Really odd problem here: I've set up a fairly simple firewall utilizing dual DGE-530T gigabit cards, isolating a windows rack from the rest of campus. Note that testing the speed from a 100Mb linux host in the same office (plugged into the same router as the firewall but of course outside the firewall's control) shows a better than expected speed (94.2Mb/sec) connecting to the same test server (100Mb) across campus.

First the Iperf (again note this is connecting to a 100Mb host) results with both the linux host and the openbsd firewall running 2.0.2 (final note: this speed is the same when the openbsd system is connected to a 1Gb host as well)

(linux host running iperf -s)
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[ 4] local x port 5001 connected with y port 36002
[ 4] 0.0-10.1 sec 20.8 MBytes 17.3 Mbits/sec

(openbsd host running iperf -s)
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[ 6] local y port 5001 connected with x port 34081
[ 6] 0.0-10.1 sec 20.8 MBytes 17.3 Mbits/sec

Dmesg (yes, there's only 512M of ram, will upgrade it to 1G if needed, but considering a top shows Free: 424M I don't think that's the problem):

OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF
real mem = 535871488 (523312K)
avail mem = 481947648 (470652K)
using 4278 buffers containing 26898432 bytes (26268K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 04/28/03, BIOS32 rev. 0 @ 0xffe90
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfeae0/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801BA LPC" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc0000/0xc000 0xe0000/0x1800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82845G/GL" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82845G/GL/GV/GE/PE AGP" rev 0x01
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Radeon 7500 QW" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x01: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x01: irq 9
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x01: irq 3
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb1 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x81
pci2 at ppb1 bus 2
skc0 at pci2 dev 9 function 0 "D-Link Systems DGE-530T" rev 0x11, Marvell Yukon (0x1): irq 9
sk0 at skc0 port A, address 00:0d:88:70:c1:f7
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3
skc1 at pci2 dev 10 function 0 "D-Link Systems DGE-530T" rev 0x11, Marvell Yukon (0x1): irq 10
sk1 at skc1 port A, address 00:0f:3d:f4:8d:ce
eephy1 at sk1 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3
ichpcib0 at pci0 dev 31 function 0 "Intel 82801DB LPC" rev 0x01
pciide0 at pci0 dev 31 function 1 "Intel 82801DB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <WDC WD400BB-75JHA0>
wd0: 16-sector PIO, LBA, 38146MB, 78125000 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <Lite-On, LTN486S 48x Max, YDS6> SCSI0 5/cdrom removable
atapiscsi1 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi1: 2 targets
cd1 at scsibus1 targ 0 lun 0: <HL-DT-ST, CD-RW GCE-8481B, C102> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
cd1(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 "Intel 82801DB SMBus" rev 0x01: irq 11
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 "Intel 82801DB AC97" rev 0x01: irq 11, ICH4 AC97
ac97: codec id 0x41445374 (Analog Devices AD1981B)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ff6d netmask ff6d ttymask ffef
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

Netstat -m results during the iperf session:

519 mbufs in use:
        513 mbufs allocated to data
        1 mbuf allocated to packet headers
        5 mbufs allocated to socket names and addresses
0/42/6144 mbuf clusters in use (current/peak/max)
252 Kbytes allocated to network (51% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

Ifconfig -a results:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:88:70:c1:f7
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,flag0,flag1)
        status: active
        inet Y netmask 0xffffff80 broadcast Y.255
        inet6 fe80::20d:88ff:fe70:c1f7%sk0 prefixlen 64 scopeid 0x1
sk1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0f:3d:f4:8d:ce
        media: Ethernet autoselect (1000baseT full-duplex,flag0,flag1)
        status: active
        inet6 fe80::20f:3dff:fef4:8dce%sk1 prefixlen 64 scopeid 0x2
        inet 192.168.144.1 netmask 0xffffff00 broadcast 255.255.255.0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536

The rather simple pf.conf file (slightly modified):

internal_net="192.168.144.0/24"
sk1_ip4addr="192.168.144.1"
sk1_tcpports="any"
sk0_tcpports="any"
int_if="sk1"
ext_if="sk0"
set block-policy return #"I don't appear to be running a firewall"
nat on sk0 from $internal_net to !$internal_net -> sk0
#redirecting vnc to the boxes below:
rdr on sk0 proto tcp from any to any port 5900 -> 192.168.144.3 port 5900
rdr on sk0 proto tcp from any to any port 5901 -> 192.168.144.4 port 5900
rdr on sk0 proto tcp from any to any port 5902 -> 192.168.144.40 port 5900
rdr on sk0 proto tcp from any to any port 5903 -> 192.168.144.41 port 5900
rdr on sk0 proto tcp from any to any port 5904 -> 192.168.144.42 port 5900
rdr on sk0 proto tcp from any to any port 5905 -> 192.168.144.43 port 5900
rdr on sk0 proto tcp from any to any port 5906 -> 192.168.144.44 port 5900
rdr on sk0 proto tcp from any to any port 5907 -> 192.168.144.45 port 5900
rdr on sk0 proto tcp from any to any port 5908 -> 192.168.144.46 port 5900
rdr on sk0 proto tcp from any to any port 5909 -> 192.168.144.47 port 5900
pass out on sk0 all keep state
pass in on sk1 all keep state
pass out on sk1 all keep state
pass in on sk0 all keep state
pass out quick on sk0 from any to {samba server} keep state
pass out quick on sk0 from any to {windows fileservers} keep state
pass out quick on sk1 from any to {windows fileservers, redundant} keep state
pass out quick on sk0 from any to {another box that traffic to needs to not be filtered} keep state
pass out quick on sk1 from any to {same box as above} keep state

Thanks for any help,
Ben