Hello,

I use a FreeBSD box as a firewall with NAT (ipfw + natd).
When I upgraded the box from 4.8-20030810-STABLE to 6.0-RELEASE,
I noticed a performance degradation.

I have only one workstation behind the firewall, and the throughput
when downloading an ISO image through the firewall with 6.0-RELEASE
booted is only 24Mbps. (When I reboot the machine into the 4.8-20030810-STABLE
installation, the throughput is 80Mbps.) The firewall_type was "open"
during the download:

# ipfw show
00050 105842 106637407 divert 8668 ip from any to any via xl0
00100      0         0 allow ip from any to any via lo0
00200      0         0 deny ip from any to 127.0.0.0/8
00300      0         0 deny ip from 127.0.0.0/8 to any
65000 211701 213100988 allow ip from any to any
65535     11       665 deny ip from any to any


The "top" utility shows 100% CPU load:
-------------------------------------

last pid:   771;  load averages:  0.25,  0.06,  0.02    up 0+00:24:30  14:08:32
27 processes:  2 running, 25 sleeping
CPU states:  8.8% user,  0.0% nice, 59.6% system, 31.6% interrupt,  0.0% idle
Mem: 16M Active, 4752K Inact, 11M Wired, 8144K Buf, 22M Free
Swap: 500M Total, 500M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
  229 root        1 105    0  1428K   904K RUN      0:35 40.82% natd
  680 plk         1  96    0  6076K  3112K select   0:01  0.00% sshd
  688 plk         1  96    0  2100K  1804K select   0:01  0.00% screen
  739 root        1  20    0  4420K  2868K pause    0:00  0.00% tcsh
  760 root        1   5    0  4416K  2856K ttyin    0:00  0.00% tcsh
  694 plk         1  20    0  4416K  2856K pause    0:00  0.00% tcsh
  478 root        1  96    0  1328K   904K select   0:00  0.00% syslogd
  677 root        1   4    0  6100K  3100K sbwait   0:00  0.00% sshd
  690 plk         1  20    0  4916K  3504K pause    0:00  0.00% tcsh
  681 plk         1  20    0  3984K  2584K pause    0:00  0.00% tcsh
  767 plk         1  20    0  4088K  2688K pause    0:00  0.00% tcsh
  598 root        1  96    0  3416K  2692K select   0:00  0.00% sendmail
  751 root        1   5    0  1632K  1320K ttyin    0:00  0.00% less
  771 plk         1  96    0  2268K  1544K RUN      0:00  0.00% top
  685 plk         1  20    0  1928K  1512K pause    0:00  0.00% screen
  614 root        1   8    0  1312K  1032K nanslp   0:00  0.00% cron
  668 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  665 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  671 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  664 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  667 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  666 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  669 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  670 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  592 root        1  96    0  3352K  2500K select   0:00  0.00% sshd
  602 smmsp       1  20    0  3296K  2724K pause    0:00  0.00% sendmail
  449 root        1 111    0   500K   352K select   0:00  0.00% devd



The HW is:
----------
 CPU: Pentium II Celeron 400MHz
 RAM: 64MB
 NIC: 2x 3Com905B

Kernel config:
--------------
machine         i386
cpu             I586_CPU
cpu             I686_CPU
ident           FW
maxusers        64

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         HZ=100
options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         NFSCLIENT               # Network Filesystem Client
options         NFSSERVER               # Network Filesystem Server
options         NFS_ROOT                # NFS usable as /, requires NFSCLIENT
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_GPT                # GUID Partition Tables.
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~128k to driver.
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~215k to driver.
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.

options         MROUTING                # Multicast routing
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #print information about dropped packets
options         IPFIREWALL_FORWARD      #enable transparent proxy support
options         IPFIREWALL_FORWARD_EXTENDED     #all packet dest changes
options         IPSTEALTH               #support for stealth forwarding
options         IPDIVERT                #divert sockets
options         TCPDEBUG
options         DUMMYNET
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
options         INCLUDE_CONFIG_FILE     # Include this file in kernel
options         IPSEC                   #IP security
options         IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
options         IPSEC_DEBUG             #debug for IP security

# Devices
device          apic                    # I/O APIC

...

(I'll send the whole config if it is needed.)

When I change the IP addresses on the inside interface from private to public
and disable NAT, the throughput is again 80Mbps.

Can somebody advise me whether this is a configuration problem,
or whether the requirements of the FreeBSD 6.0 kernel have increased and the HW
of my firewall is no longer enough?


Thanks,
Bohus Plucinsky
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
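As an added example (not from the original post), a small sh/awk helper that turns two `ipfw show` samples taken a known number of seconds apart into per-rule throughput, so the 24Mbps figure can be checked from the rule counters on the firewall itself rather than from the client download; the two snapshots in demo() are constructed from the counters shown above, assuming the divert rule advanced by 30 MB in 10 seconds.

```shell
#!/bin/sh
# Per-rule throughput from two `ipfw show` snapshots taken INTERVAL seconds
# apart.  `ipfw show` prints: <rule> <packets> <bytes> <action ...>
# Usage: ipfw_rate SNAP1 SNAP2 INTERVAL   (SNAP* are files holding the output)
ipfw_rate() {
    awk -v secs="$3" '
        NR == FNR { pkts[$1] = $2; bytes[$1] = $3; next }   # first snapshot
        {
            if (!($1 in bytes)) next          # rule added between the samples
            dp = $2 - pkts[$1]; db = $3 - bytes[$1]
            if (dp < 0 || db < 0) next        # counters zeroed between the samples
            rule = $1; $1 = $2 = $3 = ""; sub(/^ +/, "")
            printf "%s %.2f Mbps %d pkt/s %s\n", rule, db * 8 / secs / 1000000, dp / secs, $0
        }' "$1" "$2"
}

# Demo on constructed snapshots (assumption: the divert rule from the post
# advanced by 30 MB / 20000 packets in 10 s, i.e. the 24 Mbps reported there).
# Note that rule 65000 counts every forwarded packet twice, once on each
# interface, which is why its counters are about double those of rule 00050.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
00050 105842 106637407 divert 8668 ip from any to any via xl0
00100      0         0 allow ip from any to any via lo0
65000 211701 213100988 allow ip from any to any
65535     11       665 deny ip from any to any
EOF
    cat > "$dir/after" <<'EOF'
00050 125842 136637407 divert 8668 ip from any to any via xl0
00100      0         0 allow ip from any to any via lo0
65000 251701 273100988 allow ip from any to any
65535     11       665 deny ip from any to any
EOF
    ipfw_rate "$dir/before" "$dir/after" 10
    rm -rf "$dir"
}
```

On a live box the two snapshots would be `ipfw show > before; sleep 10; ipfw show > after`, run while the download is in progress.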