From: Christopher McGee
Date: Thu, 12 May 2005 14:35:24 -0400
To: Chris Dionissopoulos
cc: freebsd-pf@freebsd.org
Subject: Re: Pf in 4.11

Chris Dionissopoulos wrote:

> My 2 cents:
>
> 1. 5000 qlimit packets is a HUGE value:
> This means, that your buffer is 5000 x 1000( avg. mtu) = 5mbytes.
> For 20Mbps queue-speed, it takes 32000 ms (32sec) to fill and then
> letting altq decide for adding or not (0.1-500 ms) delays.
> Doesn't make sense, eh?
> Try a more reasonable value of 50 for speeds 10-100MBps.
>
> 2. Try enabling red (or rio) in "queue1". This early detects "queue1"
> congestion and drops packets before queue rate limit is reached.
>
>
> Tell us, if you have a better 'queue0' behavior with these changes.
>
> Chris.
>
>>
>> When queue1 starts pushing its maximum bandwidth, queue0 (the
>> default) seems to choke and services become unavailable from the
>> outside. I cut back queue1 by about 7 mbit/s and it has cleared it
>> up for the most part. Not completely though. Here's what I think is
>> the relevant info, let me know if you need anything else:
>>
>> The box:
>> CPU: Intel(R) Pentium(R) 4 CPU 2.00GHz (1999.78-MHz 686-class CPU)
>> real memory = 1071906816 (1022 MB)
>> avail memory = 1039392768 (991 MB)
>> fxp0-6, only 0, and 1 are being used, the others are for future
>> projects, like pfsync, and some dmz type stuff.
>>
>> pf configuration:
>> set limit { states 100000, frags 5000 }
>> set loginterface $ext_if
>> set block-policy drop
>> all other options are default
>>
>> queue configuration:
>> altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
>> queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
>> queue queue1 bandwidth 12Mb qlimit 5000
>> the additional bandwidth that is not included in the queues should be
>> added to queue1 but when that is done, it causes problems. At high
>> traffic times, queue will use ALL of its bandwidth and queue0 usually
>> only uses 3-5megs.
>>
>> There is no nat or anything running on this firewall. Public IP
>> addresses outside and inside. I would rather not revert to 4.x if
>> possible but I can't have this machine unstable.
>>
>> Thanks,
>> Chris

The reason the queue size was changed was because the queue was getting filled very quickly and there were TONS of dropped packets. I will try RED and see if it gives me better results. I'll let you know.
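
The two changes suggested in the quoted reply, written out against the posted queue configuration. This is an added example, not a configuration posted by either participant; the `ext_if` value is an assumption, since the thread only says fxp0 and fxp1 are in use.

```conf
# Assumption: ext_if is one of the two fxp interfaces in use;
# the thread does not say which one faces outside.
ext_if = "fxp0"

# Parent CBQ definition, unchanged from the posted configuration.
altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }

# Default queue, unchanged from the posted configuration.
queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)

# As posted: queue1 holds up to 5000 packets and only drops when full.
# queue queue1 bandwidth 12Mb qlimit 5000

# As suggested in the reply: qlimit (counted in packets) cut to 50,
# and RED enabled so queue1 starts dropping before it is full.
queue queue1 bandwidth 12Mb qlimit 50 cbq(red)
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -vvs queue` shows per-queue counters for comparing queue0 and queue1 before and after the change.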