Hmmm... your hardware looks to be "sufficient" :-) 

I don't recall any specific problems with Broadcom NICs... if you have an Intel 
NIC or two around... give those a shot (assuming you can fit them since the 
R200 is a 1U). 

I can't see anything that jumps out at me in your ruleset... maybe try 
disabling any packages? 

Tim Nelson 
Systems/Network Support 
Rockbochs Inc. 
(218)727-4332 x105 

----- "Nuno Gonçalves" wrote: 
> Hi, 
> thanks for responding. 
> The hardware is a DELL PowerEdge R200 - Quad Core Intel® Xeon® X3220 - 2.4GHz 
> The NICs are Dual embedded Broadcom Gigabit NICs. 
> Running pfsense 1.2 
> 
> thanks once again 
> Nuno 
> 
> 
> 
> 
> these are the pfsense rules (just in case): 
> TRANSLATION RULES: 
> nat-anchor "pftpx/*" all 
> nat-anchor "natearly/*" all 
> nat-anchor "natrules/*" all 
> rdr-anchor "pftpx/*" all 
> rdr-anchor "slb" all 
> rdr-anchor "imspector" all 
> rdr-anchor "miniupnpd" all 
> 
> FILTER RULES: 
> scrub all random-id fragment reassemble 
> anchor "ftpsesame/*" all 
> anchor "firewallrules" all 
> block drop quick proto tcp from any port = 0 to any 
> block drop quick proto udp from any port = 0 to any 
> block drop quick proto tcp from any to any port = 0 
> block drop quick proto udp from any to any port = 0 
> block drop quick from <snort2c> to any label "Block snort2c hosts" 
> block drop quick from any to <snort2c> label "Block snort2c hosts" 
> anchor "loopback" all 
> pass in quick on lo0 all flags S/SA keep state label "pass loopback" 
> pass out quick on lo0 all flags S/SA keep state label "pass loopback" 
> anchor "packageearly" all 
> anchor "carp" all 
> pass quick inet proto icmp from 193.137.219.13 to any keep state 
> anchor "dhcpserverlan" all 
> pass in quick on bge1 inet proto udp from any port = bootpc to 
> 255.255.255.255 port = bootps keep state label "allow access to DHCP server 
> on LAN" 
> pass in quick on bridge0 inet proto udp from any port = bootpc to 
> 255.255.255.255 port = bootps keep state label "allow access to DHCP server 
> on LAN" 
> pass in quick on bge1 inet proto udp from any port = bootpc to 193.137.219.14 
> port = bootps keep state label "allow access to DHCP server on LAN" 
> pass in quick on bridge0 inet proto udp from any port = bootpc to 
> 193.137.219.14 port = bootps keep state label "allow access to DHCP server on 
> LAN" 
> pass out quick on bge1 inet proto udp from 193.137.219.14 port = bootps to 
> any port = bootpc keep state label "allow access to DHCP server on LAN" 
> pass out quick on bridge0 inet proto udp from 193.137.219.14 port = bootps to 
> any port = bootpc keep state label "allow access to DHCP server on LAN" 
> pass in quick on bge0 proto udp from any port = bootps to any port = bootpc 
> keep state label "allow dhcp client out wan" 
> pass in quick on bridge0 proto udp from any port = bootps to any port = 
> bootpc keep state label "allow dhcp client out wan" 
> block drop in on ! bge1 inet from 193.137.219.0/28 to any 
> block drop in on bge1 inet6 from fe80::21e:c9ff:feba:a598 to any 
> block drop in inet from 193.137.219.14 to any 
> anchor "spoofing" all 
> anchor "limitingesr" all 
> block drop in quick from <virusprot> to any label "virusprot overload table" 
> pass out quick on bge1 proto icmp all keep state label "let out anything from 
> firewall host itself" 
> pass out quick on bridge0 proto icmp all keep state label "let out anything 
> from firewall host itself" 
> pass out quick on bge0 proto icmp all keep state label "let out anything from 
> firewall host itself" 
> pass out quick on bridge0 proto icmp all keep state label "let out anything 
> from firewall host itself" 
> pass out quick on bge0 all flags S/SA keep state (tcp.closed 5) label "let 
> out anything from firewall host itself" 
> anchor "firewallout" all 
> pass out quick on bge0 all flags S/SA keep state label "let out anything from 
> firewall host itself" 
> pass out quick on bge1 all flags S/SA keep state label "let out anything from 
> firewall host itself" 
> pass out quick on bridge0 all flags S/SA keep state label "let out anything 
> from firewall host itself" 
> pass out quick on enc0 all flags S/SA keep state label "IPSEC internal host 
> to host" 
> anchor "anti-lockout" all 
> pass in quick on bge1 inet from any to 193.137.219.14 flags S/SA keep state 
> label "anti-lockout web rule" 
> block drop in log proto tcp from <sshlockout> to any port = ssh label 
> "sshlockout" 
> anchor "ftpproxy" all 
> anchor "pftpx/*" all 
> pass in log quick on bge0 reply-to (bge0 193.137.219.2) inet all flags S/SA 
> keep state label "USER_RULE: WLAN -> LAN" 
> pass in log quick on bridge0 reply-to (bge0 193.137.219.2) inet all flags 
> S/SA keep state label "USER_RULE: WLAN -> LAN" 
> pass in log quick on bge1 all flags S/SA keep state label "USER_RULE: Default 
> LAN -> any" 
> pass in log quick on bridge0 all flags S/SA keep state label "USER_RULE: 
> Default LAN -> any" 
> pass in quick on bge1 inet proto tcp from any to 127.0.0.1 port = ftp-proxy 
> flags S/SA keep state label "FTP PROXY: Allow traffic to localhost" 
> pass in quick on bge1 inet proto tcp from any to 127.0.0.1 port = ftp flags 
> S/SA keep state label "FTP PROXY: Allow traffic to localhost" 
> pass in quick on bge0 inet proto tcp from any port = ftp-data to (bge0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection" 
> anchor "imspector" all 
> anchor "miniupnpd" all 
> block drop in log quick all label "Default block all just to be sure." 
> block drop out log quick all label "Default block all just to be sure." 
> No queue in use 
> 
> 
> 
> Tim Nelson wrote: 

> We've got bridging setups that run well over 20mbit. What kind of NICs are you 
> using? System specs/hardware? Firewall rules? 
> 
> Tim Nelson 
> Systems/Network Support 
> Rockbochs Inc. 
> (218)727-4332 x105 
> 
> ----- "Nuno Gonçalves" wrote: 
> > Hi all, 
> > 
> > we are trying to use pfsense in bridging mode in a local network and 
> > experienced that with its use the bandwidth speed does not go beyond 
> > 25Mb/s. Even disabling shaping rules. 
> > Without pfsense we can go up to 40Mb/s. 
> > Do you think it might be anything with configuration in bridging mode ? Or 
> > it should be a design feature or a limitation somehow? 
> > 
> > Best Regards 
> > Nuno 
> > 
> > 
> 
> -- 
______________________________________________
Nuno Gonçalves
FCCN
Av. do Brasil, nº 101
1700-066 Lisboa
tel: +351 218 440 100 - fax: +351 218 472 167
email|SIP: [EMAIL PROTECTED] http://www.fccn.pt 
______________________________________________
