2.0/24 to !192.168.1.1/32 port = 119 flags S keep state group 300

	#allow ports 1025 and above to pass through to 192.168.2.2/32 (should allow IRC, DCC receive and FTP access to servers not using port=21)
	pass in quick on xl2 proto tcp from 192.168.2.2/32 to !192.168.2.1/32 port 1024 >< 65535 flags S keep state group 300
	
	#HTTP
	pass in quick on xl2 proto tcp from 192.168.2.0/24 to 127.0.0.1/32 port = 19980 flags S keep state group 300
	pass in quick on xl2 proto tcp from 192.168.2.0/24 to !192.168.2.1/32 port = 443 flags S keep state group 300

	#allow pings
	pass in quick on xl2 proto icmp from 192.168.2.0/24 to any icmp-type 8 keep state group 300

	#delete later
	pass in quick on xl2 proto tcp from 192.168.2.0/24 to !192.168.2.1/32 port = 22 flags S keep state group 300
	pass in quick on xl2 proto tcp from 192.168.2.0/24 to any port = 6301 flags S keep state group 300
	pass in quick on xl2 proto tcp from 192.168.2.0/24 to any port = 1863 flags S keep state group 300

	block in log first quick on xl2 all group 300

#allow access from internet to elayneT subnet
block out quick on xl2 all head 350

	#allow VNC to pass to 192.168.2.2/32
	pass out quick on xl2 proto tcp from 192.168.2.1/32 to 192.168.2.2/32 port = 5901 flags S keep state group 350
	
	#allow HTTP to pass to 192.168.2.0/24
	pass out quick on xl2 proto tcp from 127.0.0.1/32 port = 19980 to 192.168.2.0/24 keep state group 350
	
	#allow nynaeveAM to ping any PC within 192.168.2.0/24
	pass out quick on xl2 proto icmp from 192.168.2.1/32 to 192.168.2.0/24 keep state group 350

	block out log first quick on xl2 all group 350

#block any other packets that didn't match
block in quick all
block out quick all 


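Added example, not part of the post: a small Python lint over a constructed excerpt of the ipf and ipnat rules above. It flags a comment line that lacks its leading `#`, a rule attached to a group whose head rule has the opposite direction, a `map` source mask wider than the mask used elsewhere for the same LAN, and a duplicated `rdr` line. The sample rules are copied from the post; the parsing regexes and check logic are my own assumptions about the ipf/ipnat syntax, not ipf's parser.

```python
import re
# Constructed excerpt of the ipf and ipnat rules quoted in the post (not the full files).
IPF_RULES = """\
allow loopback
block in quick on xl1 all head 100
block in log first quick on xl1 all group 100
block out quick on xl1 all head 150
pass out quick on xl1 proto tcp from 192.168.1.1/32 to 192.168.1.2/32 port = 5900 flags S keep state group 150
block in log first on xl1 all group 150
"""
IPNAT_RULES = """\
map tun0 192.168.1.0/23 -> 0/32 proxy port 21 ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10001:20000
rdr tun0 0.0.0.0/0 port 80 -> 127.0.0.1 port 19980
rdr tun0 0.0.0.0/0 port 80 -> 127.0.0.1 port 19980
"""
RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\b(?:.*\s(head|group)\s+(\d+))?.*$")
MAP_RE = re.compile(r"^map\s+\S+\s+(\d+\.\d+\.\d+\.\d+)/(\d+)")
def active(text):
    """(lineno, stripped line) for every line that is neither blank nor a '#' comment."""
    return [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1)
            if ln.strip() and not ln.strip().startswith("#")]
def lint_ipf(text):
    """Flag unparsable lines and group rules whose direction differs from their head rule."""
    findings, heads, members = [], {}, []
    for n, s in active(text):
        m = RULE_RE.match(s)
        if not m:
            findings.append((n, "not a rule and not a '#' comment; ipf cannot parse this line"))
        elif m.group(3) == "head":
            heads[m.group(4)] = m.group(2)          # group number -> in/out of its head
        elif m.group(3) == "group":
            members.append((n, m.group(2), m.group(4)))
    findings += [(n, f"'{d}' rule in group {g} whose head is '{heads[g]}'")
                 for n, d, g in members if heads.get(g, d) != d]
    return findings
def lint_ipnat(text):
    """Flag duplicate NAT rules and map sources wider than the mask used for the same network elsewhere."""
    findings, first, nets = [], {}, {}
    for n, s in active(text):
        if s in first:
            findings.append((n, f"duplicate of line {first[s]}"))
        first.setdefault(s, n)
        if m := MAP_RE.match(s):
            nets.setdefault(m.group(1), []).append((n, int(m.group(2))))
    for net, uses in nets.items():
        tightest = max(p for _, p in uses)
        findings += [(n, f"{net}/{p} is wider than /{tightest} used for the same network")
                     for n, p in uses if p < tightest]
    return findings
```

Run `lint_ipf(IPF_RULES)` and `lint_ipnat(IPNAT_RULES)` to list the findings with their line numbers; the same functions accept the full rule files as text.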