From: "Jayel" <jarthel@excite.com>
To: freebsd-net@freebsd.org
Date: Thu, 2 Oct 2003 07:53:51 -0400 (EDT)
Subject: slow speed on a winxp PC behind FreeBSD 4.8 and 5.1 firewall/gateway
Message-Id: <20031002115351.C5F3ABFB3@xmxpita.excite.com>
List-Id: Networking and TCP/IP with FreeBSD

I've tried both and the speeds aren't amazing. I get full speed (my ADSL plan is 512/128) on the FBSD box when downloading from a local FTP server. On the WinXP PC, downloading from the same FTP server, the speed struggles at 30 kbytes/sec (max speed on the FBSD box is 50 kbytes/sec) and it sometimes goes down. When I moved the ADSL modem and connected the WinXP PC directly to it, I got full speed from the same FTP server.

Thanks for the replies.
Jayel

------------- Important info regarding my setup ------------

I have 3 NICs:
  xl0 = connected to the ethernet modem
  xl1 = 192.168.1.1
  xl2 = 192.168.2.1

In my kernel, I added the following options, which may relate to the internet connection:

  options IPFILTER
  options IPFILTER_LOG
  options IPFILTER_DEFAULT_BLOCK
  options IPSTEALTH
  options TCP_DROP_SYNFIN
  options NETGRAPH
  options NETGRAPH_ETHER
  options NETGRAPH_PPPOE
  options NETGRAPH_SOCKET

Here are my ipnat and ipf rules.

----------- ipnat -------------------

#getting access to FTP servers (the proxy rules have to come before the plain map rules)
#both LAN and DMZ are /24 networks
map tun0 192.168.1.0/24 -> 0/32 proxy port 21 ftp/tcp
map tun0 192.168.2.0/24 -> 0/32 proxy port 21 ftp/tcp
map tun0 192.168.2.0/24 -> 0/32 proxy port 210 ftp/tcp
map tun0 192.168.2.0/24 -> 0/32 proxy port 1511 ftp/tcp
map tun0 192.168.2.0/24 -> 0/32 proxy port 2121 ftp/tcp
map tun0 192.168.2.0/24 -> 0/32 proxy port 4165 ftp/tcp
map tun0 192.168.2.0/24 -> 0/32 proxy port 11111 ftp/tcp
map tun0 192.168.2.0/24 -> 0/32 proxy port 29024 ftp/tcp
#map LAN to internet
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10001:20000
map tun0 192.168.1.0/24 -> 0/32
#map DMZ to internet
map tun0 192.168.2.0/24 -> 0/32 portmap tcp/udp 20001:30000
map tun0 192.168.2.0/24 -> 0/32
#Squid (transparent proxy listening on 127.0.0.1:19980)
rdr tun0 0.0.0.0/0 port 80 -> 127.0.0.1 port 19980
#DCC send/accept
rdr tun0 0.0.0.0/0 port 59 -> 192.168.2.2 port 59
rdr tun0 0.0.0.0/0 port 19990 -> 192.168.2.2 port 19990
rdr tun0 0.0.0.0/0 port 19991 -> 192.168.2.2 port 19991
rdr tun0 0.0.0.0/0 port 19992 -> 192.168.2.2 port 19992
rdr tun0 0.0.0.0/0 port 19993 -> 192.168.2.2 port 19993
rdr tun0 0.0.0.0/0 port 19994 -> 192.168.2.2 port 19994
#Emule
rdr tun0 0.0.0.0/0 port 4662 -> 192.168.2.2 port 4662
rdr tun0 0.0.0.0/0 port 4672 -> 192.168.2.2 port 4672

---------- IPF -----------------

#allow loopback
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
#drop incomplete packets
block in log quick from any to any with frag
block in log quick from any to any with ipopt
block in log quick from any to any with short
#kill windows dust
block in quick proto udp from any to any port = netbios-ns
block in quick proto udp from any to any port = netbios-dgm
block in quick proto udp from any to any port = netbios-ssn
#block Windows exploits
block in quick proto tcp from any to any port = 135

#allow access from egweneAV subnet to nynaeveAM firewall
block in quick on xl1 all head 100
#ssh to nynaeveAM firewall
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 192.168.1.1/32 port = 22 flags S keep state group 100
#egweneAV subnet to internet
#DNS
pass in quick on xl1 proto udp from 192.168.1.0/24 to 210.15.254.240 port = 53 keep state group 100
pass in quick on xl1 proto udp from 192.168.1.0/24 to 210.15.254.241 port = 53 keep state group 100
#HTTP (via Squid)
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 127.0.0.1/32 port = 19980 flags S keep state group 100
#FTP servers
pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 21 flags S keep state group 100
#Usenet
pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 119 flags S keep state group 100
#IRC
pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6665 flags S keep state group 100
pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6666 flags S keep state group 100
pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6667 flags S keep state group 100
pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6668 flags S keep state group 100
pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6669 flags S keep state group 100
pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 7000 flags S keep state group 100
#Chikka
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 209.10.203.102 port = 6301 flags S keep state group 100
#MSN
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 207.46.104.20 port = 1863 flags S keep state group 100
pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6891 flags S keep state group 100
pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 6892 flags S keep state group 100
#ICQ
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 205.188.179.233 port = 5190 flags S keep state group 100
#Yahoo
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 216.136.173.168 port = 5050 flags S keep state group 100
#VNC
pass in quick on xl1 proto tcp from 192.168.1.0/24 to !192.168.1.1/32 port = 5900 flags S keep state group 100
#allow pings
pass in quick on xl1 proto icmp from 192.168.1.0/24 to !192.168.1.1/32 icmp-type 8 keep state group 100
block in log first quick on xl1 all group 100

#traffic from the firewall out to the egweneAV subnet
block out quick on xl1 all head 150
#allow VNC from 192.168.1.1/32 to 192.168.1.2/32
pass out quick on xl1 proto tcp from 192.168.1.1/32 to 192.168.1.2/32 port = 5900 flags S keep state group 150
#allow HTTP (Squid replies) to pass to 192.168.1.0/24
pass out quick on xl1 proto tcp from 127.0.0.1/32 port = 19980 to 192.168.1.0/24 keep state group 150
#group 150 is an "out" group, so its catch-all must be an "out" rule too; an "in" rule here is never matched
block out log first quick on xl1 all group 150

#traffic from firewall to the internet
block out quick on tun0 all head 200
#DNS
pass out quick on tun0 proto udp from any to 210.15.254.240 port = 53 keep state group 200
#HTTP
pass out quick on tun0 proto tcp from any to any port = 80 flags S keep state group 200
#SSH
pass out quick on tun0 proto tcp from any to any port = 22 flags S keep state group 200
#FTP
pass out quick on tun0 proto tcp from any to any port = 21 flags S keep state group 200
#Allow nynaeveAM to sync time with time servers (time.nist.gov)
pass out quick on tun0 proto tcp from any to any port = 37 flags S keep state group 200
#allow Ping to go out
pass out quick on tun0 proto icmp from any to any icmp-type 8 keep state group 200
block out log first quick on tun0 all group 200

#allow traffic from internet to nynaeveAM firewall
block in quick on tun0 all head 250
#SSH
pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state group 250
#allow ports 20001 to 20101 to pass through to 192.168.2.2/32 for FTP connections
pass in quick on tun0 proto tcp from any to 192.168.2.2/32 port 20000 >< 20102 flags S keep state group 250
#allow the following ports to pass through to 192.168.2.2/32 for DCC connections
pass in quick on tun0 proto tcp from any to 192.168.2.2/32 port = 59 flags S keep state group 250
pass in quick on tun0 proto tcp from any to 192.168.2.2/32 port 19989 >< 19995 flags S keep state group 250
#allow emule connections to come into nynaeveAM
pass in quick on tun0 proto tcp from any to 192.168.2.2/32 port = 4662 flags S keep state group 250
pass in quick on tun0 proto udp from any to 192.168.2.2/32 port = 4672 keep state group 250
#allow active-mode FTP data connections into nynaeveAM
#NB: this matches only on the source port, so it admits any inbound TCP connection
#whose source port is 20, to any destination host and port
pass in quick on tun0 proto tcp from any port = 20 to any flags S keep state group 250
block in log first quick on tun0 all group 250

#allow access from elayneT subnet to internet
block in quick on xl2 all head 300
#DNS
pass in quick on xl2 proto udp from 192.168.2.0/24 to 210.15.254.240 port = 53 keep state group 300
pass in quick on xl2 proto udp from 192.168.2.0/24 to 210.15.254.241 port = 53 keep state group 300
#FTP servers
pass in quick on xl2 proto tcp from 192.168.2.0/24 to !192.168.2.1/32 port = 21 flags S keep state group 300
pass in quick on xl2 proto tcp from 192.168.2.0/24 to !192.168.2.1/32 port = 210 flags S keep state group 300
#Usenet (excluding this subnet's own gateway, 192.168.2.1)
pass in quick on xl2 proto tcp from 192.168.2.0/24 to !192.168.2.1/32 port = 119 flags S keep state group 300
#allow ports 1025 and above from 192.168.2.2/32 (should allow IRC, DCC receive and FTP access to servers not using port 21)
pass in quick on xl2 proto tcp from 192.168.2.2/32 to !192.168.2.1/32 port 1024 >< 65535 flags S keep state group 300
#HTTP (via Squid) and HTTPS
pass in quick on xl2 proto tcp from 192.168.2.0/24 to 127.0.0.1/32 port = 19980 flags S keep state group 300
pass in quick on xl2 proto tcp from 192.168.2.0/24 to !192.168.2.1/32 port = 443 flags S keep state group 300
#allow pings
pass in quick on xl2 proto icmp from 192.168.2.0/24 to any icmp-type 8 keep state group 300
#delete later
pass in quick on xl2 proto tcp from 192.168.2.0/24 to !192.168.2.1/32 port = 22 flags S keep state group 300
pass in quick on xl2 proto tcp from 192.168.2.0/24 to any port = 6301 flags S keep state group 300
pass in quick on xl2 proto tcp from 192.168.2.0/24 to any port = 1863 flags S keep state group 300
block in log first quick on xl2 all group 300

#traffic from the firewall out to the elayneT subnet
block out quick on xl2 all head 350
#allow VNC to pass to 192.168.2.2/32
pass out quick on xl2 proto tcp from 192.168.2.1/32 to 192.168.2.2/32 port = 5901 flags S keep state group 350
#allow HTTP (Squid replies) to pass to 192.168.2.0/24
pass out quick on xl2 proto tcp from 127.0.0.1/32 port = 19980 to 192.168.2.0/24 keep state group 350
#allow nynaeveAM to ping any PC within 192.168.2.0/24
pass out quick on xl2 proto icmp from 192.168.2.1/32 to 192.168.2.0/24 keep state group 350
block out log first quick on xl2 all group 350

#block any other packets that didn't match
block in quick all
block out quick all
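A ruleset of this size is easy to get subtly wrong, and ipf does not warn about the usual slips: a `group N` rule whose direction differs from its `head N` rule is never matched, a network written with host bits set below its prefix (say `192.168.1.0/23`) is silently masked to a different network, and a rule pasted twice just wastes a lookup. The linter below is an added example, not part of the original post or of IPFilter itself; it reads lines in the same plain syntax as the ipf and ipnat rules above and reports those three problems. The `SAMPLE_RULES` text is constructed for the example (it deliberately contains a mis-directed group tail, a misaligned `/23` and a duplicated `rdr`) and the function names are the example's own.

```python
"""Lint an IPFilter (ipf/ipnat) ruleset for three structural mistakes.

Added example, not from the original post and not an IPFilter tool.
Reports:
  * a rule whose direction (in/out) differs from the head rule of the
    group it joins: ipf evaluates group rules only for packets that hit
    the head, so the mismatched rule can never match;
  * an a.b.c.d/n network whose host bits are not all zero, which ipf
    masks to a different network than the one written;
  * exact duplicate rules.
"""
import ipaddress
import re

# Constructed excerpt in ipf/ipnat syntax (not the poster's file verbatim).
SAMPLE_RULES = """\
block in quick on xl1 all head 100
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 192.168.1.1/32 port = 22 flags S keep state group 100
block in log first quick on xl1 all group 100
block out quick on xl1 all head 150
pass out quick on xl1 proto tcp from 192.168.1.1/32 to 192.168.1.2/32 port = 5900 flags S keep state group 150
block in log first on xl1 all group 150
map tun0 192.168.1.0/23 -> 0/32 proxy port 21 ftp/tcp
rdr tun0 0.0.0.0/0 port 80 -> 127.0.0.1 port 19980
rdr tun0 0.0.0.0/0 port 80 -> 127.0.0.1 port 19980
"""

# Dotted-quad network with a prefix length; bare "0/32" is left alone.
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\b")


def misaligned_networks(rule: str) -> list[str]:
    """Return each a.b.c.d/n token in `rule` whose host bits are not all zero."""
    bad = []
    for addr, plen in CIDR_RE.findall(rule):
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if str(net.network_address) != addr:
            bad.append(f"{addr}/{plen} (ipf masks this to {net})")
    return bad


def lint(rules: str) -> list[str]:
    """Walk the ruleset once and return one finding string per problem."""
    heads: dict[str, str] = {}   # group number -> direction of its head rule
    seen: set[str] = set()
    findings: list[str] = []
    for lineno, raw in enumerate(rules.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not rule:
            continue
        if rule in seen:
            findings.append(f"line {lineno}: duplicate of an earlier rule: {rule}")
        seen.add(rule)
        for problem in misaligned_networks(rule):
            findings.append(f"line {lineno}: misaligned network {problem}")
        tokens = rule.split()
        # Only ipf filter rules carry a direction and can belong to a group.
        if tokens[0] in ("pass", "block", "log") and len(tokens) > 1 and tokens[1] in ("in", "out"):
            direction = tokens[1]
            if "head" in tokens:
                heads[tokens[tokens.index("head") + 1]] = direction
            if "group" in tokens:
                grp = tokens[tokens.index("group") + 1]
                head_dir = heads.get(grp)
                if head_dir is None:
                    findings.append(f"line {lineno}: group {grp} has no head rule before it")
                elif head_dir != direction:
                    findings.append(
                        f"line {lineno}: '{direction}' rule in group {grp}, "
                        f"whose head is '{head_dir}': never matched"
                    )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
```

To check a live box, feed it the concatenation of the real files instead of the sample, e.g. `lint(open("/etc/ipf.rules").read() + open("/etc/ipnat.rules").read())`; the group check only has meaning within one ipf file, so keep the ipf rules first and contiguous.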