Hi guys,
I got the following setup
bridge----2 gig
switches---home lab
Inet---alix 1d box with quad gigabit---<
DHCP usr lan
The alix box is alix 1d with 256mb RAM and from home lab 2 home lab
segment I'm able to get gigabit speed. my problem is that from usr lan
to home lab, I'm able to get 150 mbit/s max though all interfaces are
gig ones.
If someone can point me where my fault is - e.g. bad pf rules or etc,
I'd be very grateful
Below are the details of my setup. Sorry for hitting the send button
too quickly.
Best regards,
Dimitar
# dmesg | more
OpenBSD 4.8-current (GENERIC) #363: Wed Sep 22 01:41:57 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD"
586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem = 259284992 (247MB)
avail mem = 245071872 (233MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/16/08, BIOS32 rev. 0 @ 0xfa960
apm0 at bios0: Power Management spec V1.2 (slowidle)
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdfb4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf40/112 (5 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 5 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0xa800 0xef000/0x1000!
cpu0 at mainbus0: (uniprocessor)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x31
vga1 at pci0 dev 1 function 1 "AMD Geode LX Video" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
ppb0 at pci0 dev 12 function 0 "Hint HB6 PCI-PCI" rev 0x11
pci1 at ppb0 bus 1
vge0 at pci1 dev 8 function 0 "VIA VT612x" rev 0x11: irq 11, address
00:0c:42:1a:32:60
ciphy0 at vge0 phy 1: CS8201 10/100/1000TX PHY, rev. 2
vge1 at pci1 dev 9 function 0 "VIA VT612x" rev 0x11: irq 5, address
00:0c:42:1a:32:61
ciphy1 at vge1 phy 1: CS8201 10/100/1000TX PHY, rev. 2
vge2 at pci1 dev 10 function 0 "VIA VT612x" rev 0x11: irq 10, address
00:0c:42:1a:32:62
ciphy2 at vge2 phy 1: CS8201 10/100/1000TX PHY, rev. 2
vge3 at pci1 dev 11 function 0 "VIA VT612x" rev 0x11: irq 11, address
00:0c:42:1a:32:63
ciphy3 at vge3 phy 1: CS8201 10/100/1000TX PHY, rev. 2
vr0 at pci0 dev 13 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11,
address 00:0d:b9:0d:47:94
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
iwi0 at pci0 dev 14 function 0 "Intel PRO/Wireless 2915ABG" rev 0x05:
irq 10, address 00:13:ce:8a:8e:0a
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3,
32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <CF CARD 4GB>
wd0: 1-sector PIO, LBA, 3847MB, 7880544 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
auglx0 at pci0 dev 15 function 3 "AMD CS5536 Audio" rev 0x01: irq 11,
CS5536 AC97
ac97: codec id 0x414c4770 (Avance Logic ALC203 rev 0)
ac97: codec features headphone, 20 bit DAC, 18 bit ADC, No 3D Stereo
audio0 at auglx0
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 5,
version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: W83627HF rev 0x41
lm1 at wbsio0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
biomask f365 netmask ff65 ttymask ffff
mtrr: K6-family MTRR support (2 registers)
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
# more hostname.bridge0
add vlan10
add vlan11
blocknonip vlan10
blocknonip vlan11
maxaddr 2000
up
# more hostname.vlan11
up vlan 10 vlandev vge3 descr "IPMP_NODE2"
# more hostname.vlan10
inet xxx NONE vlan 10 vlandev vge2 descr "IPMP_NODE1"
!route add -net xxxx/24 xxxx
#
# more /etc/pf.conf
# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
tg="block log quick"
tg_in="block in log quick"
tg_out="block out log quick"
bw="bandwidth"
#interface desc
l="lo0"
ext_if="vr0"
usr_if="vge0"
usr_if2="iwi0"
b="bridge0"
#
#mgmt ifs
#
mgmt1="vge2"
mgmt2="vge3"
vl10="vlan10"
vl11="vlan11"
cluster_pub="bridge0"
#
#network desc
#
usr_lan="foo"
cl_lan="foo2"
#
dhcp1="255.255.255.255/32"
dhcp2="172.20.16.1/32"
bootstrap_server="67"
bootstrap_client="68"
q="qlimit"
services="22,5190,6666,6667,5190,80,443,5222,5223"
#
#tables
#
table <nogo> persist file "/etc/pf/bogons"
table <bastards> persist
#
set skip on lo
#pass quick on {$l} all keep state
#
#sets
#
set timeout { interval 5, frag 20, src.track 20 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 90, tcp.finwait 20, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit { states 20000, frags 20000, src-nodes 2000 }
set loginterface $ext_if
set optimization aggressive
set block-policy drop
set state-policy if-bound
set require-order yes
set ruleset-optimization basic
#
# Queueing: rule-based bandwidth control
#
#external shaping on $ext_if
#
altq on $ext_if bandwidth 25Mb hfsc queue { tcp_ack_out, www, ftp, ssh
tcp_ack_in}
queue tcp_ack_out $bw 1Mb priority 7 hfsc (ecn realtime 512Kb
linkshare 10% upperlimit 2Mb) $q 1000
queue tcp_ack_in $bw 1Mb priority 5 hfsc (ecn default realtime 512Kb
linkshare 10% upperlimit 1Mb) $q 1000
#
#start www
#
queue www $bw 3Mb priority 5 hfsc (ecn linkshare 20% upperlimit 2Mb)
$q 1000 { www_in, www_out }
queue www_in $bw 2500Kb priority 5 hfsc (ecn realtime 1Mb linkshare
35% upperlimit 10Mb) $q 1000
queue www_out $bw 500Kb priority 6 hfsc (ecn realtime 1Mb linkshare
35% upperlimit 10Mb) $q 1000
#
#ftp
#
queue ftp $bw 8Mb priority 5 hfsc (ecn linkshare 40% upperlimit 8Mb)
$q 1000 { ftp_login, ftp_bulk }
queue ftp_bulk $bw 70% priority 5 hfsc (ecn linkshare 50% upperlimit
4Mb) $q 1000
queue ftp_login $bw 30% priority 7 hfsc (ecn linkshare 10%
upperlimit 1Mb) $q 1000
#
#ssh
queue ssh $bw 3Mb priority 6 hfsc (ecn linkshare 20% upperlimit 1Mb)
$q 1000 { ssh_login, ssh_bulk }
queue ssh_login $bw 1Mb priority 7 hfsc (ecn linkshare 10%
upperlimit 2Mb) $q 1000
queue ssh_bulk $bw 2Mb priority 5 hfsc (ecn linkshare 10% upperlimit
2Mb) $q 1000
#
#lab net
#
altq on {$vl10,$vl11,$b} $bw 1000Mb hfsc queue { cl_ack_out,
cl_ack_in, cl_www, cl_ftp, cl_ssh}
#
#
#
queue cl_ack_out $bw 1Mb priority 7 hfsc (ecn realtime 5120Kb
linkshare 10% upperlimit 100Mb) $q 1000
queue cl_ack_in $bw 100Mb priority 5 hfsc (ecn default linkshare 10%
upperlimit 100Mb) $q 1000
#
#start www
#
queue cl_www $bw 100Mb priority 5 hfsc (ecn linkshare 20% upperlimit
200Mb) $q 2000 { cl_www_in, cl_www_out }
queue cl_www_in $bw 90Mb priority 5 hfsc (ecn realtime 80Mb
linkshare 15% upperlimit 90Mb) $q 1000
queue cl_www_out $bw 10Mb priority 6 hfsc (ecn realtime 10Mb
linkshare 15% upperlimit 10Mb) $q 1000
#
#ftp
#
queue cl_ftp $bw 500Mb priority 5 hfsc (ecn linkshare 30% upperlimit
500Mb) $q 2000 { cl_ftp_login, cl_ftp_bulk }
queue cl_ftp_bulk $bw 70% priority 5 hfsc (ecn linkshare 20%
upperlimit 400Mb) $q 1000
queue cl_ftp_login $bw 30% priority 7 hfsc (ecn linkshare 20%
upperlimit 100Mb) $q 1000
#
#ssh
queue cl_ssh $bw 100Mb priority 6 hfsc (ecn linkshare 10% upperlimit
100Mb) $q 2000 { cl_ssh_login, cl_ssh_bulk }
queue cl_ssh_login $bw 10Mb priority 7 hfsc (ecn linkshare 10%
upperlimit 90Mb) $q 1000
queue cl_ssh_bulk $bw 90Mb priority 5 hfsc (ecn linkshare 10%
upperlimit 90Mb) $q 1000
#
# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $usr_if proto tcp from $usr_if:network to any port
ftp rdr-to 127.0.0.1 port 8021 synproxy state
# anchor for relayd(8)
#anchor "relayd/*"
# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
# rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp
#
#scrubs from ol rules
match in all scrub (no-df min-ttl 64 max-mss 1440 reassemble tcp)
match out all scrub (max-mss 1440 reassemble tcp random-id set-tos lowdelay)
#match in on $usr_if inet proto tcp from $usr_lan to any port ftp
rdr-to 127.0.0.1 port 8021
#
#
#
antispoof for { $ext_if,$l,$usr_if,$usr_if2 }
#
#basic antispoof
#
block log on $ext_if all
block log on $ext_if from <nogo> to any
block log on $ext_if from any to <nogo>
#extra from obsd team
block in quick from urpf-failed to any # use with care
#
#nat
#
match out log on egress from (self) to any tag EGRESS nat-to ($ext_if:0)
match out log on $ext_if from $usr_if:network to !($usr_if:network)
nat-to ($ext_if:0)
# By default, do not permit remote connections to X11
#
block in on ! lo0 proto tcp to port 6000:6010
#block in on $ext_if proto tcp to port 6000:6010
#
#ftp tricks
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if
user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user
proxy keep state queue ftp_login
#
#pass out quick on $ext_if from $usr_if:network to !{$usr_if:network}
nat-to $ext_if modulate state
#
#test - restore if needed
#
#pass out quick on $ext_if from $usr_if:network to any modulate state
#
#match in on $ext_if inet proto tcp from any port 21 to $ext_if queue ftp_bulk
#pass quick on $ext_if inet proto tcp from any to any port 21 user
proxy keep state queue ftp_login
#
pass out quick on $ext_if inet proto tcp from any to any port
{22,5190,6667,6666,5223,5222} keep state queue ssh_login
pass in quick on $ext_if inet proto tcp from any port { 22, 5190,
6666,6667, 5190 } to any keep state queue ssh_bulk
pass out quick on $ext_if inet proto tcp from any to any port { 80,
443 } keep state queue www_out
pass out quick on $ext_if inet proto {tcp, udp} from any to any port {
isakmp,pptp,ipsec-nat-t } queue tcp_ack_out modulate state
#pass in quick on $ext_if inet proto tcp from any port { 80, 443 }
keep state queue www_in
#
#
#
pass out on $ext_if inet proto tcp from $ext_if:network to any port {
53,123,67,68,80,443 } queue tcp_ack_out modulate state
pass out on $ext_if inet proto udp from $ext_if:network to any port {
53,123,67,68,80,443 } queue tcp_ack_out modulate state
#
#pass out on $ext_if from $usr_if:network to any modulate state
#
#
#icmp external
#
#pass in on $ext_if inet proto icmp all icmp-type {0,8,11} synproxy state
#pass out on $ext_if inet proto icmp all icmp-type {0,8,11} modulate state
#pass out on $ext_if inet proto udp from any to any \
port 33433 >< 33626 keep state
#
#icmp internal+external
#
pass quick on { $ext_if,$usr_if,$vl10,$vl11,$mgmt1,$mgmt2} inet proto
icmp all icmp-type {0,8,11} synproxy state
#pass out on { $ext_if,$usr_if,$vl10,$vl11,$mgmt1,$mgmt2} inet proto
icmp all icmp-type {0,8,11} modulate state
pass out on { $ext_if,$usr_if,$vl10,$vl11,$mgmt1,$mgmt2} inet proto
udp from any to any \
port 33433 >< 33626 keep state
#
#mgmt network
#
pass out on $mgmt1 from $usr_if:network keep state
pass out on $mgmt2 from $usr_if:network keep state
#
#
pass in on {$mgmt1,$mgmt2 } inet proto { tcp,udp,icmp} from {$usr_lan}
to any synproxy state
#
#
#bridge - below may follow in the future
# general bridge filtering policy - block all that's not related to
cluster ipmp and not coming from cluster lan or usr network
#
#
#block on $vl10 all
pass quick on $vl11 all
#pass on $vl10 all
#
#
pass quick on { $vl10 } inet proto tcp from any to $vl10:network port
22 keep state
#
#pass out quick on { $vl10 } inet proto tcp from $cl_lan port 22 to
$usr_lan queue cl_ssh_bulk modulate state
#
#rule below may need tuning with user proxy and etc
#
pass in quick on { $vl10, $vl11} inet proto tcp from $usr_lan to
$cl_lan port 21 keep state
pass out on {$vl10, $vl11} inet proto tcp from any to any port 21 keep
state queue cl_ftp_login
#
pass in on {$vl10, $vl11} inet proto { tcp,udp,icmp} from
{$usr_lan,$cl_lan} to any synproxy state
#
#pass out on {$vlan1, $vlan2,$mgmt1,$mgmt2 } inet proto {
tcp,udp,icmp} from $usr_lan to any modulate state
#
pass out on $vl10 from $cl_lan to {$cl_lan, $usr_lan} keep state
pass out on $vl11 from $cl_lan to {$cl_lan, $usr_lan} keep state
#
sysctl.conf
kern.maxclusters=128000
#network
net.inet.tcp.recvspace=262144
net.inet.tcp.sendspace=262144
net.inet.udp.recvspace=262144
net.inet.udp.sendspace=262144
net.inet.ip.ifq.maxlen=2560
net.inet.tcp.ackonpush=1
net.inet.tcp.mssdflt=1460
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of
IPv4 multicast packets
net.inet.ip.multipath=1 # 1=Enable IP multipath routing
