Problem: really, really bad performance (<10Mbps) on both NFS (both tcp and udp) and CIFS through pfSense.

Proximate cause: running a packet capture on the Client shows one smoking gun - the TCP window size on packets sent from the client is always ~1444 bytes. Packets arriving from the server show a TCP window size of ~32k.


The Network:
                    +------+
                    |Router|
                    +--+---+
                       |
                --+----+----+--
                  |         |
               +--+---+  +-------+
               |Client|  |pfSense|
               +------+  +--+----+
                            |
                          --+---+--
                                |
                             +--+---+
                             |Server|
                             +------+

    - Client and pfSense both have Router as default gateway.
    - pfSense has custom outbound NAT rules preventing NAT between Server subnet and Client subnet, but NAT'ing all other outbound connections.
    - Router has static route pointing to Server subnet via pfSense.

Hardware:
Router is an OpenBSD system (a CARP cluster, actually) running on silly-overpowered hardware. Client is actually multiple systems, ranging from laptops to high-end servers. Server is a Xeon E3-1230v3 running Linux, exporting a filesystem via both NFS (v2, v3 & v4) and CIFS (samba). pfSense is v2.1.5 (i386) on a dual P-III 1.1GHz, CPU usage typically peaks at around 5%.


Performance on local Server subnet (i.e. from a same-subnet client) is very good on all protocols, nearly saturating the gigabit link. Traffic outbound from the server subnet to the internet (via Router) moves at a decent pace; this firewall can typically handle ~400Mbps without any trouble, and IIRC synthetic benchmarks previously showed it can peak at over 800Mbps.

Based on the FUBAR TCP window sizes I've observed, I assume pfSense is doing something to my TCP connections... but why are only the non-NAT'd connections affected? I know there's an option to disable pf scrub, but that's only supposed to affect NFSv3 (AFAIK), and this also affects NFSv4-over-TCP and CIFS.

--
-Adam Thompson
 [email protected]
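
One way to compare the advertised windows in a capture like the one described above, added here as an example and not part of the original post: tcpdump text output prints the raw 16-bit window field, which is only comparable between directions after applying the shift count each side offered in its SYN (RFC 7323). The sample lines, the addresses and the function name `window_summary` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `tcpdump -nn -t` text lines; addresses and values are made up.
SAMPLE = """\
IP 192.0.2.10.50000 > 198.51.100.20.2049: Flags [S], seq 100, win 29200, options [mss 1460,nop,wscale 7], length 0
IP 198.51.100.20.2049 > 192.0.2.10.50000: Flags [S.], seq 900, ack 101, win 28960, options [mss 1460,nop,wscale 7], length 0
IP 192.0.2.10.50000 > 198.51.100.20.2049: Flags [.], ack 1, win 1444, length 0
IP 198.51.100.20.2049 > 192.0.2.10.50000: Flags [P.], seq 1:1449, ack 1, win 227, length 1448
IP 192.0.2.10.50000 > 198.51.100.20.2049: Flags [.], ack 1449, win 1440, length 0
"""

LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\].*?\bwin (\d+)")
WSCALE = re.compile(r"\bwscale (\d+)")

def window_summary(text):
    """Per direction: raw window fields, shift in effect, and scaled windows in bytes."""
    shifts = {}               # (src, dst) -> shift count offered in that side's SYN
    syn_seen = set()          # directions whose SYN or SYN-ACK is in the capture
    raw = defaultdict(list)   # (src, dst) -> raw window fields of non-SYN segments
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags, win = m.group(1), m.group(2), m.group(3), int(m.group(4))
        key = (src, dst)
        if "S" in flags:
            syn_seen.add(key)
            ws = WSCALE.search(line)
            shifts[key] = int(ws.group(1)) if ws else None
            continue          # the window field of a SYN segment is never scaled
        raw[key].append(win)
    out = {}
    for key, wins in raw.items():
        rev = (key[1], key[0])
        if key in syn_seen and rev in syn_seen:
            # Scaling is in effect only if both SYNs carried the option.
            both = shifts[key] is not None and shifts[rev] is not None
            shift = shifts[key] if both else 0
            eff = [w << shift for w in wins]
        else:
            shift, eff = None, None   # handshake not captured: true window unknown
        out[key] = {"raw": wins, "shift": shift, "effective": eff}
    return out

if __name__ == "__main__":
    for direction, info in window_summary(SAMPLE).items():
        print(direction, info)
```

A direction reported with `shift` and `effective` set to `None` means the capture started after the handshake, so the raw values alone do not give the real window.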
