Date: Mon, 30 Jul 2007 09:56:02 +0200
From: Patrick Proniewski <patpro@patpro.net>
To: freebsd-performance@freebsd.org
Subject: DSL/ethernet network perf problem with pf
Message-ID: <F36A5298-D761-4D71-9EC7-1A77D004DB86@patpro.net>
Resent-Message-ID: <BE6EC6D0-53C0-44E7-ADF4-7A19C5A70415@patpro.net>
Hello,

I'm running a FreeBSD 6.2 on a Tyan motherboard. The board has 3 ethernet ports (fxp0, em0, em1). It uses `pf` to share/protect an internet access over xDSL plugged in fxp0 to 2 LANs on em0/1.

When pf is loaded, my transfer rate for a file on the internet reaches about 150-200 KB/s max, but I can download 2 or 3 files each at 120-150 KB/s at the same time. If I disable pf (by unloading the kernel module), my transfer rate jumps to 650-700 KB/s.

Here is my pf.conf:

# macros
int_if = "em0"
int_if_sec = "em1"
ext_if = "fxp0"
wif_if = "ath0"
tcp_services = "{ 22, 113, 80, 443, 25, 53, 554 }"
udp_services = "{ 53 }"
admin_tcp_services = "{ 311, 625, 5900, 5988 }"
admin_udp_services = "{ 3283 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

# Tables: similar to macros, but more flexible for many addresses.
table <admin_nets> persist { --some ip's-- }
table <friends> persist { --some ip's-- }
table <spammers> persist file "/etc/pf.liste_ip_spamer"
table <sshscan> persist file "/etc/pf.liste_ip_ssh_scan"
table <webspam> persist file "/etc/pf.liste_ip_webspam"
table <openarena> persist { --some ip's-- }

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $int_if_sec:network to any -> ($ext_if)

# filter rules
block log all
block in log quick proto tcp from <spammers> to any port smtp
block in log quick proto tcp from <sshscan> to any port ssh
block in log quick proto tcp from <webspam> to any port http

pass quick on lo0 all

block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

##### admin
pass in log on $ext_if inet proto tcp from { <admin_nets>, <friends> } to { ($ext_if), 192.168.0.2 } port $admin_tcp_services flags S/SA keep state
pass in log on $ext_if inet proto udp from { <admin_nets>, <friends> } to { ($ext_if), 192.168.0.2 } port $admin_udp_services keep state

##### friends
#pass in log on $ext_if inet proto tcp from <friends> to ($ext_if) flags S/SA keep state
#pass in log on $ext_if inet proto udp from <friends> to ($ext_if) keep state

##### OpenArena
pass in on $ext_if inet proto tcp from <openarena> to ($ext_if) port 56789 flags S/SA keep state
pass in on $ext_if inet proto udp from <openarena> to ($ext_if) port 56789 keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass in on $int_if_sec from $int_if_sec:network to any keep state
pass out on $int_if_sec from any to $int_if_sec:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Any idea how I can reach 650-700 KB/s with pf enabled?

regards,
patpro