From: Christopher McGee <chris@xecu.net>
Date: Thu, 12 May 2005 14:39:53 -0400
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Subject: Re: Pf in 4.11
Message-ID: <4283A2F9.4060305@xecu.net>
In-Reply-To: <20050512182025.4E5BA2C@gw2.local.net>
List-Id: Technical discussion and general questions about packet filter (pf)

Greg Hennessy wrote:
> I assume this is internet facing? If so, do you really have a 25 megabit
> full duplex pipe to the net?
>
> You don't appear to have implemented any form of ACK prioritisation,
>
> http://www.benzedrine.cx/ackpri.html
>
> It's not optional when running links flat out.
>
> PRIQ/CBQ are not exactly precision instruments when it comes to packet
> shaping, HFSC is better IMHO.
>
> On a side note, I've recently rolled out a 3.4 ghz xeon running 5.4 for a
> customer and it iperfed under soak test @ ~800 megabits/sec through a pair
> of em.
>
> 25 megabits wouldn't tax one of the P2-350s I have here as crash and burn
> test servers.
>
> Greg
>
>> -----Original Message-----
>> From: owner-freebsd-pf@freebsd.org
>> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Christopher McGee
>> Sent: 12 May 2005 18:17
>> To: Richard Tector
>> Cc: freebsd-pf@freebsd.org
>> Subject: Re: Pf in 4.11
>>
>> Richard Tector wrote:
>>> Christopher McGee wrote:
>>>> The handbook states that pf is available through KAME in 4.11 and
>>>> from my reading Kame is built into the system. How do you enable pf
>>>> and altq on 4.x then? I have had trouble finding any how-to's on
>>>> this since everything for pf points to 5.x. I just can't justify
>>>> running 5.x on a production firewall though unless the performance
>>>> greatly improves over 5.3.
>>>
>>> I can push over 300Mbit of sustained TCP traffic through a celeron 1.3
>>> routing and firewalling with pf. It runs a 3 month old RELENG_5. What
>>> sort of performance issues are you seeing that are stopping you from
>>> moving to 5.x?
>>>
>>> Regards,
>>>
>>> Richard Tector
>>
>> When queue1 starts pushing its maximum bandwidth, queue0 (the
>> default) seems to choke and services become unavailable from
>> the outside. I cut back queue1 by about 7 mbit/s and it has
>> cleared it up for the most part. Not completely though.
>> Here's what I think is the relevant info, let me know if you
>> need anything else:
>>
>> The box:
>> CPU: Intel(R) Pentium(R) 4 CPU 2.00GHz (1999.78-MHz 686-class CPU)
>> real memory = 1071906816 (1022 MB)
>> avail memory = 1039392768 (991 MB)
>> fxp0-6, only 0 and 1 are being used, the others are for future
>> projects, like pfsync, and some dmz type stuff.
>>
>> pf configuration:
>> set limit { states 100000, frags 5000 }
>> set loginterface $ext_if
>> set block-policy drop
>> all other options are default
>>
>> queue configuration:
>> altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
>> queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
>> queue queue1 bandwidth 12Mb qlimit 5000
>> The additional bandwidth that is not included in the queues
>> should be added to queue1 but when that is done, it causes
>> problems. At high traffic times, queue will use ALL of its
>> bandwidth and queue0 usually only uses 3-5megs.
>>
>> There is no nat or anything running on this firewall. Public
>> IP addresses outside and inside. I would rather not revert
>> to 4.x if possible but I can't have this machine unstable.
>>
>> Thanks,
>> Chris
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Yes, we do have a full 25meg full duplex pipe to the internet. There is no ACK prioritization because this was migrated from ipfw and dummynet and there was none with that setup either. Everything worked fine with that setup, we were just looking for some of the newer features, and unfortunately, we are close to going back to the old setup. As for the queuing method, I've read that cbq is more refined/reliable than hfsc right now. Anyway, why would ACK prioritization be necessary on the pf/altq setup vs the ipfw/dummynet setup?

Chris
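For reference, the ACK prioritisation Greg points to (the benzedrine.cx ackpri technique) applied to the cbq layout quoted in the thread. This is an added example, not a configuration from the thread or from either poster; the q_ack queue, its 1Mb sizing, the interface name fxp0 and the catch-all pass rules are assumptions.

```pf
# Added example: ACK prioritisation on top of the quoted cbq layout.
ext_if = "fxp0"    # assumed; the thread only says fxp0 and fxp1 are in use

# Same parent and two queues as quoted, plus a small high-priority queue
# for empty ACKs. cbq child bandwidths must not exceed the parent:
# 8 + 12 + 1 = 21Mb <= 25Mb, so pfctl accepts it. cbq priority runs 0-7.
altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1, q_ack }
queue queue0 bandwidth 8Mb  priority 4 qlimit 150 cbq(default, borrow)
queue queue1 bandwidth 12Mb qlimit 5000
queue q_ack  bandwidth 1Mb  priority 7 cbq(borrow)   # assumed size/name

# queue (a, b): payload-carrying packets go to a; TCP ACKs with no payload
# and packets with the lowdelay TOS bit go to b, so a saturated queue1
# can no longer starve the ACKs that keep the reverse direction flowing.
# The queue is recorded in the state, so an inbound rule's queue is used
# for the reply packets that leave on $ext_if.
pass in  on $ext_if proto tcp from any to any flags S/SA keep state queue (queue0, q_ack)
pass out on $ext_if proto tcp from any to any flags S/SA keep state queue (queue0, q_ack)
```

Check queue assignment with `pfctl -vvs queue`; under load q_ack should show a steady packet count while queue1 is full.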