From: "Stephane Raimbault"
To: segr@hotmail.com, max@love2party.net, freebsd-pf@freebsd.org
Date: Mon, 07 Mar 2005 22:08:06 -0700
Subject: Re: nat / rdr timeouts?
List-Id: Technical discussion and general questions about packet filter (pf)

Okay, a bit of a Summary.

I was originally running ab on a 4.9 system... however, it seems like
there was a problem with that as mentioned by Max. I ran ab from a 5.2.1
system and didn't have any problems. I could rack up the connections till
I ran up to 10K states since that limit is set to that. So no problem
there. I even cvsup'd back to 5.3-RELEASE-p5 and still no problems.

So there is no problem according to my benchmark test....

This still goes back to why I originally was doing this.... I'm currently
running 4.9 + natd doing something similar with port 80.
I have no problems, however load on the box is quite a bit more than I
like. 5.3 + pf seems to be the solution as the load is much lower during
my testing...

Some time ago I had tried 5.3 + pf in the production environment, however
a few users were getting timeouts to port 80... and it seemed like these
few were behind corporate firewalls, where a few users were accessing the
site at the same time from behind the same IP. This led me to my ab test
which "seemed" to duplicate the problem.

I'm at a loss now... the only thing I can think of is testing 5.3+pf in
the production environment and see what happens... does anyone have any
thoughts?

Thanks,
Stephane.

>From: "Stephane Raimbault"
>To: max@love2party.net, freebsd-pf@freebsd.org
>Subject: Re: nat / rdr timeouts?
>Date: Mon, 07 Mar 2005 20:02:09 -0700
>
>>From: Max Laier
>>To: freebsd-pf@freebsd.org
>>CC: "Stephane Raimbault", daniel@benzedrine.cx
>>Subject: Re: nat / rdr timeouts?
>>Date: Tue, 8 Mar 2005 01:52:05 +0100
>>
>>On Tuesday 08 March 2005 01:28, Stephane Raimbault wrote:
>> > Okay, I set up an OpenBSD 3.6 box with pf today as a test and I can not
>> > replicate the problem with OpenBSD.
>> >
>> > In fact, running the ab test returned MUCH better results in terms of
>> > times to return the page and according to top the cpu barely budged when
>> > running the test on the openbsd pf box. However running top on the
>> > freebsd pf box I clearly see a spike in cpu traffic as the cpu idle
>> > drops to 0% for a second.
>> >
>> > I'm currently running RELENG_5 on the freebsd box from this weekend...
>> > is there some debugging stuff turned on in the kernel that would explain
>> > the performance difference?
>> >
>> > I tried to replicate the test as closely as possible however there are
>> > some subtle differences in my test.
>> >
>> > OpenBSD test
>> >
>> > PowerBook laptop (running ab) to an IP on the local network (openbsd ext
>> > interface (vlan0)) thru to the same openbsd box int interface (vlan1) to
>> > the web servers (10.0.11.16 and 10.0.11.17).
>> >
>> > FreeBSD Test
>> >
>> > IBM server running freebsd (ab) to an IP on its local network (freebsd
>> > ext interface (em0)) thru to the same freebsd box int interface (em1) to
>> > the web servers (10.0.11.16 and 10.0.11.17).
>> >
>> > Network wise it should be pretty much the same. The only thing that came
>> > to mind, maybe it's because the powerbook is a better box than the IBM
>> > server running freebsd? but then seeing the CPU idle time and comparing
>> > the Freebsd +pf and the OpenBSD +pf being so different... I ponder my
>> > question.
>> >
>> > Hope this makes sense. Let me know if there is any other data I can
>> > provide?
>>
>>I don't fully understand what your setup looks like. Where are you running
>>ab from? Is there a dedicated box you run it on or are you running it
>>on/from the redirecting box itself? Could you get the following setup
>>realized:
>>
>>               /----- OpenBSD ----\       WWW_1
>>               |                  |     / WWW_2
>>ab Client   ---+                  +-----+- ...
>>               |                  |     \ WWW_N
>>               \----- FreeBSD ----/
>>
>
>I don't know why I didn't set up my test like this in the first place... it
>was pretty easy for me to set this up... Anyhow I've set this up now.
>
>And now that I have rerun the tests... may I say "ARGH!" :)
>
>So yes... same problem when running the test on the OpenBSD + pf as I was
>getting on the FreeBSD + pf. But so what does this mean... I'm hitting a
>bug on my FreeBSD box I'm running the ab test from?
>
>>It does not matter (too much) how the gateways are connected to the client
>>and the servers, what matters is that the client and the servers are the
>>same for both tests. I suspect that (if you were running ab from the
>>FreeBSD server) you discovered a bug in FreeBSD's socket/tcp code much
>>rather than in pf.
>>Please let me know if I misunderstood something and explain your test
>>setup with a bit more detail.
>>
>>Thanks a lot in advance.
>>
>>--
>>/"\  Best regards,                      | mlaier@freebsd.org
>>\ /  Max Laier                          | ICQ #67774661
>> X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
>>/ \  ASCII Ribbon Campaign              | Against HTML Mail and News