From owner-freebsd-pf@FreeBSD.ORG Mon May 9 19:16:29 2005
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 652C816A4EB for ; Mon, 9 May 2005 19:16:29 +0000 (GMT)
Received: from gwmail1.grupos.com.br (gwmail1.grupos.com.br [66.90.64.125]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6778F43DAC for ; Mon, 9 May 2005 19:16:28 +0000 (GMT) (envelope-from marcus@corp.grupos.com.br)
Received: from corp.grupos.com.br (unknown [150.162.166.55]) by gwmail1.grupos.com.br (Postfix) with ESMTP id 3963E3C15D for ; Mon, 9 May 2005 16:16:27 -0300 (BRT)
Received: from [150.162.166.51] (noc.grupos.com.br [150.162.166.51]) by corp.grupos.com.br (Postfix) with ESMTP id B8CA25581 for ; Mon, 9 May 2005 16:15:35 -0300 (BRT)
Message-ID: <427FB6D7.90208@corp.grupos.com.br>
Date: Mon, 09 May 2005 16:15:35 -0300
From: Marcus Grando
User-Agent: Mozilla Thunderbird 1.0+ (X11/20050502)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: pf is MPSAFE?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
X-List-Received-Date: Mon, 09 May 2005 19:16:29 -0000

Hi,

Is pf MPSAFE in 5.4-RELEASE? I changed from ipfilter to pf because ipfilter has a LOR in 5.4, but I don't know whether pf is MPSAFE.

Regards
--
Marcus Grando
Grupos Internet S/A
marcus(at)corp.grupos.com.br

From owner-freebsd-pf@FreeBSD.ORG Mon May 9 19:35:03 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Mon, 9 May 2005 21:34:34 +0200
In-Reply-To: <427FB6D7.90208@corp.grupos.com.br>
Message-Id: <200505092134.40941.max@love2party.net>
Subject: Re: pf is MPSAFE?

On Monday 09 May 2005 21:15, Marcus Grando wrote:
> Is pf MPSAFE in 5.4-RELEASE? I changed from ipfilter to pf because ipfilter
> has a LOR in 5.4, but I don't know whether pf is MPSAFE.

Yes.

There is one exception with user/group rules for udp/tcp connections originating from the gateway itself, though. This is described in the pf.conf(5) manual page's BUGS section. ipfilter does not have this feature at all, so this should not be a regression for you.

--
/"\  Best regards,                     | mlaier@freebsd.org
\ /  Max Laier                         | ICQ #67774661
 X   http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \  ASCII Ribbon Campaign             | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu May 12 16:24:41 2005
From: Christopher McGee
To: freebsd-pf@freebsd.org
Date: Thu, 12 May 2005 12:24:36 -0400
Message-ID: <42838344.4050608@xecu.net>
Subject: Pf in 4.11

The handbook states that pf is available through KAME in 4.11, and from my reading KAME is built into the system. How do you enable pf and altq on 4.x then? I have had trouble finding any how-tos on this, since everything for pf points to 5.x. I just can't justify running 5.x on a production firewall, though, unless the performance greatly improves over 5.3.

Chris

From owner-freebsd-pf@FreeBSD.ORG Thu May 12 16:30:43 2005
From: Richard Tector
To: Christopher McGee
Cc: freebsd-pf@freebsd.org
Date: Thu, 12 May 2005 17:30:25 +0100
Message-ID: <428384A1.80608@thekeelecentre.com>
In-Reply-To: <42838344.4050608@xecu.net>
Subject: Re: Pf in 4.11

Christopher McGee wrote:
> The handbook states that pf is available through KAME in 4.11, and from
> my reading KAME is built into the system. How do you enable pf and
> altq on 4.x then? I have had trouble finding any how-tos on this,
> since everything for pf points to 5.x. I just can't justify running
> 5.x on a production firewall, though, unless the performance greatly
> improves over 5.3.

I can push over 300Mbit of sustained TCP traffic through a Celeron 1.3 routing and firewalling with pf. It runs a 3-month-old RELENG_5.

What sort of performance issues are you seeing that are stopping you from moving to 5.x?

Regards,

Richard Tector

From owner-freebsd-pf@FreeBSD.ORG Thu May 12 16:41:44 2005
From: Eric Masson
To: Christopher McGee
Cc: freebsd-pf@freebsd.org
Date: Thu, 12 May 2005 18:41:37 +0200
Message-ID: <86psvwjt1a.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <42838344.4050608@xecu.net> (Christopher McGee's message of "Thu, 12 May 2005 12:24:36 -0400")
X-Operating-System: FreeBSD 5.4-RELEASE i386
Subject: Re: Pf in 4.11

Christopher McGee writes:

Hi,

> The handbook states that pf is available through KAME in 4.11, and from
> my reading KAME is built into the system. How do you enable pf and altq
> on 4.x then? I have had trouble finding any how-tos on this, since
> everything for pf points to 5.x. I just can't justify running 5.x on a
> production firewall, though, unless the performance greatly improves over
> 5.3.

Take a look at http://www.kame.net/snap-users/ but, IIRC, FreeBSD 4 support has recently been dropped. KAME snap kits are experimental material; your mileage may vary.

Éric Masson
--
S> I am also looking for addresses of places containing fossils in
S> the Paris region
http://www.senat.fr/
-+- DP in : La dianurette et les fossiles -+-

From owner-freebsd-pf@FreeBSD.ORG Thu May 12 17:17:31 2005
From: Christopher McGee
To: Richard Tector
Cc: freebsd-pf@freebsd.org
Date: Thu, 12 May 2005 13:17:28 -0400
Message-ID: <42838FA8.9080704@xecu.net>
In-Reply-To: <428384A1.80608@thekeelecentre.com>
Subject: Re: Pf in 4.11

Richard Tector wrote:
> I can push over 300Mbit of sustained TCP traffic through a Celeron 1.3
> routing and firewalling with pf. It runs a 3-month-old RELENG_5.
> What sort of performance issues are you seeing that are stopping you
> from moving to 5.x?
>
> Regards,
>
> Richard Tector

When queue1 starts pushing its maximum bandwidth, queue0 (the default) seems to choke and services become unavailable from the outside. I cut back queue1 by about 7 Mbit/s and it has cleared it up for the most part, though not completely.

Here's what I think is the relevant info; let me know if you need anything else.

The box:
  CPU: Intel(R) Pentium(R) 4 CPU 2.00GHz (1999.78-MHz 686-class CPU)
  real memory  = 1071906816 (1022 MB)
  avail memory = 1039392768 (991 MB)
  fxp0-6; only 0 and 1 are being used, the others are for future projects, like pfsync and some DMZ-type stuff.

pf configuration:
  set limit { states 100000, frags 5000 }
  set loginterface $ext_if
  set block-policy drop
  (all other options are default)

queue configuration:
  altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
  queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
  queue queue1 bandwidth 12Mb qlimit 5000

The additional bandwidth that is not included in the queues should be added to queue1, but when that is done, it causes problems. At high traffic times, queue1 will use ALL of its bandwidth and queue0 usually only uses 3-5 megs.

There is no NAT or anything running on this firewall; public IP addresses outside and inside. I would rather not revert to 4.x if possible, but I can't have this machine unstable.
Thanks,
Chris

From owner-freebsd-pf@FreeBSD.ORG Thu May 12 18:16:47 2005
From: "Chris Dionissopoulos"
To: "Christopher McGee", "Richard Tector"
Cc: freebsd-pf@freebsd.org
Date: Thu, 12 May 2005 21:16:07 +0300
Message-ID: <00b401c5571e$b0f46810$0100000a@R3B>
References: <42838344.4050608@xecu.net> <428384A1.80608@thekeelecentre.com> <42838FA8.9080704@xecu.net>
Subject: Re: Pf in 4.11

My 2 cents:

1. 5000 qlimit packets is a HUGE value. This means that your buffer is 5000 x 1000 (avg. MTU) = 5 Mbytes. For a 20 Mbps queue speed, it takes 32000 ms (32 sec) to fill, and then altq is left to decide whether or not to add (0.1-500 ms) delays. Doesn't make sense, eh? Try a more reasonable value of 50 for speeds of 10-100 Mbps.

2. Try enabling red (or rio) in "queue1". This detects "queue1" congestion early and drops packets before the queue rate limit is reached.

Tell us if you get better 'queue0' behavior with these changes.

Chris.

> When queue1 starts pushing its maximum bandwidth, queue0 (the default)
> seems to choke and services become unavailable from the outside. I cut
> back queue1 by about 7 Mbit/s and it has cleared it up for the most
> part, though not completely. Here's what I think is the relevant info;
> let me know if you need anything else.
>
> The box:
> CPU: Intel(R) Pentium(R) 4 CPU 2.00GHz (1999.78-MHz 686-class CPU)
> real memory = 1071906816 (1022 MB)
> avail memory = 1039392768 (991 MB)
> fxp0-6; only 0 and 1 are being used, the others are for future
> projects, like pfsync and some DMZ-type stuff.
>
> pf configuration:
> set limit { states 100000, frags 5000 }
> set loginterface $ext_if
> set block-policy drop
> (all other options are default)
>
> queue configuration:
> altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
> queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
> queue queue1 bandwidth 12Mb qlimit 5000
> The additional bandwidth that is not included in the queues should be
> added to queue1, but when that is done, it causes problems. At high
> traffic times, queue1 will use ALL of its bandwidth and queue0 usually
> only uses 3-5 megs.
>
> There is no NAT or anything running on this firewall; public IP
> addresses outside and inside. I would rather not revert to 4.x if
> possible, but I can't have this machine unstable.
>
> Thanks,
> Chris

____________________________________________________________________
http://www.freemail.gr - free e-mail service.
http://www.freemail.gr - free email service for the Greek-speaking.

From owner-freebsd-pf@FreeBSD.ORG Thu May 12 18:20:38 2005
From: "Greg Hennessy"
Date: Thu, 12 May 2005 19:20:24 +0100
In-Reply-To: <42838FA8.9080704@xecu.net>
Message-Id: <20050512182025.4E5BA2C@gw2.local.net>
Subject: RE: Pf in 4.11

I assume this is internet facing? If so, do you really have a 25 megabit full duplex pipe to the net?

You don't appear to have implemented any form of ACK prioritisation:

http://www.benzedrine.cx/ackpri.html

It's not optional when running links flat out.

PRIQ/CBQ are not exactly precision instruments when it comes to packet shaping; HFSC is better IMHO.

On a side note, I've recently rolled out a 3.4 GHz Xeon running 5.4 for a customer and it iperfed under soak test @ ~800 megabits/sec through a pair of em.

25 megabits wouldn't tax one of the P2-350s I have here as crash and burn test servers.

Greg

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Christopher McGee
> Sent: 12 May 2005 18:17
> To: Richard Tector
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Pf in 4.11
>
> When queue1 starts pushing its maximum bandwidth, queue0 (the
> default) seems to choke and services become unavailable from
> the outside. I cut back queue1 by about 7 Mbit/s and it has
> cleared it up for the most part, though not completely.
> Here's what I think is the relevant info; let me know if you
> need anything else.
>
> The box:
> CPU: Intel(R) Pentium(R) 4 CPU 2.00GHz (1999.78-MHz 686-class
> CPU) real memory = 1071906816 (1022 MB) avail memory =
> 1039392768 (991 MB) fxp0-6; only 0 and 1 are being used, the
> others are for future projects, like pfsync and some DMZ-type stuff.
>
> pf configuration:
> set limit { states 100000, frags 5000 }
> set loginterface $ext_if
> set block-policy drop
> (all other options are default)
>
> queue configuration:
> altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
> queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
> queue queue1 bandwidth 12Mb qlimit 5000
> The additional bandwidth that is not included in the queues
> should be added to queue1, but when that is done, it causes
> problems. At high traffic times, queue1 will use ALL of its
> bandwidth and queue0 usually only uses 3-5 megs.
>
> There is no NAT or anything running on this firewall; public
> IP addresses outside and inside. I would rather not revert
> to 4.x if possible, but I can't have this machine unstable.
>
> Thanks,
> Chris

From owner-freebsd-pf@FreeBSD.ORG Thu May 12 18:35:26 2005
From: Christopher McGee
To: Chris Dionissopoulos
Cc: freebsd-pf@freebsd.org
Date: Thu, 12 May 2005 14:35:24 -0400
Message-ID: <4283A1EC.7080002@xecu.net>
In-Reply-To: <00b401c5571e$b0f46810$0100000a@R3B>
Subject: Re: Pf in 4.11

Chris Dionissopoulos wrote:
> My 2 cents:
>
> 1. 5000 qlimit packets is a HUGE value. This means that your buffer
> is 5000 x 1000 (avg. MTU) = 5 Mbytes. For a 20 Mbps queue speed, it
> takes 32000 ms (32 sec) to fill, and then altq is left to decide
> whether or not to add (0.1-500 ms) delays. Doesn't make sense, eh?
> Try a more reasonable value of 50 for speeds of 10-100 Mbps.
>
> 2. Try enabling red (or rio) in "queue1". This detects "queue1"
> congestion early and drops packets before the queue rate limit is
> reached.
>
> Tell us if you get better 'queue0' behavior with these changes.
>
> Chris.

The reason the queue size was changed was because the queue was getting filled very quickly and there were TONS of dropped packets. I will try RED and see if it gives me better results. I'll let you know.
From owner-freebsd-pf@FreeBSD.ORG Thu May 12 18:39:54 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5184C16A4CE for ; Thu, 12 May 2005 18:39:54 +0000 (GMT) Received: from mss1.myactv.net (mss1.myactv.net [24.89.0.26]) by mx1.FreeBSD.org (Postfix) with SMTP id CB0E843D79 for ; Thu, 12 May 2005 18:39:53 +0000 (GMT) (envelope-from chris@xecu.net) Received: (qmail 31813 invoked from network); 12 May 2005 18:39:53 -0000 Received: from dyn-153-112-163.myactv.net (HELO ?127.0.0.1?) (24.153.112.163) by new.mss1.myactv.net with SMTP; 12 May 2005 18:39:53 -0000 Message-ID: <4283A2F9.4060305@xecu.net> Date: Thu, 12 May 2005 14:39:53 -0400 From: Christopher McGee User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Greg Hennessy References: <20050512182025.4E5BA2C@gw2.local.net> In-Reply-To: <20050512182025.4E5BA2C@gw2.local.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-pf@freebsd.org Subject: Re: Pf in 4.11 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 May 2005 18:39:54 -0000 Greg Hennessy wrote: >I assume this is internet facing ? If so, do you really have a 25 megabit >full duplex pipe to the net ? > >You don't appear to have implemented any form of ACK prioritisation, > >http://www.benzedrine.cx/ackpri.html > >Its not optional when running links flat out. > >PRIQ/CBQ are not exactly precision instruments when it comes to packet >shaping, HFSC is better IMHO. > >On a side note, I've recently rolled out a 3.4 ghz xeon running 5.4 for a >customer and it iperfed under soak test @ ~800 megabits/sec through a pair >of em. 
> >25 megabits wouldn't tax one of P2-350s I have here as crash and burn test >servers. > > >Greg > > > > > > >>-----Original Message----- >>From: owner-freebsd-pf@freebsd.org >>[mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Christopher McGee >>Sent: 12 May 2005 18:17 >>To: Richard Tector >>Cc: freebsd-pf@freebsd.org >>Subject: Re: Pf in 4.11 >> >>Richard Tector wrote: >> >> >> >>>Christopher McGee wrote: >>> >>> >>> >>>>The handbook states that pf is available through KAME in 4.11 and >>>>from my reading Kame is build into the system. How do you >>>> >>>> >>enable pf >> >> >>>>and altq on 4.x then. I have had trouble finding any how-to's on >>>>this since everything for pf points to 5.x. I just can't justify >>>>running 5.x on a production firewall though unless the performance >>>>greatly improves over 5.3. >>>> >>>> >>>I can push over 300Mbit of sustained TCP traffic through a >>> >>> >>celeron 1.3 >> >> >>>routing and firewalling with pf. It runs a 3 month old >>> >>> >>RELENG_5 What >> >> >>>sort of performance issues are you seeing that are stopping >>> >>> >>you from >> >> >>>moving to 5.x? >>> >>>Regards, >>> >>>Richard Tector >>> >>> >>When queue1 starts pushing it's maximum bandwidth, queue0(the >>default) seems to choke and services become unavailable from >>the outside. I cut back queue1 by about 7 mbit/s and it has >>cleared it up for the most part. Not completely though. >>Here's what I think is the relevant info, let me know if you >>need anything else: >> >>The box: >>CPU: Intel(R) Pentium(R) 4 CPU 2.00GHz (1999.78-MHz 686-class >>CPU) real memory = 1071906816 (1022 MB) avail memory = >>1039392768 (991 MB) fxp0-6, only 0, and 1 are being used, the >>others are for future projects, like pfsync, and some dmz type stuff. 
>> >>pf configuration: >>set limit { states 100000, frags 5000 } >>set loginterface $ext_if >>set block-policy drop >>all other options are default >> >>queue configuration: >>altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 } >>queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, >>borrow) queue queue1 bandwidth 12Mb qlimit 5000 the >>additional bandwidth that is not included in the queues >>should be added to queue1 but when that is done, it causes >>problems. At high traffic times, queue will use ALL of its >>bandwidth and queue0 usually only uses 3-5megs. >> >>There is no nat or anything running on this firewall. Public >>IP addresses outside and inside. I would rather not revert >>to 4.x if possible but I can't have this machine unstable. >> >>Thanks, >>Chris >> >>_______________________________________________ >>freebsd-pf@freebsd.org mailing list >>http://lists.freebsd.org/mailman/listinfo/freebsd-pf >>To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >> >> >> >> > >_______________________________________________ >freebsd-pf@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-pf >To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > Yes, we do have a full 25meg full duplex pipe to the internet. There is no ACK prioritization because this was migrated from ipfw and dummynet and there was none with that setup either. Everything worked fine with that setup, we were just looking for some of the newer features, and unfortunately, we are close to going back to the old setup. As for the queuing method, i've read that cbq is a more refined/reliable than hfsc right now. Anyway, why would ACK prioritization be necessary on the pf/altq setup vs the ipfw/dummynet setup? 
Chris

From owner-freebsd-pf@FreeBSD.ORG Thu May 12 20:11:50 2005
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F01BA16A4CE for ; Thu, 12 May 2005 20:11:50 +0000 (GMT)
Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8370D43D68 for ; Thu, 12 May 2005 20:11:50 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net)
Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id 1F53525DB28 for ; Thu, 12 May 2005 21:11:46 +0100 (BST)
From: "Greg Hennessy"
To:
Date: Thu, 12 May 2005 21:11:37 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
In-Reply-To: <4283A2F9.4060305@xecu.net>
Thread-Index: AcVXJThOwlRFiJPtSx6OcXVHlBU81AACPJbw
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Message-Id: <20050512201137.8B79B28@gw2.local.net>
Subject: RE: Pf in 4.11
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 12 May 2005 20:11:51 -0000

> As for the queuing method, I've read that cbq is more
> refined/reliable than hfsc right now.

Can't say I've had reliability problems with HFSC.

It does require the sacrifice of several barnyard fowl to configure correctly, but I digress.

> Anyway, why would ACK
> prioritization be necessary on the pf/altq setup vs the
> ipfw/dummynet setup?

Never having had the pleasure of using dummynet/ipfw I couldn't possibly comment.

But I would always recommend configuring some form of ACKPRI on a congested link. Backoff will kill tcp traffic otherwise.
Greg

> Chris
>

From owner-freebsd-pf@FreeBSD.ORG Sat May 14 01:48:11 2005
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8B6F916A4CE for ; Sat, 14 May 2005 01:48:11 +0000 (GMT)
Received: from mss1.myactv.net (mss1.myactv.net [24.89.0.26]) by mx1.FreeBSD.org (Postfix) with SMTP id E9BD743D64 for ; Sat, 14 May 2005 01:48:10 +0000 (GMT) (envelope-from chris@xecu.net)
Received: (qmail 32114 invoked from network); 14 May 2005 01:48:10 -0000
Received: from dyn-153-112-163.myactv.net (HELO ?127.0.0.1?) (24.153.112.163) by new.mss1.myactv.net with SMTP; 14 May 2005 01:48:10 -0000
Message-ID: <428558D9.4090706@xecu.net>
Date: Fri, 13 May 2005 21:48:09 -0400
From: Christopher McGee
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
References: <20050512201137.8B79B28@gw2.local.net>
In-Reply-To: <20050512201137.8B79B28@gw2.local.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: Pf in 4.11
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 14 May 2005 01:48:11 -0000

Greg Hennessy wrote:
>
>>As for the queuing method, I've read that cbq is more
>>refined/reliable than hfsc right now.
>
>Can't say I've had reliability problems with HFSC.
>
>It does require the sacrifice of several barnyard fowl to configure
>correctly, but I digress.
>
>>Anyway, why would ACK
>>prioritization be necessary on the pf/altq setup vs the
>>ipfw/dummynet setup?
>
>Never having had the pleasure of using dummynet/ipfw I couldn't possibly
>comment.
>
>But I would always recommend configuring some form of ACKPRI on a congested
>link.
>Backoff will kill tcp traffic otherwise.
>
>Greg
>
>>Chris
>

The problem seems to be solved, although I will know for sure over the next couple days. I am now using my full pipe and everything seems to be working. I enabled RED on the big queue, queue1. I also set the default queue (queue0) to priority 7, and dropped the qlength back to default (50) on both queues. Everything seems to be flowing smoothly but I will probably do the ACK prioritization after I see how it runs like this for a day or 2. I don't like to make too many changes at one time. In essence, I think the default queue being set at high priority has the same effect, but I have to read a little more about it to ensure that is the case. Thank you everyone for your help on this. I really didn't want to have to switch back to 4.11 for this project.
Chris

From owner-freebsd-pf@FreeBSD.ORG Sat May 14 17:02:51 2005
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E2A9E16A4CE for ; Sat, 14 May 2005 17:02:50 +0000 (GMT)
Received: from iscan1.intra.oki.co.jp (okigate.oki.co.jp [202.226.91.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id D939D43D49 for ; Sat, 14 May 2005 17:02:49 +0000 (GMT) (envelope-from yamamoto436@oki.com)
Received: from aoi.bmc.oki.co.jp (localhost.localdomain [127.0.0.1]) by iscan1.intra.oki.co.jp (8.9.3/8.9.3) with SMTP id CAA22518 for ; Sun, 15 May 2005 02:02:48 +0900
Received: (qmail 8186 invoked from network); 15 May 2005 02:02:48 +0900
Received: from tulip.bmc.oki.co.jp (172.19.234.100) by aoi.bmc.oki.co.jp with SMTP; 15 May 2005 02:02:48 +0900
Received: from localhost (tulip [172.19.234.100]) by tulip.bmc.oki.co.jp (8.13.1/8.12.11) with ESMTP id j4EH2lJo013119; Sun, 15 May 2005 02:02:48 +0900 (JST) (envelope-from yamamoto436@oki.com)
Date: Sun, 15 May 2005 02:02:47 +0900 (JST)
Message-Id: <20050515.020247.104108009.yamamoto436@oki.com>
To: max@love2party.net
From: Hideki Yamamoto
In-Reply-To: <200504200112.41260.max@love2party.net>
References: <200504200112.41260.max@love2party.net>
X-Mailer: Mew version 3.3 on Emacs 21.2 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: freebsd-net@freebsd.org
cc: freebsd-pf@freebsd.org
Subject: Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 14 May 2005 17:02:51 -0000

Dear Mr. Max;

Thank you for your efforts!! I am expecting full bridge function on FreeBSD 5 as OpenBSD 3.5 or later.
Last year I tested FreeBSD, NetBSD, and OpenBSD for bridging IPv6 packets over an IPv4 tunnel with bridge. Though only OpenBSD supported the above function, it is not stable. A kernel panic happens whenever we type the reboot command, or the booting process sometimes stops when checking USB devices. I hope the FreeBSD pf port supports the full function of bridge.

Thanks in advance.

From: Max Laier
Subject: New PF (OpenBSD 3.7 ***ALPHA-preview***)
Date: Wed, 20 Apr 2005 01:12:30 +0200
Message-ID: <200504200112.41260.max@love2party.net>

> All,
>
> at:
> http://people.freebsd.org/~mlaier/pf37/
>
> you will find the first shot at the long awaited import of a new version of
> pf. This is level with what is likely to be shipped as OpenBSD 3.7 and
> includes *most* of the features. Some are not yet implemented:
>
> - Filtering on route labels (we don't have any).
> - Return-rst on IP-less bridges (bridge support is still behind; There is
> work ongoing to improve this as well, though.).
> - Congestion prevention/graceful comeback (subject to future work).
>
> There are, however, some highlights that came with OpenBSD 3.6 and will be
> coming with OpenBSD 3.7 (from the OpenBSD release notes):
>
> + pfctl(8) now provides a rules optimizer to help improve filtering speed.
> + pf now supports nested anchors.
> + Support limiting TCP connections by establishment rate, automatically
> adding flooding IP addresses to tables and flushing states
> (max-src-conn-rate, overload , flush global).
> + Improved functionality of tags (tag and tagged for translation rules,
> tagging of all packets matching state entries).
> + Improved diagnostics (error messages and additional counters from
> pfctl -si).
> + New keyword set skip on to skip filtering on arbitrary interfaces, like
> loopback.
> + Several bugfixes improving stability.
>
> This import is in a very early stage and you should keep this in mind!
>
> However, it should build and boot just fine. I have done some basic tests to
> weed out the common problems seen during the last imports, but didn't do
> extensive testing yet. If you are in a position where you can test this, I
> am looking forward to getting your feedback!
>
> Updates will be posted to the freebsd-pf mailing list. Thanks.
>
> --
> /"\ Best regards, | mlaier@freebsd.org
> \ / Max Laier | ICQ #67774661
> X http://pf4freebsd.love2party.net/ | mlaier@EFnet
> / \ ASCII Ribbon Campaign | Against HTML Mail and News

-----------------------------------------------------------------
Hideki YAMAMOTO | Broadband Media Solutions Department | E-mail: yamamoto436@oki.com
Broadband Media Company | Tel: +81-48-420-7012
Oki Electric Industry Co., Ltd. | FAX: +81-48-420-7016
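Two pf.conf techniques come up on this page without anyone posting a full rule set: the ACK prioritization Greg recommends for Chris's congested 25Mb cbq link (together with the RED and default-queue-priority changes Chris reports), and the max-src-conn-rate / overload / flush global feature from the OpenBSD 3.7 notes that Max's announcement quotes. The fragment below writes both out in one file. It is an added example, not a configuration from any message in these threads; the bandwidth figures and the set options follow Chris's posted config, while the interface name fxp0, the server network 192.0.2.0/24, the service ports, the queue names q_ack, q_def and q_bulk, the table name flooders and the rate 100/10 are assumptions made for the illustration.

```pf
# Added example (not from the thread): cbq shaping with a separate ACK queue,
# plus a per-source connection-rate limit feeding an overload table.
# Interface, network, ports, queue/table names and the numbers are assumed.
ext_if   = "fxp0"
srv_net  = "192.0.2.0/24"      # public servers behind the firewall (assumed)
services = "{ 25, 80, 443 }"   # assumed service ports

set limit { states 100000, frags 5000 }
set loginterface $ext_if
set block-policy drop

# Sources that exceed the connection rate below are added here by pf itself.
# "persist" keeps the table around even if no rule currently references it.
table <flooders> persist

# Parent discipline: the full 25Mb pipe split into three child queues whose
# bandwidths add up to the parent (cbq requires the children not to exceed it).
altq on $ext_if bandwidth 25Mb cbq queue { q_ack, q_def, q_bulk }

# ACKs and ToS lowdelay packets: highest cbq priority (7), small share, may
# borrow. Keeping ACKs flowing while the link is full stops the remote senders
# from backing off, which is the effect Greg warns about.
queue q_ack  bandwidth 2Mb  priority 7 cbq(borrow)

# Default queue (Chris's queue0), placed above bulk so the public services
# are not starved when the bulk queue runs at its ceiling.
queue q_def  bandwidth 8Mb  priority 5 cbq(default, borrow)

# Bulk queue (Chris's queue1). RED drops a few packets early rather than
# letting the queue fill up to qlimit; Chris reports this smoothed things out.
queue q_bulk bandwidth 15Mb priority 1 cbq(borrow, red)

# Anything already identified as a flooder is dropped before state lookup.
block in quick on $ext_if from <flooders> to any

# Outbound bulk traffic from the inside. When two queues are given, pure ACKs
# and ToS lowdelay packets go to the second one, everything else to the first.
pass out on $ext_if proto tcp from $ext_if:network to any flags S/SA \
     keep state queue (q_bulk, q_ack)

# Inbound connections to the public servers. The queue assignment applies to
# the packets of this state that leave $ext_if, i.e. the server replies.
# More than 100 new connections from one source within 10 seconds puts that
# source into <flooders> and flushes all of its existing states (flush global).
pass in on $ext_if proto tcp from any to $srv_net port $services flags S/SA \
     keep state (max-src-conn-rate 100/10, overload <flooders> flush global) \
     queue (q_def, q_ack)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the `-n` flag parses without applying. Once loaded, `pfctl -vsq` shows per-queue packet and drop counters, which is the quickest way to see whether q_ack is actually receiving the ACK traffic and whether RED is dropping on q_bulk, and `pfctl -t flooders -T show` lists any source the rate limit has caught. The 100/10 threshold is a placeholder; a real value has to be set from the observed connection rate of the site's own servers so that legitimate clients behind large NATs are not swept into the table.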