Pf in 4.11

Greg Hennessy Greg.Hennessy at nviz.net
Thu May 12 11:20:38 PDT 2005


I assume this is internet facing? If so, do you really have a 25 megabit
full duplex pipe to the net?

You don't appear to have implemented any form of ACK prioritisation:

http://www.benzedrine.cx/ackpri.html

It's not optional when running links flat out.

PRIQ/CBQ are not exactly precision instruments when it comes to packet
shaping, HFSC is better IMHO.  

On a side note, I've recently rolled out a 3.4 GHz Xeon running 5.4 for a
customer and it iperfed under soak test @ ~800 megabits/sec through a pair
of em.

25 megabits wouldn't tax one of the P2-350s I have here as crash and burn test
servers.


Greg
> -----Original Message-----
> From: owner-freebsd-pf at freebsd.org 
> [mailto:owner-freebsd-pf at freebsd.org] On Behalf Of Christopher McGee
> Sent: 12 May 2005 18:17
> To: Richard Tector
> Cc: freebsd-pf at freebsd.org
> Subject: Re: Pf in 4.11
> 
> Richard Tector wrote:
> 
> > Christopher McGee wrote:
> >
> >> The handbook states that pf is available through KAME in 4.11 and
> >> from my reading KAME is built into the system. How do you enable pf
> >> and altq on 4.x then? I have had trouble finding any how-to's on
> >> this since everything for pf points to 5.x. I just can't justify
> >> running 5.x on a production firewall though unless the performance
> >> greatly improves over 5.3.
> >
> >
> > I can push over 300Mbit of sustained TCP traffic through a
> > Celeron 1.3 routing and firewalling with pf. It runs a 3 month old
> > RELENG_5. What sort of performance issues are you seeing that are
> > stopping you from moving to 5.x?
> >
> > Regards,
> >
> > Richard Tector
> 
> When queue1 starts pushing its maximum bandwidth, queue0 (the
> default) seems to choke and services become unavailable from
> the outside. I cut back queue1 by about 7 Mbit/s and it has
> cleared it up for the most part. Not completely though.
> Here's what I think is the relevant info, let me know if you
> need anything else:
> 
> The box:
> CPU: Intel(R) Pentium(R) 4 CPU 2.00GHz (1999.78-MHz 686-class CPU)
> real memory  = 1071906816 (1022 MB)
> avail memory = 1039392768 (991 MB)
> fxp0-6, only 0 and 1 are being used, the others are for future
> projects, like pfsync, and some dmz type stuff.
> 
> pf configuration:
> set limit { states 100000, frags 5000 }
> set loginterface $ext_if
> set block-policy drop
> all other options are default
> 
> queue configuration:
> altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
> queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
> queue queue1 bandwidth 12Mb qlimit 5000
> 
> The additional bandwidth that is not included in the queues
> should be added to queue1 but when that is done, it causes
> problems. At high traffic times, queue1 will use ALL of its
> bandwidth and queue0 usually only uses 3-5 megs.
> 
> There is no nat or anything running on this firewall.  Public 
> IP addresses outside and inside.  I would rather not revert 
> to 4.x if possible but I can't have this machine unstable.
> 
> Thanks,
> Chris
> 
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> 
> 
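Taking up the two points made in the reply above (ACK prioritisation, and HFSC rather than CBQ), the following pf.conf fragment shows how the poster's queue0/queue1 layout could be rewritten so that the default queue and empty TCP ACKs keep a guaranteed share while the bulk queue is saturating the link. This is an added example, not configuration from either mail: the interface name fxp0, the <bulk_hosts> table and its addresses, the 2Mb ACK allocation and the realtime/upperlimit figures are assumptions; only the 25Mb link figure and the 8Mb/12Mb split come from the thread.

```pf
# Added example for FreeBSD 5.x pf/ALTQ, not taken from the original mails.
# Assumed: $ext_if is fxp0, the uplink really is 25Mb full duplex, and the
# traffic that used to land in queue1 is identifiable by source address.
ext_if = "fxp0"
table <bulk_hosts> { 192.0.2.10, 192.0.2.11 }   # assumed hosts behind the firewall

# HFSC root with three children. q_ack holds empty TCP ACKs and TOS lowdelay
# packets, q_def is the old queue0, q_bulk is the old queue1. The realtime
# curves guarantee service for q_ack and q_def regardless of how busy q_bulk
# is; upperlimit stops q_bulk from ever taking the whole 25Mb. Child
# bandwidths must not exceed the parent's (2 + 8 + 15 = 25).
altq on $ext_if bandwidth 25Mb hfsc queue { q_ack, q_def, q_bulk }
queue q_ack  bandwidth 2Mb  qlimit 100 hfsc(realtime 2Mb)
queue q_def  bandwidth 8Mb  qlimit 150 hfsc(default, realtime 6Mb)
queue q_bulk bandwidth 15Mb qlimit 500 hfsc(realtime 8Mb, upperlimit 21Mb)

# With queue (a, b), pf sends TCP ACKs carrying no payload and packets with
# TOS lowdelay to b, and everything else matching the rule to a. This is the
# mechanism described at http://www.benzedrine.cx/ackpri.html.
pass out on $ext_if proto tcp from <bulk_hosts> to any \
    flags S/SA keep state queue (q_bulk, q_ack)
pass out on $ext_if proto tcp from any to any \
    flags S/SA keep state queue (q_def, q_ack)
pass out on $ext_if proto { udp, icmp } from any to any \
    keep state queue q_def
```

ALTQ only shapes packets leaving the interface, so this governs the outbound half of the link; the kernel needs `options ALTQ` and `options ALTQ_HFSC` for the hfsc scheduler to be available. After loading with `pfctl -f /etc/pf.conf`, `pfctl -vvsq` shows per-queue packet and drop counters; if q_def still shows drops while q_bulk is busy, its realtime curve is too small for the traffic actually landing there.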



More information about the freebsd-pf mailing list