Date: Thu, 12 May 2005 13:17:28 -0400
From: Christopher McGee <chris@xecu.net>
To: Richard Tector <richardtector@thekeelecentre.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Pf in 4.11
Message-ID: <42838FA8.9080704@xecu.net>
In-Reply-To: <428384A1.80608@thekeelecentre.com>
References: <42838344.4050608@xecu.net> <428384A1.80608@thekeelecentre.com>
Richard Tector wrote:
> Christopher McGee wrote:
>
>> The handbook states that pf is available through KAME in 4.11 and
>> from my reading KAME is built into the system. How do you enable pf
>> and altq on 4.x then? I have had trouble finding any how-to's on
>> this since everything for pf points to 5.x. I just can't justify
>> running 5.x on a production firewall though unless the performance
>> greatly improves over 5.3.
>
> I can push over 300Mbit of sustained TCP traffic through a Celeron 1.3
> routing and firewalling with pf. It runs a 3 month old RELENG_5.
> What sort of performance issues are you seeing that are stopping you
> from moving to 5.x?
>
> Regards,
>
> Richard Tector

When queue1 starts pushing its maximum bandwidth, queue0 (the default)
seems to choke and services become unavailable from the outside. I cut
back queue1 by about 7 Mbit/s and it has cleared it up for the most
part. Not completely, though. Here's what I think is the relevant info;
let me know if you need anything else.

The box:

  CPU: Intel(R) Pentium(R) 4 CPU 2.00GHz (1999.78-MHz 686-class CPU)
  real memory  = 1071906816 (1022 MB)
  avail memory = 1039392768 (991 MB)

fxp0-6; only fxp0 and fxp1 are being used. The others are for future
projects, like pfsync and some DMZ-type stuff.

pf configuration:

  set limit { states 100000, frags 5000 }
  set loginterface $ext_if
  set block-policy drop

All other options are default.

queue configuration:

  altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
  queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
  queue queue1 bandwidth 12Mb qlimit 5000

The additional bandwidth that is not included in the queues should be
added to queue1, but when that is done, it causes problems. At high
traffic times, queue1 will use ALL of its bandwidth and queue0 usually
only uses 3-5 megs. There is no NAT or anything running on this
firewall. Public IP addresses outside and inside.
I would rather not revert to 4.x if possible, but I can't have this
machine unstable.

Thanks,
Chris
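As an added example that is not part of the thread and not a tool that ships with pf: a small Python linter that does the bookkeeping pfctl performs when it loads an altq block (the children may not ask for more bandwidth than the parent, and there must be exactly one default queue) and then reports the things worth checking in a CBQ layout like the one posted above: how much parent bandwidth is left unassigned, which queues lack borrow and are therefore hard-capped at their own rate, and whether a child's qlimit is far larger than the default queue's. THREAD_CONF below is a copy of the posted queue block; the 10x qlimit threshold, the finding codes and the handling of percentage bandwidths are this example's own choices.

```python
"""Check the altq/queue lines of a pf.conf the way pfctl's loader does, plus
a few practitioner heuristics.  Hypothetical tool; not part of pf or the thread.
Syntax handled:   altq on IFACE bandwidth X SCHED queue { a, b }
                  queue NAME bandwidth X [priority N] [qlimit N] [SCHED(flag, ...)]
Units follow pf.conf(5): b, Kb, Mb, Gb are bits/s; NN% is a share of the parent."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_UNIT = {"b": 1, "kb": 10**3, "mb": 10**6, "gb": 10**9}
QLIMIT_SKEW = 10  # heuristic: flag a child whose qlimit is >10x the default queue's


@dataclass
class Queue:
    name: str
    bw: int
    priority: int = 1   # ALTQ default for cbq/priq (0..7, 7 is highest)
    qlimit: int = 50    # ALTQ default queue length, in packets
    flags: List[str] = field(default_factory=list)


@dataclass
class Finding:
    code: str
    queue: Optional[str]
    msg: str


def parse_bw(tok: str, parent_bps: Optional[int] = None) -> int:
    """'25Mb' -> 25_000_000; '50%' -> half of parent_bps."""
    tok = tok.strip().lower()
    if tok.endswith("%"):
        if parent_bps is None:
            raise ValueError("percentage bandwidth needs a parent queue")
        return int(parent_bps * float(tok[:-1]) / 100)
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?b)", tok)
    if not m:
        raise ValueError(f"bad bandwidth {tok!r}")
    return int(float(m.group(1)) * _UNIT[m.group(2)])


def parse_altq(conf: str):
    """Return (parent, {name: Queue}) for the first altq block in conf."""
    parent, queues = None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("altq on "):
            m = re.match(r"altq on (\S+) bandwidth (\S+) (cbq|priq|hfsc) queue \{([^}]*)\}", line)
            if not m:
                raise ValueError(f"unparsed altq line: {line}")
            parent = {"iface": m.group(1), "bw": parse_bw(m.group(2)), "sched": m.group(3),
                      "children": [c.strip() for c in m.group(4).split(",") if c.strip()]}
        elif line.startswith("queue "):
            name = line.split()[1]
            bw = re.search(r"\bbandwidth (\S+)", line)
            pr = re.search(r"\bpriority (\d+)", line)
            ql = re.search(r"\bqlimit (\d+)", line)
            fl = re.search(r"\b(?:cbq|priq|hfsc)\(([^)]*)\)", line)
            q = Queue(name, parse_bw(bw.group(1), parent["bw"] if parent else None) if bw else 0)
            if pr:
                q.priority = int(pr.group(1))
            if ql:
                q.qlimit = int(ql.group(1))
            if fl:
                q.flags = [f.strip() for f in fl.group(1).split(",") if f.strip()]
            queues[name] = q
    if parent is None:
        raise ValueError("no altq line found")
    return parent, queues


def lint(conf: str) -> dict:
    parent, queues = parse_altq(conf)
    findings: List[Finding] = []
    for n in parent["children"]:
        if n not in queues:
            findings.append(Finding("undefined-queue", n, "named in altq but never defined"))
    children = [queues[n] for n in parent["children"] if n in queues]
    assigned = sum(q.bw for q in children)
    if assigned > parent["bw"]:  # pfctl refuses to load an overcommitted parent
        findings.append(Finding("overcommit", None,
                                f"children total {assigned} b/s > parent {parent['bw']} b/s"))
    defaults = [q for q in children if "default" in q.flags]
    if len(defaults) != 1:
        findings.append(Finding("default-queue", None,
                                f"need exactly one default queue, found {[q.name for q in defaults]}"))
    dflt = defaults[0] if defaults else None
    for q in children:
        if parent["sched"] == "cbq" and "borrow" not in q.flags:  # hard cap at own rate
            findings.append(Finding("no-borrow", q.name,
                                    f"capped at {q.bw} b/s; cannot use idle parent bandwidth"))
        if dflt and q is not dflt and q.qlimit > QLIMIT_SKEW * dflt.qlimit:
            findings.append(Finding("qlimit-skew", q.name,
                                    f"qlimit {q.qlimit} vs {dflt.qlimit} on default {dflt.name}"))
    return {"iface": parent["iface"], "sched": parent["sched"],
            "parent_bps": parent["bw"], "assigned_bps": assigned,
            "unassigned_bps": parent["bw"] - assigned,
            "default": dflt.name if dflt else None,
            "queues": {q.name: {"bps": q.bw, "priority": q.priority, "qlimit": q.qlimit,
                                "flags": q.flags} for q in children},
            "findings": findings}


# Copy of the queue block as posted in the thread (constructed input for this example).
THREAD_CONF = """
altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
queue queue1 bandwidth 12Mb qlimit 5000
"""
# The variant the poster says causes trouble: the spare 5Mb handed to queue1.
FILLED_CONF = THREAD_CONF.replace("12Mb", "17Mb")

if __name__ == "__main__":
    for label, conf in (("as posted", THREAD_CONF), ("spare given to queue1", FILLED_CONF)):
        r = lint(conf)
        print(f"{label}: parent={r['parent_bps']} assigned={r['assigned_bps']} "
              f"spare={r['unassigned_bps']} default={r['default']}")
        for f in r["findings"]:
            print(f"  [{f.code}] {f.queue or '-'}: {f.msg}")
```

Two things the output makes visible for the posted layout: queue1 has no borrow, so it is capped at its configured 12Mb whether or not the 5Mb left over on the parent is idle, and its qlimit of 5000 packets is more than thirty times queue0's 150. Keep in mind that an altq block on $ext_if shapes only traffic leaving that interface; on the real box, `pfctl -v -s queue` shows per-queue packet, byte and drop counters, which is where to look when queue0 appears to choke.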
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42838FA8.9080704>