When doing a bulk update pfsync only generates 100 packets a second. Each packet will be filled with as many full state update messages as possible.

Unfortunately the full state update message is about 264 bytes, so you can only fit 5 in a packet. That means 5 * 100 or 500 messages a second, which means 60000 / 500 seconds, i.e., a minimum of 2 minutes. To make this worse, pfsync won't make a new packet for bulk updates; it will fill a packet every 100th of a second. If the master has pending updates to send, you'll fit even fewer full update messages in a frame. If the master is reasonably busy you'll always have pending updates.

I do this on my firewalls sometimes:

root@passive ~# ssh master pfctl -S /dev/stdout | pfctl -L /dev/stdin

It's a bit faster...

dlg

On 05/05/2011, at 1:23 AM, Kapetanakis Giannis wrote:

> Hi,
>
> I'd like to ask if it's normal for pfsync bulk transfer to take 5-15
> minutes to end for 60k states.
>
> pfsync is on a dedicated gigabit interface on both firewalls.
>
> May 4 17:59:35 fw1 /bsd: carp: pfsync0 demoted group carp by 1 to 131
> (pfsync bulk start)
> May 4 17:59:35 fw1 /bsd: carp: pfsync0 demoted group pfsync by 1 to 1
> (pfsync bulk start)
> May 4 18:13:47 fw1 /bsd: carp: pfsync0 demoted group carp by -1 to 0
> (pfsync bulk done)
> May 4 18:13:47 fw1 /bsd: carp: pfsync0 demoted group pfsync by -1 to 0
> (pfsync bulk done)
>
> Stats on this interface show 967 pkts/sec 1421128 bytes/sec
> Iperf gives me 850Mbps from fw2 to fw1
>
> fw1 is -current, fw2 is 4.9 -stable (kudos for another excellent release!)
>
> regards,
>
> Giannis
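The arithmetic in dlg's reply (100 bulk packets a second, about 264 bytes per full state message, 5 per packet, so a 60k-state bulk transfer needs at least 120 seconds) carried a little further, as an added example that is not part of this thread and not pfsync's own code. It goes beyond the reply in two ways: it models the space that pending non-bulk updates take out of each frame, which is dlg's explanation for why a busy master is slower than the floor, and it measures the bulk window from the "pfsync bulk start"/"pfsync bulk done" syslog lines so the floor can be compared with what fw1 actually logged. The 1500-byte MTU and the 20 + 8 bytes of IP and pfsync header overhead are assumptions (the reply only says 5 messages fit); the sample log lines are the ones Giannis posted, re-joined onto single lines.

```python
import re

# Assumed framing constants (not stated in the thread): a 1500-byte Ethernet MTU,
# 20 bytes of IPv4 header and 8 bytes of pfsync header. dlg only states that
# about 5 x 264-byte messages fit in a packet; any overhead below ~180 bytes
# reproduces that figure.
MTU = 1500
IP_HEADER = 20
PFSYNC_HEADER = 8            # assumed
STATE_MSG_BYTES = 264        # "about 264 bytes", from the reply
BULK_PACKETS_PER_SEC = 100   # from the reply


def bulk_messages_per_packet(mtu=MTU, msg_bytes=STATE_MSG_BYTES, pending_bytes=0):
    """Full state update messages that fit in one bulk packet.

    pending_bytes models the space already taken by ordinary (non-bulk)
    updates queued on a busy master; the reply's point is that they eat
    into the frame and reduce how many bulk messages ride along.
    """
    payload = mtu - IP_HEADER - PFSYNC_HEADER - pending_bytes
    if payload < msg_bytes:
        return 0
    return payload // msg_bytes


def bulk_time_seconds(states, pending_bytes=0, pps=BULK_PACKETS_PER_SEC):
    """Lower bound on bulk transfer time for `states` entries at `pps` packets/s."""
    per_packet = bulk_messages_per_packet(pending_bytes=pending_bytes)
    if per_packet == 0:
        return float("inf")
    return states / (per_packet * pps)


# Syslog prefix: "Mon  D HH:MM:SS host ..." (one or two spaces before the day).
_TS = re.compile(r"^\w{3}\s+\d{1,2}\s+(\d{2}):(\d{2}):(\d{2})\s+")


def _seconds_of_day(line):
    m = _TS.match(line)
    if not m:
        raise ValueError("no syslog timestamp: " + line)
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def observed_bulk_seconds(log_lines):
    """Seconds between the first 'pfsync bulk start' and the next
    'pfsync bulk done' in a sequence of syslog lines (same day, or a
    single midnight wrap)."""
    start = None
    for line in log_lines:
        if "pfsync bulk start" in line and start is None:
            start = _seconds_of_day(line)
        elif "pfsync bulk done" in line and start is not None:
            delta = _seconds_of_day(line) - start
            return delta + 86400 if delta < 0 else delta
    raise ValueError("bulk start/done pair not found")


# Constructed input: the lines Giannis posted, re-joined as syslog writes them.
SAMPLE_LOG = [
    "May  4 17:59:35 fw1 /bsd: carp: pfsync0 demoted group carp by 1 to 131 (pfsync bulk start)",
    "May  4 17:59:35 fw1 /bsd: carp: pfsync0 demoted group pfsync by 1 to 1 (pfsync bulk start)",
    "May  4 18:13:47 fw1 /bsd: carp: pfsync0 demoted group carp by -1 to 0 (pfsync bulk done)",
    "May  4 18:13:47 fw1 /bsd: carp: pfsync0 demoted group pfsync by -1 to 0 (pfsync bulk done)",
]


if __name__ == "__main__":
    print("messages per bulk packet, idle master:", bulk_messages_per_packet())
    print("floor for 60k states, idle master: %.0f s" % bulk_time_seconds(60000))
    print("floor with 300 B of pending updates per packet: %.0f s"
          % bulk_time_seconds(60000, pending_bytes=300))
    print("observed bulk window in the fw1 log: %d s" % observed_bulk_seconds(SAMPLE_LOG))
```

Run it and the idle-master floor (120 s) sits next to the window fw1 actually logged (852 s), which is the comparison to make before blaming the link: the gigabit interface and the iperf result say nothing about the 100-packets-a-second pacing, and the `pending_bytes` knob shows how quickly the per-packet count drops as the master gets busier.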