Try using something like iperf or netperf to get more results than just icmp.
J

On Jan 11, 2008 9:36 AM, scott <[EMAIL PROTECTED]> wrote:
> re-test and post with in your ruleset
>
> pass in quick on fxp0 inet from any to any keep state
> pass out quick on $ext_if inet from any to any keep state
>
> /S
>
> -----Original Message-----
> From: Chris Cohen <[EMAIL PROTECTED]>
> To: misc@openbsd.org
> Subject: 4.2-current throughput with pf enabled
> Date: Fri, 11 Jan 2008 17:45:37 +0100
> Mailer: KMail/1.9.7
> Delivered-To: [EMAIL PROTECTED]
>
> Hi,
>
> I just upgraded my home firewall/router from 4.1 to a current snapshot from
> 9th January. I also changed the NIC which is connected to my core switch from
> fxp to em and upgraded the memory from 128Mb to 256Mb.
> With PF disabled I can route about 40Mbyte/s (sorry, don't have pps but the
> traffic should mostly be large packets) and the system still responds very
> well. (To get some numbers I just pinged the machine...):
>
> PING 10.1.0.254 (10.1.0.254) 56(84) bytes of data.
> 64 bytes from 10.1.0.254: icmp_seq=1 ttl=255 time=2.39 ms
> 64 bytes from 10.1.0.254: icmp_seq=2 ttl=255 time=0.078 ms
> 64 bytes from 10.1.0.254: icmp_seq=3 ttl=255 time=0.077 ms
> 64 bytes from 10.1.0.254: icmp_seq=4 ttl=255 time=0.258 ms
> 64 bytes from 10.1.0.254: icmp_seq=5 ttl=255 time=1.63 ms
> 64 bytes from 10.1.0.254: icmp_seq=6 ttl=255 time=2.03 ms
> 64 bytes from 10.1.0.254: icmp_seq=7 ttl=255 time=1.87 ms
> 64 bytes from 10.1.0.254: icmp_seq=8 ttl=255 time=0.954 ms
> 64 bytes from 10.1.0.254: icmp_seq=9 ttl=255 time=2.65 ms
> 64 bytes from 10.1.0.254: icmp_seq=10 ttl=255 time=0.315 ms
>
> --- 10.1.0.254 ping statistics ---
> 10 packets transmitted, 10 received, 0% packet loss, time 9007ms
> rtt min/avg/max/mdev = 0.077/1.228/2.657/0.955 ms
>
> With pf enabled and a very short ruleset (see pf.conf below) the system
> doesn't respond to many of the dns queries (bind9 is also enabled on this
> system) and the throughput is decreased to about 10Mbyte/s with the same kind
> of traffic as above.
> See my stupid pingtest:
>
> PING 10.1.0.254 56(84) bytes of data.
> 64 bytes from 10.1.0.254: icmp_seq=2 ttl=255 time=5.39 ms
> 64 bytes from 10.1.0.254: icmp_seq=3 ttl=255 time=0.206 ms
> 64 bytes from 10.1.0.254: icmp_seq=4 ttl=255 time=9.87 ms
> 64 bytes from 10.1.0.254: icmp_seq=5 ttl=255 time=1.35 ms
> 64 bytes from 10.1.0.254: icmp_seq=6 ttl=255 time=10.1 ms
> 64 bytes from 10.1.0.254: icmp_seq=7 ttl=255 time=1.47 ms
> 64 bytes from 10.1.0.254: icmp_seq=8 ttl=255 time=11.1 ms
> 64 bytes from 10.1.0.254: icmp_seq=9 ttl=255 time=11.8 ms
> 64 bytes from 10.1.0.254: icmp_seq=10 ttl=255 time=12.1 ms
> 64 bytes from 10.1.0.254: icmp_seq=11 ttl=255 time=11.7 ms
> 64 bytes from 10.1.0.254: icmp_seq=12 ttl=255 time=12.7 ms
> 64 bytes from 10.1.0.254: icmp_seq=13 ttl=255 time=11.3 ms
> 64 bytes from 10.1.0.254: icmp_seq=14 ttl=255 time=14.0 ms
> 64 bytes from 10.1.0.254: icmp_seq=15 ttl=255 time=12.2 ms
> 64 bytes from 10.1.0.254: icmp_seq=16 ttl=255 time=11.7 ms
> 64 bytes from 10.1.0.254: icmp_seq=17 ttl=255 time=14.7 ms
> 64 bytes from 10.1.0.254: icmp_seq=18 ttl=255 time=11.1 ms
> 64 bytes from 10.1.0.254: icmp_seq=19 ttl=255 time=3.01 ms
>
> --- 10.1.0.254 ping statistics ---
> 19 packets transmitted, 18 received, 5% packet loss, time 18026ms
> rtt min/avg/max/mdev = 0.206/9.239/14.713/4.549 ms
>
> With openbsd 4.1 and an fxp NIC instead of the em one the system was able to
> handle full 12Mbyte/s with a pretty complex pf.conf (more than 200 lines).
> The system is an old Compaq Deskpro EN with a P3/500 and 256Mb of ram.
>
>
> pf.conf (already played with scrub, skip and pass with no success...)
> ---------
> ext_if="pppoe0"
> set skip on lo
> set skip on em0
> #scrub in
> scrub out on pppoe0 max-mss 1440 no-df random-id fragment reassemble
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat on fxp0 from any to 10.1.0.253 -> 10.1.0.254
> rdr pass on vlan10 proto tcp to port ftp -> 127.0.0.1 port 8021
> anchor "ftp-proxy/*"
> #block in on pppoe0
> #pass out
>
> Is there anything I can tune in pf?
> Should I provide a dmesg?