From: Mark Felder
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD 10-R, Xen 4.1 guest, pf/NAT performance question
Date: Mon, 7 Apr 2014 09:10:55 -0500
Message-Id: <6876ba1714363dcbbdaf6b23f294fa2a@mail.feld.me>

On 2014-04-07 07:57, seanrees@gmail.com wrote:
> Hi there freebsd-questions,
>
> I've been batting my head against this problem for a few days now and not
> having much progress, so I'm hoping to get pointers at what to look at next.
>
> I've got a FreeBSD 10-R guest in Xen 4.1 (I am just a customer of the Xen
> provider; I don't run the Xen hypervisor myself). I use this instance to
> terminate a VPN, for which I also NAT VPN clients with PF. I am seeing
> unusually slow packet forwarding performance: 0.5mbit internet -> vpn
> client, 2.0 mbit vpn client -> internet. (the numbers should be closer to
> 10mbit/5mbit).
>
> This guest is a duplicate of another Xen instance I have in another data
> centre. I manage the configurations and packages centrally and aside from
> IP address differences, the machines are configured identically. The
> differences: it's 30ms closer to me and runs in Xen 3.4. I see performance
> from this machine in the 10mbps range.
>
> I've eliminated the obvious:
> - The problem VPS is fine network wise; can download tarballs from the
>   Internet at 100mbps.
> - VPS -> Home is fine; can download at ~10mbps; the problem is isolated
>   to forwarding Home -> VPS -> Internet and back.
> - I excluded OpenVPN as the cause by replicating the setup with ssh -w;
>   same performance.
> - SSH port forwarding (ssh -L) is fast; indicating to me the issue is
>   somewhere in the PF/kernel.
> - I checked TCP options by capturing traffic at varying points; these
>   seem fine. I see a good deal of TCP retransmits but the window sizes stay
>   the same.
>
> Any thoughts on what to check next?
>

Have you turned off TSO?

ifconfig xn0 -tso

or

sysctl net.inet.tcp.tso=0