Re: [pfSense Support] Re: Less bandwidth available behind the firewall

2010-01-13 Thread Chris Buechler
On Wed, Jan 13, 2010 at 12:59 AM, David Newman dnew...@networktest.com wrote:
 On 1/12/10 9:51 PM, Ugo Bellavance wrote:
 On 2010-01-12 23:56, Chris Buechler wrote:
 On Tue, Jan 12, 2010 at 11:50 PM, Ugo Bellavance u...@lubik.ca wrote:
 Hi,

 I'm running pfsense 1.2.2 on a pentium 4, 3.0 ghz, 1 GB RAM.  HDD
 install.

 When I start a download from a nearby centos mirror, directly from the
 firewall (using fetch), I get the full bandwidth available from my ISP
 (60 mbps).  However, if I try to download the same file from the same
 server, but from a linux server behind the firewall, using wget, I only
 get about 20 mbps.  If I start multiple downloads, I can reach 60mbps.
 Is there an explanation?


 Probably a TCP window difference of some sort between FreeBSD and your
 Linux box.

 How would I check that?

 Run tcpdump to capture traffic from both types of transfers (from the
 firewall and behind the firewall). Then examine the captures to compare
 the TCP receive window sizes during the transfers.


That's the best way, though maybe not the easiest to decipher if you
aren't intricately familiar with how TCP functions.

The settings are sysctls in FreeBSD and Linux.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



[pfSense Support] Re: Less bandwidth available behind the firewall

2010-01-13 Thread Ugo Bellavance

On 2010-01-13 09:49, Chris Buechler wrote:

On Wed, Jan 13, 2010 at 12:59 AM, David Newman dnew...@networktest.com wrote:

On 1/12/10 9:51 PM, Ugo Bellavance wrote:

On 2010-01-12 23:56, Chris Buechler wrote:

On Tue, Jan 12, 2010 at 11:50 PM, Ugo Bellavance u...@lubik.ca wrote:

Hi,

I'm running pfsense 1.2.2 on a pentium 4, 3.0 ghz, 1 GB RAM.  HDD
install.

When I start a download from a nearby centos mirror, directly from the
firewall (using fetch), I get the full bandwidth available from my ISP
(60 mbps).  However, if I try to download the same file from the same
server, but from a linux server behind the firewall, using wget, I only
get about 20 mbps.  If I start multiple downloads, I can reach 60mbps.
Is there an explanation?



Probably a TCP window difference of some sort between FreeBSD and your
Linux box.


How would I check that?


Run tcpdump to capture traffic from both types of transfers (from the
firewall and behind the firewall). Then examine the captures to compare
the TCP receive window sizes during the transfers.



That's the best way, though maybe not the easiest to decipher if you
aren't intricately familiar with how TCP functions.



## Linux box

net.ipv4.tcp_tso_win_divisor = 3
net.ipv4.tcp_adv_win_scale = 2
net.ipv4.tcp_app_win = 31
net.ipv4.tcp_window_scaling = 1

net.core.rmem_default = 107520
net.core.wmem_default = 107520
net.core.rmem_max = 131071
net.core.wmem_max = 131071


## pfsense box

# sysctl -a | grep -i tcp | grep space
net.inet.tcp.sendspace: 65228
net.inet.tcp.recvspace: 65228

I hope I got all the numbers, these are the default values, we didn't 
change them.






Re: [pfSense Support] Re: Less bandwidth available behind the firewall

2010-01-13 Thread David Newman
On 1/13/10 8:14 AM, Ugo Bellavance wrote:
 On 2010-01-13 09:49, Chris Buechler wrote:
 On Wed, Jan 13, 2010 at 12:59 AM, David Newman dnew...@networktest.com wrote:
 On 1/12/10 9:51 PM, Ugo Bellavance wrote:
 On 2010-01-12 23:56, Chris Buechler wrote:
 On Tue, Jan 12, 2010 at 11:50 PM, Ugo Bellavance u...@lubik.ca wrote:
 Hi,

 I'm running pfsense 1.2.2 on a pentium 4, 3.0 ghz, 1 GB RAM.  HDD
 install.

 When I start a download from a nearby centos mirror, directly from the
 firewall (using fetch), I get the full bandwidth available from my ISP
 (60 mbps).  However, if I try to download the same file from the same
 server, but from a linux server behind the firewall, using wget, I only
 get about 20 mbps.  If I start multiple downloads, I can reach 60mbps.
 Is there an explanation?


 Probably a TCP window difference of some sort between FreeBSD and your
 Linux box.

 How would I check that?

 Run tcpdump to capture traffic from both types of transfers (from the
 firewall and behind the firewall). Then examine the captures to compare
 the TCP receive window sizes during the transfers.


 That's the best way, though maybe not the easiest to decipher if you
 aren't intricately familiar with how TCP functions.
 
 
 ## Linux box
 
 net.ipv4.tcp_tso_win_divisor = 3
 net.ipv4.tcp_adv_win_scale = 2
 net.ipv4.tcp_app_win = 31
 net.ipv4.tcp_window_scaling = 1
 
 net.core.rmem_default = 107520
 net.core.wmem_default = 107520
 net.core.rmem_max = 131071
 net.core.wmem_max = 131071
 
 
 ## pfsense box
 
 # sysctl -a | grep -i tcp | grep space
 net.inet.tcp.sendspace: 65228
 net.inet.tcp.recvspace: 65228
 
 I hope I got all the numbers, these are the default values, we didn't
 change them.

I would strongly recommend against messing with TCP sysctls unless (a)
you know what the actual problem is and (b) you fully understand TCP
sliding windows and window scaling mechanics. TCP is a complex beast,
and easily upset.

Better to first isolate and understand the problem before attempting fixes.

dn





Re: [pfSense Support] Re: Less bandwidth available behind the firewall

2010-01-13 Thread Klaus Lichtenwalder
On Wednesday, 13.01.2010, at 11:14 -0500, Ugo Bellavance wrote:
[...]
 
 ## Linux box
 
 net.ipv4.tcp_tso_win_divisor = 3
 net.ipv4.tcp_adv_win_scale = 2
 net.ipv4.tcp_app_win = 31
 net.ipv4.tcp_window_scaling = 1
 
 net.core.rmem_default = 107520
 net.core.wmem_default = 107520
 net.core.rmem_max = 131071
 net.core.wmem_max = 131071
 
[...]

Sorry, I'm not a BSD guy, but the Linux memory values seem somewhat low.
How much RAM do you have in that box? These values and the following
could be set somewhat more generous, depending on available RAM and BDP
(bandwidth delay product)

net.ipv4.tcp_mem=311904 415872  623808
net.ipv4.tcp_wmem= 4096 16384   4194304
net.ipv4.tcp_rmem= 4096 87380   4194304

Klaus

-- 
 
 Klaus Lichtenwalder, Dipl. Inform.,  http://lklaus.homelinux.org/Klaus/
 PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B  9C62 DB6D 1258 0E9B B6D1
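
The capture comparison David Newman suggests and the bandwidth-delay product Klaus mentions, worked through as an added example that is not part of the thread. It assumes `tcpdump -n` text output filtered to a single connection and taken on the downloading host, so the SYN/SYN-ACK pair is present; the capture lines and addresses are constructed for illustration and are not measurements from the posters' systems.

```python
import re
from datetime import datetime

# Constructed tcpdump text output taken on the downloading host (not captures
# from the thread). 192.0.2.10 is the client, 198.51.100.5 the mirror.
LINUX_CAPTURE = """
12:00:00.000000 IP 192.0.2.10.40000 > 198.51.100.5.80: Flags [S], seq 100, win 5840, options [mss 1460,nop,wscale 2], length 0
12:00:00.020000 IP 198.51.100.5.80 > 192.0.2.10.40000: Flags [S.], seq 900, ack 101, win 5792, options [mss 1460,nop,wscale 7], length 0
12:00:00.520000 IP 192.0.2.10.40000 > 198.51.100.5.80: Flags [.], ack 700001, win 12500, length 0
"""
# Same constructed flow with a larger advertised window, standing in for the firewall.
FIREWALL_CAPTURE = LINUX_CAPTURE.replace("win 12500", "win 37500")

LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > \S+: "
                  r"Flags \[(?P<flags>[^\]]+)\].*?\bwin (?P<win>\d+)(?P<rest>.*)$")

def analyze(capture_text):
    """Return ({sender: largest advertised window in bytes}, handshake RTT in s)."""
    wscale, max_win, syn_ts, rtt = {}, {}, None, None
    for line in capture_text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        src, flags, win = m["src"], m["flags"], int(m["win"])
        if "S" in flags:
            # Scale factor appears only on SYN/SYN-ACK; their own window is unscaled.
            ws = re.search(r"wscale (\d+)", m["rest"])
            wscale[src] = int(ws.group(1)) if ws else None
            if flags == "S":
                syn_ts = ts
            elif syn_ts is not None and rtt is None:
                rtt = (ts - syn_ts).total_seconds()
            continue
        # tcpdump prints the raw 16-bit field; scaling is in effect only when
        # both ends offered the option (RFC 7323).
        both = len(wscale) == 2 and None not in wscale.values()
        shift = wscale.get(src, 0) if both else 0
        max_win[src] = max(max_win.get(src, 0), win << shift)
    return max_win, rtt

def ceiling_mbps(window_bytes, rtt_seconds):
    """One stream can have at most one receive window in flight per round trip."""
    return window_bytes * 8 / rtt_seconds / 1e6

if __name__ == "__main__":
    for name, cap in (("linux", LINUX_CAPTURE), ("firewall", FIREWALL_CAPTURE)):
        wins, rtt = analyze(cap)
        for host, win in wins.items():
            print(f"{name}: {host} window={win} B rtt={rtt*1000:.0f} ms ceiling={ceiling_mbps(win, rtt):.1f} Mbit/s")
```

A per-stream ceiling well below the link rate, together with full rate across several parallel streams, points at the receive window rather than at the firewall's forwarding path.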





Re: [pfSense Support] Re: Less bandwidth available behind the firewall

2010-01-13 Thread Gary Buckmaster

Klaus Lichtenwalder wrote:

On Wednesday, 13.01.2010, at 11:14 -0500, Ugo Bellavance wrote:
[...]
  

## Linux box

net.ipv4.tcp_tso_win_divisor = 3
net.ipv4.tcp_adv_win_scale = 2
net.ipv4.tcp_app_win = 31
net.ipv4.tcp_window_scaling = 1

net.core.rmem_default = 107520
net.core.wmem_default = 107520
net.core.rmem_max = 131071
net.core.wmem_max = 131071



[...]

Sorry, I'm not a BSD guy, but the Linux memory values seem somewhat low.
How much RAM do you have in that box? These values and the following
could be set somewhat more generous, depending on available RAM and BDP
(bandwidth delay product)

net.ipv4.tcp_mem=311904 415872  623808
net.ipv4.tcp_wmem= 4096 16384   4194304
net.ipv4.tcp_rmem= 4096 87380   4194304

Klaus

  
Point of note: you're running pfSense 1.2.2 and the current release is 
1.2.3.  Before tinkering with the underlying system, it might be helpful 
to upgrade to the latest stable version and see if the operating system 
and upgraded drivers give you any relief. 


Gary







[pfSense Support] Re: Less bandwidth available behind the firewall

2010-01-12 Thread Ugo Bellavance

On 2010-01-12 23:56, Chris Buechler wrote:

On Tue, Jan 12, 2010 at 11:50 PM, Ugo Bellavance u...@lubik.ca wrote:

Hi,

I'm running pfsense 1.2.2 on a pentium 4, 3.0 ghz, 1 GB RAM.  HDD install.

When I start a download from a nearby centos mirror, directly from the
firewall (using fetch), I get the full bandwidth available from my ISP (60
mbps).  However, if I try to download the same file from the same server,
but from a linux server behind the firewall, using wget, I only get about 20
mbps.  If I start multiple downloads, I can reach 60mbps. Is there an
explanation?



Probably a TCP window difference of some sort between FreeBSD and your
Linux box.


How would I check that?

Thanks,

ugo






Re: [pfSense Support] Re: Less bandwidth available behind the firewall

2010-01-12 Thread David Newman
On 1/12/10 9:51 PM, Ugo Bellavance wrote:
 On 2010-01-12 23:56, Chris Buechler wrote:
 On Tue, Jan 12, 2010 at 11:50 PM, Ugo Bellavance u...@lubik.ca wrote:
 Hi,

 I'm running pfsense 1.2.2 on a pentium 4, 3.0 ghz, 1 GB RAM.  HDD
 install.

 When I start a download from a nearby centos mirror, directly from the
 firewall (using fetch), I get the full bandwidth available from my ISP
 (60 mbps).  However, if I try to download the same file from the same
 server, but from a linux server behind the firewall, using wget, I only
 get about 20 mbps.  If I start multiple downloads, I can reach 60mbps.
 Is there an explanation?


 Probably a TCP window difference of some sort between FreeBSD and your
 Linux box.
 
 How would I check that?

Run tcpdump to capture traffic from both types of transfers (from the
firewall and behind the firewall). Then examine the captures to compare
the TCP receive window sizes during the transfers.

dn


 
 Thanks,
 
 ugo
 
 
 
 

