From: Kamil Choudhury <Kamil.Choudhury@anserinae.net>
To: freebsd-pf@freebsd.org
Subject: Slow NAT on 10.3-RELEASE
Date: Tue, 11 Oct 2016 08:34:53 +0000
List-Id: Technical discussion and general questions about packet filter (pf)

Hey freebsd-pf:

I'm on FreeBSD 10.3-RELEASE, and attempting to route all traffic from jail1 to the
internet out of router.vtnet0 using PF. It *works*, but not well: boundary's
NAT tops out at a blistering 20KBps on a 100Mbps internet connection.

Here's the topology I'm working with:

client1.tap0 <--1--> tap1.intermediate1.tap0 <--2--> tap0.boundary.vtnet0 -> internet
       .vtnet0-->internet          .vtnet0--> internet
       .vlan0
       |
       +--> jail1 (10.0.0.33)

There are layers of PF firewalls; stripped of all nonsense here are their pf.confs:

[client1]

if_ext = "vtnet0"
set skip on lo0
scrub in
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all
pass in quick on tap0 reply-to (tap0 192.168.53.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap0 192.168.53.1) from 10.0.0.0/24 to any keep state (floating)

[intermediate]

if_ext = "vtnet0"
set skip on lo0
scrub in
pass in all
pass out all
pass in quick on tap1 reply-to (tap1 192.168.2.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap1 192.168.2.1) from 10.0.0.0/24 to any keep state (floating)

[boundary]

if_ext = "vtnet0"
set skip on lo0
scrub in
rdr on $if_ext proto tcp from any to $if_ext port 25 -> 10.0.0.33
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all

Diagnostics:

iperf from jail1 to boundary.tap0 is about 50-60Mbps, so I am ruling out
configuration issues on Links 1 and 2.

All hosts can ping everyone, and ping packets to the internet from jail1 go
out the door to the internet from boundary1. It looks, therefore, like routing
is set up correctly as well on all the hosts.

All of these hosts are virtualized on Vultr (haven't tried on DO or EC2).
Links 1 and 2 are OpenVPN connections, FWIW.

I've seen some mention of checksum issues on NAT limiting performance, but that
seems to have been fixed as of 10.2 in an errata. Have I stumbled upon an actual
problem, or have I misconfigured something?

Thanks in advance,
Kamil
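An added example, not part of Kamil's mail or of any reply in the thread: the mail mentions checksum handling as a suspect, and the hosts are virtio (vtnet) guests, so a quick first check is which checksum, TSO and LRO offload features the NIC currently has enabled, and what ifconfig(8) invocation would switch them off for an A/B throughput test with the same pf rules. The `ifconfig vtnet0` output below is a constructed sample (the interface name, MAC and 203.0.113.x address are placeholders); on a real host feed the script the live output instead. The offload keywords (-rxcsum, -txcsum, -tso4, -tso6, -lro, -vlanhwcsum, -vlanhwtso, -rxcsum6, -txcsum6) are the ones documented in FreeBSD's ifconfig(8).

```shell
#!/bin/sh
# Added example (not from the original mail). Parse `ifconfig <if>` output,
# list the enabled NIC offload features that matter for a forwarding/NAT box,
# and print the ifconfig command that turns them off for a retest.

# Constructed sample of a virtio vtnet interface; replace with `ifconfig vtnet0`.
SAMPLE_IFCONFIG='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 56:00:00:1a:2b:3c
	inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
	media: Ethernet 10Gbase-T <full-duplex>
	status: active'

# Extract the comma-separated feature list from the "options=HEX<...>" line.
iface_options() {
    printf '%s\n' "$1" | sed -n 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p'
}

# Print one enabled offload feature per line. Features that do not touch
# checksumming or segmentation (VLAN_MTU, LINKSTATE, ...) are filtered out.
offload_enabled() {
    iface_options "$1" | tr ',' '\n' \
        | grep -E '^(RXCSUM|TXCSUM|TSO4|TSO6|LRO|VLAN_HWCSUM|VLAN_HWTSO|RXCSUM_IPV6|TXCSUM_IPV6)$'
}

# Map a feature name from the options list to the ifconfig(8) keyword that
# disables it.
disable_keyword() {
    case "$1" in
        RXCSUM)      printf '%s\n' -rxcsum ;;
        TXCSUM)      printf '%s\n' -txcsum ;;
        RXCSUM_IPV6) printf '%s\n' -rxcsum6 ;;
        TXCSUM_IPV6) printf '%s\n' -txcsum6 ;;
        TSO4)        printf '%s\n' -tso4 ;;
        TSO6)        printf '%s\n' -tso6 ;;
        LRO)         printf '%s\n' -lro ;;
        VLAN_HWCSUM) printf '%s\n' -vlanhwcsum ;;
        VLAN_HWTSO)  printf '%s\n' -vlanhwtso ;;
        *)           return 1 ;;
    esac
}

# Print the complete "ifconfig <if> -kw -kw ..." command for the enabled
# offload features, or nothing at all when none is enabled. The command is
# only printed, never executed, so the output can be reviewed first.
disable_cmd() {
    ifname=$1
    output=$2
    kws=''
    for feature in $(offload_enabled "$output"); do
        kws="$kws $(disable_keyword "$feature")"
    done
    if [ -n "$kws" ]; then
        printf 'ifconfig %s%s\n' "$ifname" "$kws"
    fi
    return 0
}

disable_cmd vtnet0 "$SAMPLE_IFCONFIG"
```

Run the printed command on the NAT box, rerun the iperf test through it, and compare; if throughput changes, the offload/checksum path is where to keep digging, otherwise the pf rules and the route-to/reply-to chain are the next thing to look at. Re-enable the features afterwards (same keywords without the leading minus) if they made no difference.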