Re: Firewall & DSL performance

2004-03-10 Thread Nathan Kinkade
On Wed, Mar 10, 2004 at 08:10:05AM -0600, Darryl Hoar wrote:
> Well,
> last night I changed the ipf.rules file to be:
> 
> pass in all  keep state
> pass out all keep state
> 
> to completely open my firewall to test my performance.
> 
> Well, it didn't make a lick of difference.  Still got
> 700K.
> 
> If I open the firewall like I did, shouldn't performance
> be a non issue ?
> 
> thanks,
> Darryl 

I wouldn't rule out the inside network card.  I recently noticed
something similar here and it turned out that, though a particular
network card worked on the whole, its performance was inexplicably
miserable.  We swapped out the cheap SiS card with a good 3Com card and
the problem was solved.  Is there any way that you could get ahold of
another NIC to test?

Nathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys D8527E49




RE: Firewall & DSL performance

2004-03-10 Thread Darryl Hoar
I didn't mean to imply that ipfilter itself had a 
performance problem, just that my configuration/hardware
exhibited a performance problem once my DSL was boosted
to 1.5Mb.

There is a box on the side of my house that the fiber
is connected to.  It has a network port for testing.
The tech connected his notebook to this port and
saw 1.5Mb performance.  There is a cat 5 run from this
external box to my office in my basement.  There is a jack
on the end of this run.  The tech connected to this jack
and saw roughly 1.48Mb performance.

Since both cards in the firewall are 3com 10Mb cards, they
won't show 100Mb.  When I did an ifconfig -a I see them 
represented as 10Mb/UTP.  I did not see any reference to
the duplex mode (half or full).  I will examine this to
see if it is somehow running in half duplex mode when
plugged into my DSL link.

From the command line on my firewall, if I ftp down a file,
how do I figure the Mbps ?

thanks,
Darryl

> -Original Message-
> From: JJB [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 10, 2004 8:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Firewall & DSL performance
> 
> 
> If the ipfilter firewall had a performance problem, I am sure many
> people other than you would have been complaining about it. I use
> ipfilter and have no performance problem. You have to look
> elsewhere for your problem.
> 
> Check all the NICs and switches or hubs in the path the test packets
> flow through to verify they are all operating in full duplex/100
> mode. Then start with the gateway box and run native FTP to your
> public FTP site and see what the throughput is there. If it is bad
> then you have isolated the problem to the NIC card that connects you
> to the DSL modem.
> 
> Greater detail about how you test from the LAN is needed to help you.
> Also a detailed description of just what you mean by your statements
> "Testing at the box on the side of my house yielded  1.5Mb.
>  Testing  at the jack inside also yielded 1.5Mb".
> 
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Darryl Hoar
> Sent: Wednesday, March 10, 2004 9:10 AM
> To: 'Mike Jackson'
> Cc: [EMAIL PROTECTED]
> Subject: RE: Firewall & DSL performance
> 
> Well,
> last night I changed the ipf.rules file to be:
> 
> pass in all  keep state
> pass out all keep state
> 
> to completely open my firewall to test my performance.
> 
> Well, it didn't make a lick of difference.  Still got
> 700K.
> 
> If I open the firewall like I did, shouldn't performance
> be a non issue ?
> 
> thanks,
> Darryl
> 
> > -Original Message-
> > From: Mike Jackson [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, March 09, 2004 11:55 AM
> > To: Darryl Hoar
> > Subject: Re: Firewall & DSL performance
> >
> >
> > Darryl Hoar ([EMAIL PROTECTED]) wrote:
> > >
> > > Problem:
> > > Recently, our ISP upgraded (at no charge) our connection from 512K to
> > > 1.5Mb.  When testing from a computer on my Lan, I was only seeing about
> > > 700K.  Testing at the box on the side of my house yielded 1.5Mb.  Testing
> > > at the jack inside also yielded 1.5Mb.  So, my firewall seems to be
> > > slowing things down.
> >
> > Run `top' and watch the memory and processor usage when downloading an iso
> > from some internet site.
> >
> > Open another terminal and run `iostat -odICTw 2 -c 9', to watch your io
> > performance.
> >
> > Open another terminal and run `vmstat -w 5', to watch virtual memory
> > statistics.
> >
> > Finally, a slow processor just might be the bottleneck. For example, if
> > you put a gigabit ethernet card in a P4 and one in a P2, you will most
> > likely not get full speed - especially if there is kernel level packet
> > interception going, e.g. ipsec, nat, or firewall filters.
> >
> > HTH,
> > --
> > Mike Jackson
> >
> ___
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
> 
> 


RE: Firewall & DSL performance

2004-03-10 Thread Darryl Hoar
Well,
last night I changed the ipf.rules file to be:

pass in all  keep state
pass out all keep state

to completely open my firewall to test my performance.

Well, it didn't make a lick of difference.  Still got
700K.

If I open the firewall like I did, shouldn't performance
be a non issue ?

thanks,
Darryl 

> -Original Message-
> From: Mike Jackson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 09, 2004 11:55 AM
> To: Darryl Hoar
> Subject: Re: Firewall & DSL performance
> 
> 
> Darryl Hoar ([EMAIL PROTECTED]) wrote:
> > 
> > Problem:
> > Recently, our ISP upgraded (at no charge) our connection from 512K to
> > 1.5Mb.  When testing from a computer on my Lan, I was only seeing about
> > 700K.  Testing at the box on the side of my house yielded 1.5Mb.  Testing
> > at the jack inside also yielded 1.5Mb.  So, my firewall seems to be
> > slowing things down.
> 
> Run `top' and watch the memory and processor usage when downloading an iso
> from some internet site.
> 
> Open another terminal and run `iostat -odICTw 2 -c 9', to watch your io
> performance.
> 
> Open another terminal and run `vmstat -w 5', to watch virtual memory
> statistics.
> 
> Finally, a slow processor just might be the bottleneck. For example, if
> you put a gigabit ethernet card in a P4 and one in a P2, you will most
> likely not get full speed - especially if there is kernel level packet
> interception going, e.g. ipsec, nat, or firewall filters.
> 
> HTH,
> -- 
> Mike Jackson
> 


Firewall & DSL performance

2004-03-09 Thread Darryl Hoar
Greetings,
I have a dedicated older box that is running Freebsd 4.7-stable,
IPFilter and nat for my home network.  It has a 3com 10Mb 
ethernet adapter plugged into the dsl jack (we don't have /need
dsl modems as we have fiber to the house).  The other NIC in the
firewall is another 3com 10Mb which is plugged into my Linksys 
10/100 switch.

Problem:
Recently, our ISP upgraded (at no charge) our connection from 512K to
1.5Mb.  When testing from a computer on my Lan, I was only seeing about
700K.  Testing at the box on the side of my house yielded 1.5Mb.  Testing
at the jack inside also yielded 1.5Mb.  So, my firewall seems to be
slowing things down.

I am using CAT5 cabling, and quality jacks and patch cables (hubble).

Any ideas where to start on determining what is causing this slow down ?

A friend that also has the service is running Windows 2000 Pro, Norton 
firewall and zone alarm and has no problem getting 1200K.

thanks for ideas,
Darryl