I noticed that running BitTorrent was making my network go very slow and have been trying to fix it. After spending most of the day playing around with it I have concluded that the problem is caused by having too many simultaneous BitTorrent connections. As you increase the number of connections, the latency on the external interface increases dramatically (e.g. ping times hit 900+ms or time out entirely). This is true regardless of bandwidth usage, because I can rate limit the client and still cause the problem. Running `pfctl -vvsq` shows that altq doesn't have a backlog. Looking at the archives, it seems that others on the list have experienced this problem in the past, but there hasn't been a final resolution.
I am at a total loss as to why this would be causing the massive increase in latency. Can someone more experienced explain why this is (and possibly tell me what I'm doing wrong)?

For your reference I'm running OpenBSD 4.2-current (Dec 18 snapshot) on a Sun Blade 100. The computer is as it comes from the factory except that I have added a gigabit network card (re) and a wifi card (ral).

Here is my pf.conf:

    ext_if="gem0"
    int_if="re0"
    wifi="ral0"
    vpn="enc0"
    bthost="172.16.1.10"
    btport="21885"

    set skip on lo
    scrub in
    scrub on $vpn max-mss 1400 no-df random-id

    altq on $ext_if priq bandwidth 512Kb queue{ack, main, others, bt}
    queue ack priority 7
    queue main priority 6
    queue others priority 5
    queue bt priority 1 priq(default)

    nat on $ext_if from !($ext_if) -> ($ext_if:0)
    rdr on $ext_if proto tcp to port $btport tag BT -> $bthost

    block all
    pass on $int_if no state
    pass in on $ext_if proto tcp to port $btport queue bt
    pass out on $ext_if queue (others, ack)
    pass out on $ext_if from $bthost queue bt
    pass out on $ext_if proto tcp to port {ssh, http, https} queue (main,ack)
    pass in proto tcp to port ssh

    ##Rules for WiFi Gateway
    #Allow configuring IPSec
    pass in on $wifi proto udp to port isakmp
    pass in on $wifi proto udp to port domain
    pass in on $wifi proto esp
    #allow authenticated users to do everything
    pass on $vpn no state

I can send a dmesg or anything else if I need to. Thanks in advance for your help.

--MHC

P.S. The obvious way to have pf deal with this is to use max-src-states. I have tested this approach and confirmed that it will avoid the problem, but I don't understand why this works, nor do I know if this is the "correct" way to deal with this.