Date: Mon, 07 Mar 2005 22:08:06 -0700 From: "Stephane Raimbault" <segr@hotmail.com> To: segr@hotmail.com, max@love2party.net, freebsd-pf@freebsd.org Subject: Re: nat / rdr timeouts? Message-ID: <BAY24-F172E3C533F1668FAB19DEECC500@phx.gbl> In-Reply-To: <BAY24-F66017610A1B43B8776007CC500@phx.gbl>
next in thread | previous in thread | raw e-mail | index | archive | help
Okay, a bit of a Summary. I was originally running ab on a 4.9 system... however, it seems like there was a problem with that as mentioned by Max. I ran ab from a 5.2.1 system and didn't have any problems. I could rack up the connections till I ran up to 10K states since that limit is set to that. so no problem there. I even cvsup'd back to 5.3-RELEASE-p5 and still no problems. So there is no problem according to my benchmark test.... This still goes back to why I originally was doing this.... I'm currently running 4.9 + natd doing something similar with port 80. I have no problems, however load on the box is quite a bit more then I like. 5.3 + pf seems to be the solution as the load is much lower during my testing... Some time ago I had tried 5.3 + pf in the production environment, however a few users were getting time outs to port 80... and it seemed like these few were behind corportate firewalls, where a few users were accessing the site at the same time from behind the same IP. This led me to my ab test which "seemed" to duplicate the problem. I'm at a loss now... the only thing I can think of is testing 5.3+pf in the production environment and see what happens... does anyone have any thoughts? Thanks, Stephane. >From: "Stephane Raimbault" <segr@hotmail.com> >To: max@love2party.net, freebsd-pf@freebsd.org >Subject: Re: nat / rdr timeouts? >Date: Mon, 07 Mar 2005 20:02:09 -0700 > > > >>From: Max Laier <max@love2party.net> >>To: freebsd-pf@freebsd.org >>CC: "Stephane Raimbault" <segr@hotmail.com>, daniel@benzedrine.cx >>Subject: Re: nat / rdr timeouts? >>Date: Tue, 8 Mar 2005 01:52:05 +0100 >> >>On Tuesday 08 March 2005 01:28, Stephane Raimbault wrote: >> > Okay, I setup an OpenBSD 3.6 box with pf today as a test and I can not >> > replicate the problem with OpenBSD. >> > >> > In fact, running the ab test returned MUCH beter results in terms of >>times >> > to return the page and according to top the cpu barely budged when >>running >> > the test on the openbsd pf box. However running top on the freebsd pf >>box >> > I clearly see a spike in cpu traffic as the cpu idle drops to 0% for a >> > second. >> > >> > >> > I'm currently running RELENG_5 on the freebsd box from this weekend... >>are >> > there some debugging stuff turned on in the kernel that would explain >>the >> > performance diffrence? >> > >> > I tried to replicate the test as closely as possible however there are >>some >> > subtle diffrences in my test. >> > >> > OpenBSD test >> > >> > PowerBook laptop (running ab) to an IP on the local network (openbsd >>ext >> > interface (vlan0)) thru to the same openbsd box int interface (vlan1) >>to >> > the web servers (10.0.11.16 and 10.0.11.17). >> > >> > FreeBSD Test >> > >> > IBM server running freebsd (ab) to an IP on it's local network (freebsd >>ext >> > interface (em0) thru to the same freebsd box int interface (em1) to the >>web >> > severs (10.0.11.16 and 10.0.11.17). >> > >> > network wise it should be pretty much the same. The only thing that >>came >> > to mind, maybe it's because the powerbook is a better box then the IBM >> > server running freebsd ? but then seeing the CPU idle time and >>comparing >> > the Freebsd +pf and the OpenBSD +pf being so diffrent... I ponder my >> > question. >> > >> > >> > Hope this makes sense. Let me know if there is any other data I can >> > provide ? >> >>I don't fully understand how your setup looks like. Where are you running >>ab >>from? Is there a dedicated box you run it on or are you running it >>on/from >>the redirecting box itself? Could you get the following setup realized: >> >> /----- OpenBSD ----\ WWW_1 >> | | / WWW_2 >>ab Client ---+ +-----+- ... >> | | \ WWW_N >> \----- FreeBSD ----/ >> > >I don't know why I didn't setup my test like this in the first place... it >was pretty easy for me to set this up... Anyhow I've set this up now. > >And now that I have re run the tests... may I say "ARGH!" :) > >So yes... same problem when running the test on the OpenBSD + pf then I was >getting on the FreeBSD + pf. But so what does this mean... I'm hitting a >bug on my FreeBSD box I'm running the ab test from? > >>It does not matter (too much) how the gateways are connected to the client >>and >>the servers, what matters is that the client and the servers are the same >>for >>both tests. I suspect that (if you were running ab from the FreeBSD >>server) >>you discovered a bug in FreeBSD's socket/tcp code much rather than in pf. >>Please let me know if I misunderstood something and explain your test >>setup >>with a bit more detail. >> >>Thanks a lot in advance. >> >><snipp - it is linewarpping as hell, anyway> >> >>-- >>/"\ Best regards, | mlaier@freebsd.org >>\ / Max Laier | ICQ #67774661 >> X http://pf4freebsd.love2party.net/ | mlaier@EFnet >>/ \ ASCII Ribbon Campaign | Against HTML Mail and News >><< attach3 >> > >_________________________________________________________________ >Don't just Search. Find! http://search.sympatico.msn.ca/default.aspx The >new MSN Search! Check it out! > >_______________________________________________ >freebsd-pf@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-pf >To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" _________________________________________________________________ Take charge with a pop-up guard built on patented Microsoft® SmartScreen Technology http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines Start enjoying all the benefits of MSN® Premium right now and get the first two months FREE*.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BAY24-F172E3C533F1668FAB19DEECC500>