From: "seanrees@gmail.com"
To: freebsd-questions@freebsd.org
Date: Mon, 7 Apr 2014 13:57:35 +0100
Subject: FreeBSD 10-R, Xen 4.1 guest, pf/NAT performance question

Hi there freebsd-questions,

I've been batting my head against this problem for a few days now and not having much progress, so I'm hoping to get pointers at what to look at next.

I've got a FreeBSD 10-R guest in Xen 4.1 (I am just a customer of the Xen provider; I don't run the Xen hypervisor myself). I use this instance to terminate a VPN, for which I also NAT VPN clients with PF.

I am seeing unusually slow packet forwarding performance: 0.5mbit internet -> vpn client, 2.0 mbit vpn client -> internet. (the numbers should be closer to 10mbit/5mbit).

This guest is a duplicate of another Xen instance I have in another data centre. I manage the configurations and packages centrally and aside from IP address differences, the machines are configured identically. The differences: it's 30ms closer to me and runs in Xen 3.4. I see performance from this machine in the 10mbps range.

I've eliminated the obvious:

- The problem VPS is fine network wise; can download tarballs from the Internet at 100mbps.
- VPS -> Home is fine; can download at ~10mbps; the problem is isolated to forwarding Home -> VPS -> Internet and back.
- I excluded OpenVPN as the cause by replicating the setup with ssh -w; same performance.
- SSH port forwarding (ssh -L) is fast; indicating to me the issue is somewhere in the PF/kernel.
- I checked TCP options by capturing traffic at varying points; these seem fine. I see a good deal of TCP retransmits but the window sizes stay the same.

Any thoughts on what to check next?

Thanks,
Sean