Date: Thu, 12 May 2005 19:20:24 +0100
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: <freebsd-pf@freebsd.org>
Subject: RE: Pf in 4.11
Message-ID: <20050512182025.4E5BA2C@gw2.local.net>
In-Reply-To: <42838FA8.9080704@xecu.net>

I assume this is internet facing? If so, do you really have a 25 megabit
full duplex pipe to the net?

You don't appear to have implemented any form of ACK prioritisation,

http://www.benzedrine.cx/ackpri.html

It's not optional when running links flat out.

PRIQ/CBQ are not exactly precision instruments when it comes to packet
shaping, HFSC is better IMHO.

On a side note, I've recently rolled out a 3.4 GHz Xeon running 5.4 for a
customer and it iperfed under soak test @ ~800 megabits/sec through a pair
of em.

25 megabits wouldn't tax one of the P2-350s I have here as crash and burn
test servers.

Greg

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org
> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Christopher McGee
> Sent: 12 May 2005 18:17
> To: Richard Tector
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Pf in 4.11
>
> Richard Tector wrote:
>
> > Christopher McGee wrote:
> >
> >> The handbook states that pf is available through KAME in 4.11 and
> >> from my reading KAME is built into the system. How do you enable pf
> >> and altq on 4.x then? I have had trouble finding any how-to's on
> >> this since everything for pf points to 5.x. I just can't justify
> >> running 5.x on a production firewall though unless the performance
> >> greatly improves over 5.3.
> >
> > I can push over 300Mbit of sustained TCP traffic through a celeron 1.3
> > routing and firewalling with pf. It runs a 3 month old RELENG_5.
> > What sort of performance issues are you seeing that are stopping you
> > from moving to 5.x?
> >
> > Regards,
> >
> > Richard Tector
>
> When queue1 starts pushing its maximum bandwidth, queue0 (the
> default) seems to choke and services become unavailable from
> the outside. I cut back queue1 by about 7 mbit/s and it has
> cleared it up for the most part. Not completely though.
> Here's what I think is the relevant info, let me know if you
> need anything else:
>
> The box:
> CPU: Intel(R) Pentium(R) 4 CPU 2.00GHz (1999.78-MHz 686-class CPU)
> real memory = 1071906816 (1022 MB)
> avail memory = 1039392768 (991 MB)
> fxp0-6, only 0 and 1 are being used, the others are for future
> projects, like pfsync, and some dmz type stuff.
>
> pf configuration:
> set limit { states 100000, frags 5000 }
> set loginterface $ext_if
> set block-policy drop
> all other options are default
>
> queue configuration:
> altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
> queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
> queue queue1 bandwidth 12Mb qlimit 5000
> the additional bandwidth that is not included in the queues
> should be added to queue1 but when that is done, it causes
> problems. At high traffic times, queue will use ALL of its
> bandwidth and queue0 usually only uses 3-5megs.
>
> There is no nat or anything running on this firewall. Public
> IP addresses outside and inside. I would rather not revert
> to 4.x if possible but I can't have this machine unstable.
>
> Thanks,
> Chris
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
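
An added example, not part of the original thread or of either poster's ruleset: the CBQ queues quoted above with the ACK prioritisation the reply refers to, using pf's two-queue "queue (a, b)" form. The interface name, the bulk_net macro and its address, the q_ack queue and its 2Mb share are assumptions made for illustration.

```conf
# Added example (assumptions marked); not the poster's actual pf.conf.
ext_if   = "fxp0"            # assumption: the thread does not say which fxp is external
bulk_net = "192.0.2.0/24"    # placeholder (documentation range) for the hosts that fill queue1

# Same 25Mb CBQ parent and the two queues from the thread, plus one small
# high-priority queue reserved for empty TCP ACKs and TOS lowdelay packets.
altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1, q_ack }
queue queue0 bandwidth 8Mb  priority 4 qlimit 150 cbq(default, borrow)
queue queue1 bandwidth 12Mb qlimit 5000
queue q_ack  bandwidth 2Mb  priority 7 cbq(borrow)   # hypothetical name and size

# pf uses the last matching rule, so the general rule comes first and the
# bulk rule after it. When two queue names are given, packets with TOS
# lowdelay and TCP ACKs with no data payload go to the second queue and
# everything else goes to the first.
pass out on $ext_if proto tcp from any to any \
    flags S/SA keep state queue (queue0, q_ack)
pass out on $ext_if proto tcp from $bulk_net to any \
    flags S/SA keep state queue (queue1, q_ack)
```

Running pfctl -nf /etc/pf.conf parses the ruleset without loading it, and pfctl -vvs queue shows per-queue packet and drop counters, which confirms whether ACKs are landing in q_ack while queue1 is saturated.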