From owner-freebsd-pf@FreeBSD.ORG Thu Aug 13 23:10:22 2009
From: Chris Buechler
To: Tom Uffner
Cc: pf@freebsd.org
Date: Thu, 13 Aug 2009 18:44:40 -0400
Subject: Re: packet forwarding/firewall performance question
In-Reply-To: <4A8484E4.6090504@uffner.com>
References: <4A8484E4.6090504@uffner.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thu, Aug 13, 2009 at 5:25 PM, Tom Uffner wrote:
> I am curious what level of performance I should expect from the
> firewall box described below in terms of packets/sec and bytes/sec.
>
> it is an 800 MHz VIA c3 with a Gigabit switch on the inside interface
> and 20 Mbs symmetric Fios on the outside. both interfaces are 100 Mbs.
> it is running sshd, bsnmpd, sendmail (outbound only), bind9 (serving
> local domain info & queries from 5-15 machines on the LAN) and isc-dhcpd.
> it acts as a border firewall/router for a small LAN w/ 5 static external
> addresses & the rest NATed.
>

Keeping this on pf since you aren't running -current.

With what sounds like a nearly identical box, I've gotten 100 Mb wire
speed with 7.x-based pfSense versions, which should be virtually
identical to stock FreeBSD performance. I would expect 100 Mb wire speed
with CPU to spare, using out-of-the-box settings.

> so far in preliminary tests, enabling polling on the network interfaces
> reduces my performance slightly both to/from and through the box.

That's to be expected; the only benefit of polling is to prevent live
lock under extreme load. With only 100 Mb NICs I doubt if you could even
get into that scenario with an 800 MHz CPU.

> net.inet.ip.fastforwarding doesn't seem to make much difference either
> way but I haven't done very thorough testing of it.

I believe that has more impact with routing, and little or none when
firewalling/NATing.

> increasing
> net.inet.tcp.sendbuf_max & recvbuf_max may have helped, but again, not
> sufficiently tested.

I don't think that has any impact on traffic through the system; rather,
that's for traffic initiated by the system, but not completely sure.
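The original question asks what packets/sec and bytes/sec the box can push, and the reply frames the answer in terms of 100 Mb wire speed. The script below is an added example, not code from either poster: it turns two interface-counter snapshots into exactly those two rates (plus Mbit/s, so the number can be compared directly against the 100 Mb figure in the reply). The snapshot lines are constructed, the interface name vr0 is hypothetical, and the column layout assumed is that of `netstat -ibn` on FreeBSD 7.x (Name Mtu Network Address Ipkts Ierrs Ibytes Opkts Oerrs Obytes Coll); check the header line on your own release before trusting the field numbers.

```shell
#!/bin/sh
# Compute per-second packet and byte rates for one interface from two
# "netstat -ibn" snapshots taken SECONDS apart.  Added example; the
# sample snapshots below are constructed, not real measurements.

# Constructed sample: the <Link#> line for a hypothetical interface vr0,
# captured at t=0 and t=10 s.  Fields assumed (FreeBSD 7.x layout):
#   1 Name 2 Mtu 3 Network 4 Address 5 Ipkts 6 Ierrs 7 Ibytes
#   8 Opkts 9 Oerrs 10 Obytes 11 Coll
SNAP_T0='vr0   1500 <Link#1>      00:11:22:33:44:55  1000000     0  900000000   800000     0  700000000     0'
SNAP_T1='vr0   1500 <Link#1>      00:11:22:33:44:55  1150000     0 1020000000   920000     0  790000000     0'
INTERVAL=10

# extract_counters IFNAME SNAPSHOT
# Prints "Ipkts Ibytes Opkts Obytes" for the link-level line of IFNAME.
extract_counters() {
  printf '%s\n' "$2" |
    awk -v i="$1" '$1 == i && $3 ~ /^<Link#/ { print $5, $7, $8, $10 }'
}

# iface_rates IFNAME SNAP_BEFORE SNAP_AFTER SECONDS
# Prints "in_pps in_Bps in_Mbps out_pps out_Bps out_Mbps" on one line.
iface_rates() {
  ifname=$1; before=$2; after=$3; secs=$4

  set -- $(extract_counters "$ifname" "$before")
  ip0=$1; ib0=$2; op0=$3; ob0=$4
  set -- $(extract_counters "$ifname" "$after")
  ip1=$1; ib1=$2; op1=$3; ob1=$4

  # Rates are counter deltas over the interval; Mbit/s = bytes/s * 8 / 1e6.
  awk -v ip0="$ip0" -v ib0="$ib0" -v op0="$op0" -v ob0="$ob0" \
      -v ip1="$ip1" -v ib1="$ib1" -v op1="$op1" -v ob1="$ob1" \
      -v s="$secs" 'BEGIN {
        printf "%d %d %.1f %d %d %.1f\n",
          (ip1 - ip0) / s, (ib1 - ib0) / s, (ib1 - ib0) * 8 / s / 1e6,
          (op1 - op0) / s, (ob1 - ob0) / s, (ob1 - ob0) * 8 / s / 1e6
      }'
}

# Stand-alone run on the constructed snapshots.
echo "vr0 in_pps in_Bps in_Mbps out_pps out_Bps out_Mbps:"
iface_rates vr0 "$SNAP_T0" "$SNAP_T1" "$INTERVAL"
```

On a live FreeBSD box the same function works on real snapshots: capture `netstat -ibn` into one variable, `sleep 10`, capture it again, and pass both to iface_rates. Run it on the inside interface while pushing traffic through the box, so that the inbound figure reflects forwarded load rather than traffic terminated on the firewall itself; with the constructed numbers above the inbound side comes out at 96 Mbit/s, i.e. about the 100 Mb wire speed the reply mentions.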