From owner-freebsd-performance@FreeBSD.ORG  Mon Jul 30 08:21:08 2007
Return-Path: <owner-freebsd-performance@FreeBSD.ORG>
Delivered-To: freebsd-performance@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 23F2616A41A
	for <freebsd-performance@freebsd.org>;
	Mon, 30 Jul 2007 08:21:08 +0000 (UTC)
	(envelope-from patpro@patpro.net)
Received: from smtp1-g19.free.fr (smtp1-g19.free.fr [212.27.42.27])
	by mx1.freebsd.org (Postfix) with ESMTP id BB70B13C468
	for <freebsd-performance@freebsd.org>;
	Mon, 30 Jul 2007 08:21:07 +0000 (UTC)
	(envelope-from patpro@patpro.net)
Received: from smtp1-g19.free.fr (localhost.localdomain [127.0.0.1])
	by smtp1-g19.free.fr (Postfix) with ESMTP id D5A0B1AB2FE
	for <freebsd-performance@freebsd.org>;
	Mon, 30 Jul 2007 10:21:06 +0200 (CEST)
Received: from boleskine.patpro.net (boleskine.patpro.net [82.235.12.223])
	by smtp1-g19.free.fr (Postfix) with ESMTP id B2EB21AB2E7
	for <freebsd-performance@freebsd.org>;
	Mon, 30 Jul 2007 10:21:06 +0200 (CEST)
Received: from [192.168.0.2] (unknown [192.168.0.2])
	by boleskine.patpro.net (Postfix) with ESMTP id 5261F1CC5C
	for <freebsd-performance@freebsd.org>;
	Mon, 30 Jul 2007 10:20:57 +0200 (CEST)
Resent-Message-Id: <BE6EC6D0-53C0-44E7-ADF4-7A19C5A70415@patpro.net>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Resent-Date: Mon, 30 Jul 2007 10:21:05 +0200
Message-Id: <F36A5298-D761-4D71-9EC7-1A77D004DB86@patpro.net>
Content-Transfer-Encoding: 7bit
Resent-To: freebsd-performance@freebsd.org
From: Patrick Proniewski <patpro@patpro.net>
Resent-From: Patrick Proniewski <patpro@patpro.net>
Date: Mon, 30 Jul 2007 09:56:02 +0200
To: freebsd-performance@freebsd.org
X-Mailer: Apple Mail (2.752.2)
Subject: DSL/ethernet network perf problem with pf
X-BeenThere: freebsd-performance@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Performance/tuning <freebsd-performance.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-performance>,
	<mailto:freebsd-performance-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-performance>
List-Post: <mailto:freebsd-performance@freebsd.org>
List-Help: <mailto:freebsd-performance-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-performance>,
	<mailto:freebsd-performance-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2007 08:21:08 -0000

Hello,

I'm running a FreeBSD 6.2 on a Tyan motherboard. The board has 3  
ethernet ports (fpx0, em0, em1). It uses `pf` to share/protect an  
internet access over xDSL plugged in fxp0 to 2 LANs on em0/1.
When pf is loaded, my transfert rate for a file on the internet  
reaches about 150-200 KB/s max, but I can download 2 or 3 files each  
at 120-150 KB/s at the same time.

If i disable pf (by unloading the kernel module), my transfert rate  
jumps to 650-700 KB/s

Here is my pf.conf :

# macros
int_if = "em0"
int_if_sec = "em1"
ext_if = "fxp0"
wif_if = "ath0"

tcp_services = "{ 22, 113, 80, 443, 25, 53, 554 }"
udp_services = "{ 53 }"
admin_tcp_services = "{ 311, 625, 5900, 5988 }"
admin_udp_services = "{ 3283 }"

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

# Tables: similar to macros, but more flexible for many addresses.
table <admin_nets> persist { --some ip's-- }
table <friends> persist { --some ip's-- }
table <spammers> persist file "/etc/pf.liste_ip_spamer"
table <sshscan> persist file "/etc/pf.liste_ip_ssh_scan"
table <webspam> persist file "/etc/pf.liste_ip_webspam"
table <openarena> persist { --some ip's-- }

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $int_if_sec:network to any -> ($ext_if)

# filter rules
block log all
block in log quick proto tcp from <spammers> to any port smtp
block in log quick proto tcp from <sshscan> to any port ssh
block in log quick proto tcp from <webspam> to any port http

pass quick on lo0 all

block drop in  log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) port  
$tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port  
$udp_services keep state

##### admin
pass in log on $ext_if inet proto tcp from { <admin_nets>,  
<friends> } to { ($ext_if), 192.168.0.2 } port $admin_tcp_services  
flags S/SA keep state
pass in log on $ext_if inet proto udp from { <admin_nets>,  
<friends> } to { ($ext_if), 192.168.0.2 } port $admin_udp_services  
keep state
##### friends
#pass in log on $ext_if inet proto tcp from <friends> to ($ext_if)  
flags S/SA keep state
#pass in log on $ext_if inet proto udp from <friends> to ($ext_if)  
keep state
##### OpenArena
pass in on $ext_if inet proto tcp from <openarena> to ($ext_if) port  
56789 flags S/SA keep state
pass in on $ext_if inet proto udp from <openarena> to ($ext_if) port  
56789 keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass in  on $int_if_sec from $int_if_sec:network to any keep state
pass out on $int_if_sec from any to $int_if_sec:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state


any idea how I can reach 650-700 KB/s with pf enabled ?
regards,

patpro