Re: pf + ftp throughput

2006-06-18 Thread Darrin Chandler
On Fri, Jun 16, 2006 at 02:31:07PM -0500, J.D. Bronson wrote:
> for a trial, I am going to fire up a drive loaded with OpenBSD 3.9
> and PF and see if there is anything better/worse with the same pf.conf
> file.

I've been playing at home, trying to reproduce this behavior (sparc64,
OpenBSD). I haven't done so yet, but I don't have the best test cases. I
tried with a 12M file across the 'net, and what looked like the same
issue went away, so it was just fluctuations on the net. I tried the
same file from the firewall itself to a client, and times are virtually
identical. What I really need is two local clients going through the
firewall. If I get that going I'll let you know what I find.

FWIW, I Googled pretty heavily for this and didn't turn up much. I found
one mailing list message from years ago describing *exactly* the same
problem. Unfortunately I didn't see any followups or further problem
reports.

Are you also doing nat/rdr on this box? Have you run tcpdump on the
pflog interface to make sure you're matching the rules you think? I'd
like to track this down, so please feel free to send me any info you
think pertains to this.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


pf + ftp throughput

2006-06-16 Thread J.D. Bronson

given the following rules:

# Permit internal network to send packets through the firewall
pass in quick on $INT_IF from $INT_IF:network to any flags S/SA keep state

# Permit traffic from firewall to initiate connection to internal network:
pass out quick on $INT_IF from any to $INT_IF:network flags S/SA keep state

..I have noticed that if I use 'keep state' ftp rates are fine 
(machine to machine...not via ftp-proxy) but if I change this to 
'modulate state'

my ftp rates fall...

For example...moving a 50MB file:

'keep state' = 11-12MB/sec over 100MB-FDX
'modulate state' = 6-7MB/sec over 100MB-FDX

..it took me a while to determine the culprit here - but I am curious 
as to why this is the case?




Re: pf + ftp throughput

2006-06-16 Thread Darrin Chandler
On Fri, Jun 16, 2006 at 01:59:01PM -0500, J.D. Bronson wrote:
> For example...moving a 50MB file:
>
> 'keep state' = 11-12MB/sec over 100MB-FDX
> 'modulate state' = 6-7MB/sec over 100MB-FDX
>
> ..it took me a while to determine the culprit here - but I am curious
> as to why this is the case?

Since modulate state substitutes its own high quality random sequence for
the TCP stream in both directions, a wimpy CPU or similar problem could
easily cause this, I think. Still, I'm surprised to see a 50% hit from
using modulate state.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
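
A sketch of the bookkeeping that sequence-number modulation implies, added here as an example and not code from this thread or from pf: a fixed random offset per direction is added to the sender's sequence numbers and removed from the acknowledgment numbers it sends, modulo 2^32, and the TCP checksum is patched incrementally. `SeqModulator`, the offsets and the header values are hypothetical and constructed; this is a simplified model, not pf's implementation.

```python
import secrets
import struct

MOD32 = 1 << 32

def fold(total: int) -> int:
    """Fold carries back in (ones' complement 16-bit sum)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def csum16(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an even-length byte string."""
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def csum_fixup32(csum: int, old: int, new: int) -> int:
    """RFC 1624 incremental update for one rewritten 32-bit field."""
    total = ~csum & 0xFFFF
    for o, n in ((old >> 16, new >> 16), (old & 0xFFFF, new & 0xFFFF)):
        total += (~o & 0xFFFF) + n
    return ~fold(total) & 0xFFFF

def tcp_header(sport, dport, seq, ack, flags=0x10, win=65535) -> bytes:
    """Constructed 20-byte TCP header; checksum covers the header only here
    (a real one also covers pseudo-header and payload, which are not rewritten)."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0)
    return hdr[:16] + struct.pack("!H", csum16(hdr)) + hdr[18:]

class SeqModulator:
    """Hypothetical model: one fixed random offset per direction of a state."""
    def __init__(self, off_a=None, off_b=None):
        self.off = {"a2b": secrets.randbits(32) if off_a is None else off_a,
                    "b2a": secrets.randbits(32) if off_b is None else off_b}

    def rewrite(self, direction: str, hdr: bytes) -> bytes:
        own = self.off[direction]
        peer = self.off["b2a" if direction == "a2b" else "a2b"]
        seq, ack = struct.unpack("!II", hdr[4:12])
        (csum,) = struct.unpack("!H", hdr[16:18])
        # Sender's numbers shift forward; its ACK is mapped back into the peer's real space.
        new_seq, new_ack = (seq + own) % MOD32, (ack - peer) % MOD32
        csum = csum_fixup32(csum_fixup32(csum, seq, new_seq), ack, new_ack)
        return (hdr[:4] + struct.pack("!II", new_seq, new_ack) + hdr[12:16]
                + struct.pack("!H", csum) + hdr[18:])

def demo():
    fw = SeqModulator(off_a=0xFFFFFF00, off_b=0x12345678)  # constructed offsets
    out = fw.rewrite("a2b", tcp_header(40000, 21, 0x00000200, 0x1234E678))
    seq, ack = struct.unpack("!II", out[4:12])
    return seq, ack, csum16(out) == 0  # seq wraps past 2^32; checksum still verifies
```

In this model the random draw happens once per state; every later packet needs only the arithmetic in `rewrite`.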


Re: pf + ftp throughput

2006-06-16 Thread J.D. Bronson

At 02:10 PM 6/16/2006, Darrin Chandler wrote:

> On Fri, Jun 16, 2006 at 01:59:01PM -0500, J.D. Bronson wrote:
> > For example...moving a 50MB file:
> >
> > 'keep state' = 11-12MB/sec over 100MB-FDX
> > 'modulate state' = 6-7MB/sec over 100MB-FDX
> >
> > ..it took me a while to determine the culprit here - but I am curious
> > as to why this is the case?
>
> Since modulate state substitutes its own high quality random sequence for
> the TCP stream in both directions, a wimpy CPU or similar problem could
> easily cause this, I think. Still, I'm surprised to see a 50% hit from
> using modulate state.


Yes. I am too!
This is a P4-3.06 with 1GB ram...under almost no load...so I can't
fault the CPU this time


-JD 




Re: pf + ftp throughput

2006-06-16 Thread Darrin Chandler
On Fri, Jun 16, 2006 at 02:13:00PM -0500, J.D. Bronson wrote:
> At 02:10 PM 6/16/2006, Darrin Chandler wrote:
> > On Fri, Jun 16, 2006 at 01:59:01PM -0500, J.D. Bronson wrote:
> > > For example...moving a 50MB file:
> > >
> > > 'keep state' = 11-12MB/sec over 100MB-FDX
> > > 'modulate state' = 6-7MB/sec over 100MB-FDX
> > >
> > > ..it took me a while to determine the culprit here - but I am curious
> > > as to why this is the case?
> >
> > Since modulate state substitutes its own high quality random sequence for
> > the TCP stream in both directions, a wimpy CPU or similar problem could
> > easily cause this, I think. Still, I'm surprised to see a 50% hit from
> > using modulate state.
>
> Yes. I am too!
> This is a P4-3.06 with 1GB ram...under almost no load...so I can't
> fault the CPU this time

The only two things that come to mind are 1) pf is using a really
complex and slow random source, or 2) something is going haywire with
the connection.

Have you tried tcpdump on either interface (not pflog) to see if
anything strange is going on (ACK storms, etc)? Just fishing at this
point...

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |


Re: pf + ftp throughput

2006-06-16 Thread J.D. Bronson

At 02:27 PM 6/16/2006, Darrin Chandler wrote:

> The only two things that come to mind are 1) pf is using a really
> complex and slow random source, or 2) something is going haywire with
> the connection.
>
> Have you tried tcpdump on either interface (not pflog) to see if
> anything strange is going on (ACK storms, etc)? Just fishing at this
> point...


Thanks. Well it's on the same segment of the LAN on a 3Com managed
(and not busy) switch.


I am using S/SA and I thought that should help ACK issues

for a trial, I am going to fire up a drive loaded with OpenBSD 3.9 
and PF and see if there is anything better/worse with the same pf.conf file.


Something is amiss and unacceptable!

-JD





--
J.D. Bronson
Information Services
Telecommunications Site Support
Aurora West Allis Memorial Hospital
Office: 414.978.8282 Fax: 414.977.5299
