Here's a suggestion somewhat out of left field. What about MTU? Any chance the provider changed it on you? A machine right on the edge would handle fragmentation somewhat more gracefully than a firewall that might decide to drop certain inappropriately fragmented frames. This would also cause potential slowdown in general.
One thing I didn't see (although I'm likely just missing it) is what your transfer speeds between DMZ and LAN are. Also, any chance, for a test, you can remove the router? And again test LAN to DMZ and LAN to Internet. Based on your equipment specs I'm highly skeptical of this being a hardware capacity issue (a number of us have outperformed your numbers on _much_ lower end hardware - consider that a Soekris 4801 @266MHz can easily hit 16Mbit of "normal" traffic, and iperf tests can get it upwards of 35Mbit). It might however be a hardware issue.

Also, there are some sysctls available for troubleshooting the Intel driver. Substitute '0' for whichever interface you are trying to debug:

sysctl -w dev.em.0.debug=1
sysctl -w dev.em.0.stats=1

The Intel driver will reset these sysctls to their default value on its own, it's a one time use type thing. The results will be available in dmesg and look like:

em0: Adapter hardware address = 0xc21e9a24
em0: CTRL = 0x40c00249 RCTL = 0x801a
em0: Packet buffer = Tx=16k Rx=48k
em0: Flow control watermarks high = 47104 low = 45604
em0: tx_int_delay = 66, tx_abs_int_delay = 66
em0: rx_int_delay = 0, rx_abs_int_delay = 66
em0: fifo workaround = 0, fifo_reset_count = 0
em0: hw tdh = 41, hw tdt = 41
em0: hw rdh = 102, hw rdt = 101
em0: Num Tx descriptors avail = 256
em0: Tx Descriptors not avail1 = 0
em0: Tx Descriptors not avail2 = 0
em0: Std mbuf failed = 0
em0: Std mbuf cluster failed = 0
em0: Driver dropped packets = 0
em0: Driver tx dma failure in encap = 0
em0: Excessive collisions = 0
em0: Sequence errors = 0
em0: Defer count = 0
em0: Missed Packets = 0
em0: Receive No Buffers = 0
em0: Receive Length Errors = 0
em0: Receive errors = 0
em0: Crc errors = 0
em0: Alignment errors = 0
em0: Collision/Carrier extension errors = 0
em0: RX overruns = 251
em0: watchdog timeouts = 0
em0: XON Rcvd = 0
em0: XON Xmtd = 0
em0: XOFF Rcvd = 0
em0: XOFF Xmtd = 0
em0: Good Packets Rcvd = 3269510
em0: Good Packets Xmtd = 647392
em0: TSO Contexts Xmtd = 0
em0: TSO Contexts Failed = 0

Lastly...if in interrupt mode still (I recommend it vs polling mode, I don't think we've done the appropriate tuning for polling to give a benefit), check net.inet.ip.intr_queue_drops <--- that should be 0, if it's not, something really weird is happening on your box.

--Bill

On Thu, Jul 31, 2008 at 8:06 AM, Ted Crow <[EMAIL PROTECTED]> wrote:
>
> I don't consider myself a Cisco expert either, I've just been using
> their hardware for the better part of 15 years. I have access to a fair
> number of good Cisco resources to aid me in selecting and configuring
> the hardware. I've never liked Cisco firewalls though, go figure.
>
> I actually sized the router based on an estimated max traffic flow of
> 25Mbps. It does have a very small ACL set running on it, mainly to keep
> weird stuff from molesting my DMZ hosts (spoofing, etc.) From the DMZ,
> the speeds are pretty respectable considering the router was only
> designed to handle a max of 46Mbps. This one is the baby of the 2800
> series and will probably be fine when the speed is dropped back down
> below 25Mbps.
>
> Ted Crow
> Information Technology Manager
> Tuttle Services, Inc.
>
> -----Original Message-----
> From: Paul Mansfield [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 31, 2008 5:56 AM
> To: [email protected]
> Subject: Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?
>
> It's not clear exactly what the Cisco 2801 is doing... does it have
> access control lists which can make a big difference in speed... AIUI
> access lists can have two different execution paths and if you write
> them wrongly they're much more CPU intensive. Sorry, I am not a Cisco
> expert in this instance.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
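An added example, not part of the thread: a small sh/awk filter that reads an em(4) stats dump in the format quoted above and prints only the loss or error counters that are non-zero for one interface. The function names and the keyword list used to decide what counts as a problem counter are assumptions of this example, and the em1 lines in the sample are constructed.

```shell
#!/bin/sh
# Flag non-zero loss/error counters in an em(4) "stats" dump from dmesg.
# The keyword list is this example's own heuristic, not the driver's.

em_problem_counters() {
    # $1: interface name (for example em0); stdin: dmesg text
    awk -v ifn="$1" '
        index($0, ifn ": ") == 1 {
            line = substr($0, length(ifn) + 3)
            sub(/[ \t\r]+$/, "", line)        # tolerate trailing whitespace
            n = split(line, kv, " = ")
            if (n != 2) next                  # multi-value lines (CTRL/RCTL, delays)
            if (kv[2] !~ /^[0-9]+$/) next     # hex addresses, "Tx=16k Rx=48k"
            name = tolower(kv[1])
            if (name ~ /error|fail|drop|overrun|missed|no buffers|not avail|collision|timeout/ \
                && kv[2] + 0 > 0)
                printf "%s: %s = %d\n", ifn, kv[1], kv[2]
        }'
}

sample_dump() {
    # em0 lines are taken from the output quoted in the thread;
    # em1 lines are constructed to show per-interface filtering.
    cat <<'EOF'
em0: Adapter hardware address = 0xc21e9a24
em0: Packet buffer = Tx=16k Rx=48k
em0: Flow control watermarks high = 47104 low = 45604
em0: Num Tx descriptors avail = 256
em0: Tx Descriptors not avail1 = 0
em0: Driver dropped packets = 0
em0: Missed Packets = 0
em0: Receive No Buffers = 0
em0: RX overruns = 251
em0: watchdog timeouts = 0
em0: Good Packets Rcvd = 3269510
em1: Missed Packets = 12
em1: Good Packets Rcvd = 100
EOF
}

# On a live box the input would be dmesg output captured after setting
# dev.em.N.stats=1; here the embedded sample is used instead.
sample_dump | em_problem_counters em0
```
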
