Just a guess but...any chance you have BCM NICs? 7. nov. 2014 00:09 skrev "Adam Thompson" <[email protected]> følgende:
> Well, that would definitely cause a problem if it were the case, but... > 1) TCP window size != MTU, > 2) all switches and Router (but not pfSense) can both handle 9000-byte > frames anyway, > 3) MTU on server and client are both standard, at 1514, > 4) I can confirm no fragmentation is occurring. > > Still don't know why performance is so bad, though. > > -Adam > > > On November 6, 2014 4:58:35 PM CST, Sean <[email protected]> wrote: >> >> Not a TCP expert but the MTU is nearly always 1500 (or just under) hence >> your limit. Sending packets greater than the MTU will lead to >> fragmentation. Fragmentation leads to re-transmissions (depends on do not >> fragment bit?) and performance problems. Performance problems leads to >> frustration and anger. Anger leads to the dark side of the force. >> >> You can increase the MTU to like 9000 or something if you enable jumbo >> frames but you'd need to support it across the board (pfSense, routers, >> switches?, servers, etc.). It's a hassle probably not worth the effort in >> terms of gains. Some people do it as a means to increase iSCSI traffic >> performance but others say the throughput gain is dubious at best. I would >> make sure some doofus didn't enable jumbo frames on your NFS server and if >> so then turn it off and check the MTU setting in the network stack on the >> NFS server as well. >> >> I may not know what the hell i'm talking about though so someone else can >> feel free to jump in and tell me what an idiot I am. >> >> >> >> On Wed, Nov 5, 2014 at 6:47 PM, Adam Thompson <[email protected]> >> wrote: >> >>> Problem: really, really bad performance (<10Mbps) on both NFS (both tcp >>> and udp) and CIFS through pfSense. >>> >>> Proximate cause: running a packet capture on the Client shows one >>> smoking gun - the TCP window size on packets sent from the client is always >>> ~1444 bytes. Packets arriving from the server show a TCP window size of >>> ~32k. >>> >>> >>> The Network: >>> +------+ >>> |Router| >>> +--+---+ >>> | >>> --+----+----+-- >>> | | >>> +--+---+ +-------+ >>> |Client| |pfSense| >>> +------+ +--+----+ >>> | >>> --+---+-- >>> | >>> +--+---+ >>> |Server| >>> +------+ >>> >>> - Client and pfSense both have Router as default gateway. >>> - pfSense has custom outbound NAT rules preventing NAT between >>> Server subnet and Client subnet, but NAT'ing all other - outbound >>> connections. >>> - Router has static route pointing to Server subnet via pfSense. >>> >>> Hardware: >>> Router is an OpenBSD system (a CARP cluster, actually) running on >>> silly-overpowered hardware. >>> Client is actually multiple systems, ranging from laptops to >>> high-end servers. >>> Server is a Xeon E3-1230v3 running Linux, exporting a filesystem via >>> both NFS (v2, v3 & v4) and CIFS (samba). >>> pfSense is v2.1.5 (i386) on a dual P-III 1.1GHz, CPU usage typically >>> peaks at around 5%. >>> >>> >>> Performance on local Server subnet (i.e. from a same-subnet client) is >>> very good on all protocols, nearly saturating the gigabit link. >>> Traffic outbound from the server subnet to the internet (via Router) >>> moves at a decent pace, this firewall can typically handle ~400Mbps without >>> any trouble, IIRC synthetic benchmarks previously showed it can peak at >>> over 800Mbps. >>> >>> Based on the FUBAR TCP window sizes I've observed, I assume pfSense is >>> doing something to my TCP connections... but why are only the non-NAT'd >>> connections affected? I know there's an option to disable pf scrub, but >>> that's only supposed to affect NFSv3 (AFAIK), and this also affects >>> NFSv4-over-TCP and CIFS. >>> >>> -- >>> -Adam Thompson >>> [email protected] >>> >>> _______________________________________________ >>> List mailing list >>> [email protected] >>> https://lists.pfsense.org/mailman/listinfo/list >>> >> >> ------------------------------ >> >> List mailing list >> [email protected] >> https://lists.pfsense.org/mailman/listinfo/list >> >> > -- > Sent from my Android device with K-9 Mail. Please excuse my brevity. > > _______________________________________________ > List mailing list > [email protected] > https://lists.pfsense.org/mailman/listinfo/list >
_______________________________________________ List mailing list [email protected] https://lists.pfsense.org/mailman/listinfo/list
