Hi,

I just upgraded my home firewall/router from 4.1 to a current snapshot from 
9th January. I also changed the NIC which is connected to my core switch from 
fxp to em and upgraded the memory from 128Mb to 256Mb.
With PF disabled I can route about 40Mbyte/s (sorry, don't have pps but the 
traffic should mostly be large packets) and the system still responds very 
well. (To get some numbers I just pinged the machine...):

PING 10.1.0.254 (10.1.0.254) 56(84) bytes of data.
64 bytes from 10.1.0.254: icmp_seq=1 ttl=255 time=2.39 ms
64 bytes from 10.1.0.254: icmp_seq=2 ttl=255 time=0.078 ms
64 bytes from 10.1.0.254: icmp_seq=3 ttl=255 time=0.077 ms
64 bytes from 10.1.0.254: icmp_seq=4 ttl=255 time=0.258 ms
64 bytes from 10.1.0.254: icmp_seq=5 ttl=255 time=1.63 ms
64 bytes from 10.1.0.254: icmp_seq=6 ttl=255 time=2.03 ms
64 bytes from 10.1.0.254: icmp_seq=7 ttl=255 time=1.87 ms
64 bytes from 10.1.0.254: icmp_seq=8 ttl=255 time=0.954 ms
64 bytes from 10.1.0.254: icmp_seq=9 ttl=255 time=2.65 ms
64 bytes from 10.1.0.254: icmp_seq=10 ttl=255 time=0.315 ms

--- 10.1.0.254 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9007ms
rtt min/avg/max/mdev = 0.077/1.228/2.657/0.955 ms

With pf enabled and a very short ruleset (see pf.conf below) the system 
doesn't respond to many of the DNS queries (bind9 is also enabled on this 
system) and the throughput is decreased to about 10Mbyte/s with the same kind 
of traffic as above. See my stupid ping test:

PING 10.1.0.254 56(84) bytes of data.
64 bytes from 10.1.0.254: icmp_seq=2 ttl=255 time=5.39 ms
64 bytes from 10.1.0.254: icmp_seq=3 ttl=255 time=0.206 ms
64 bytes from 10.1.0.254: icmp_seq=4 ttl=255 time=9.87 ms
64 bytes from 10.1.0.254: icmp_seq=5 ttl=255 time=1.35 ms
64 bytes from 10.1.0.254: icmp_seq=6 ttl=255 time=10.1 ms
64 bytes from 10.1.0.254: icmp_seq=7 ttl=255 time=1.47 ms
64 bytes from 10.1.0.254: icmp_seq=8 ttl=255 time=11.1 ms
64 bytes from 10.1.0.254: icmp_seq=9 ttl=255 time=11.8 ms
64 bytes from 10.1.0.254: icmp_seq=10 ttl=255 time=12.1 ms
64 bytes from 10.1.0.254: icmp_seq=11 ttl=255 time=11.7 ms
64 bytes from 10.1.0.254: icmp_seq=12 ttl=255 time=12.7 ms
64 bytes from 10.1.0.254: icmp_seq=13 ttl=255 time=11.3 ms
64 bytes from 10.1.0.254: icmp_seq=14 ttl=255 time=14.0 ms
64 bytes from 10.1.0.254: icmp_seq=15 ttl=255 time=12.2 ms
64 bytes from 10.1.0.254: icmp_seq=16 ttl=255 time=11.7 ms
64 bytes from 10.1.0.254: icmp_seq=17 ttl=255 time=14.7 ms
64 bytes from 10.1.0.254: icmp_seq=18 ttl=255 time=11.1 ms
64 bytes from 10.1.0.254: icmp_seq=19 ttl=255 time=3.01 ms

--- 10.1.0.254 ping statistics ---
19 packets transmitted, 18 received, 5% packet loss, time 18026ms
rtt min/avg/max/mdev = 0.206/9.239/14.713/4.549 ms

With OpenBSD 4.1 and an fxp NIC instead of the em one the system was able to 
handle full 12Mbyte/s with a pretty complex pf.conf (more than 200 lines).
The system is an old Compaq Deskpro EN with a P3/500 and 256Mb of ram.


pf.conf (already played with scrub, skip and pass with no success...)
---------
ext_if="pppoe0"
set skip on lo
set skip on em0
#scrub in
scrub out on pppoe0 max-mss 1440 no-df random-id fragment reassemble
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on fxp0 from any to 10.1.0.253 -> 10.1.0.254
rdr pass on vlan10 proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
#block in on pppoe0
#pass out

Is there anything I can tune in pf?
Should I provide a dmesg?

-- 
Thanks
Chris
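Before tuning anything in pf it helps to look at what pf itself reports about the load: `pfctl -si` shows the state table rates and the global counters (state-limit, memory, congestion, fragment, normalize and so on), and a non-zero value there is the first thing to explain. The script below is an added example, not part of the original message or of OpenBSD; it parses a saved `pfctl -si` report with awk and pulls out the numbers worth reading. The report text embedded in SAMPLE is constructed sample output, and the column layout (name, Total, Rate) is assumed to match what `pfctl -si` printed on releases of that era.

```sh
#!/bin/sh
# Added example: summarise a saved `pfctl -si` report before changing rules.
# SAMPLE is constructed output, not taken from the poster's machine; run
# `pfctl -si > /tmp/pf.txt` and pass "$(cat /tmp/pf.txt)" instead for real data.

SAMPLE='Status: Enabled for 0 days 00:10:00           Debug: Urgent

State Table                          Total             Rate
  current entries                       42
  searches                          123456          205.8/s
  inserts                             1200            2.0/s
  removals                            1158            1.9/s
Counters
  match                               2400            4.0/s
  bad-offset                             0            0.0/s
  fragment                              17            0.0/s
  short                                  0            0.0/s
  normalize                              3            0.0/s
  memory                               128            0.2/s
  bad-timestamp                          0            0.0/s
  congestion                            55            0.1/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s'

# Total column of one named line, e.g. "searches" or "memory".
# $1 = pfctl -si text, $2 = line name.
pf_total() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2; exit }'
}

# State-table search rate (per second), taken from the Rate column.
pf_search_rate() {
    printf '%s\n' "$1" | awk '$1 == "searches" { sub(/\/s$/, "", $3); print $3; exit }'
}

# Every counter under the "Counters" heading whose total is non-zero,
# printed as name=total, one per line. "match" is normal; the rest
# (fragment, normalize, memory, congestion, state-limit, ...) are packets
# pf had to do extra work on or dropped, and each should be explained
# before the ruleset is changed.
pf_nonzero_counters() {
    printf '%s\n' "$1" | awk '
        /^Counters/ { in_counters = 1; next }
        in_counters && NF >= 2 && $2 ~ /^[0-9]+$/ && $2 > 0 { printf "%s=%s\n", $1, $2 }
    '
}

# Stand-alone run: short report on the constructed sample.
echo "state searches/s: $(pf_search_rate "$SAMPLE")"
echo "current states:   $(pf_total "$SAMPLE" current)"
echo "non-zero counters:"
pf_nonzero_counters "$SAMPLE" | sed 's/^/  /'
```

Take two snapshots a minute apart under the 10Mbyte/s load and compare the totals; a counter that keeps climbing (memory or congestion in particular, on a 256MB P3) points at a resource problem rather than at rule evaluation, and `pfctl -vvsr` then shows per-rule evaluation and packet counts for the rules that remain.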
