Date:      Tue, 4 Oct 2016 13:02:38 +0200 (CEST)
From:      Trond Endrestøl <Trond.Endrestol@fagskolen.gjovik.no>
To:        Kristof Provost <kp@FreeBSD.org>
Cc:        FreeBSD questions <freebsd-questions@freebsd.org>
Subject:   Re: Best practice for virtualized pf based NAT router?
Message-ID:  <alpine.BSF.2.20.1610041259430.1040@mail.fig.ol.no>
In-Reply-To: <2962E958-6570-4991-AC20-2A5FF39CC39C@FreeBSD.org>
References:  <alpine.BSF.2.20.1610041115010.1040@mail.fig.ol.no> <2962E958-6570-4991-AC20-2A5FF39CC39C@FreeBSD.org>

On Tue, 4 Oct 2016 12:19+0200, Kristof Provost wrote:

> On 4 Oct 2016, at 11:39, Trond Endrestøl wrote:
> > I'm in the process of configuring a virtualized pf based NAT router.
> > The NAT router is supposed to be a supplement to our pool of public IPv4
> > addresses.
> > 
> > FreeBSD is stable/11, r306639. XenServer 7.0.0, with all known
> > updates, is the virtualization environment.
> > 
> > I'm using xn0 as the external interface, and xn1 as the internal
> > interface.
> > 
> > The xn0 interface has a /30 IPv4 address and a /64 IPv6 address.
> > The xn1 interface has a /20 IPv4 address (and a /64 IPv6 address for
> > symmetry).
> > 
> > I followed ch. 29.3.3.1 of the Handbook.
> > 
> > In theory all is well, but with iftop(8) (net-mgmt/iftop) I only see a
> > throughput of merely 1 Mbit/s, yes, that's one megabit per second.
> > 
> There have been issues with pf and checksums in Xen before. I believe that the
> version you’re running has all of the relevant fixes, but it’s worth trying to
> disable TSO and other features on the network interfaces anyway.
> 
> ifconfig xn0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso6 -tso4 -lro (and the same
> for xn1).

That made all the difference. Thank you.

> If that makes a difference I’d be very interested in both network captures and
> further debugging.

I'm pretty sure you meant if your proposed changes _don't_ make any 
difference, but if you want network captures, etc, I'm sure I can 
arrange it.

Thank you again.

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Trond Endrestøl" <Trond.Endrestol@fagskolen.gjovik.no>
Cc: "FreeBSD questions" <freebsd-questions@freebsd.org>
Subject: Re: Best practice for virtualized pf based NAT router?
Date: Tue, 04 Oct 2016 13:17:36 +0200
Message-ID: <43E11CD6-3B19-4807-A528-546D66C58962@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.20.1610041259430.1040@mail.fig.ol.no>
References: <alpine.BSF.2.20.1610041115010.1040@mail.fig.ol.no>
 <2962E958-6570-4991-AC20-2A5FF39CC39C@FreeBSD.org>
 <alpine.BSF.2.20.1610041259430.1040@mail.fig.ol.no>

On 4 Oct 2016, at 13:02, Trond Endrestøl wrote:
> On Tue, 4 Oct 2016 12:19+0200, Kristof Provost wrote:
>> ifconfig xn0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso6 -tso4 -lro (and the same
>> for xn1).
>
> That made all the difference. Thank you.
>
Bah. I was hoping I’d put that bug to rest.

>> If that makes a difference I’d be very interested in both network captures and
>> further debugging.
>
> I'm pretty sure you meant if your proposed changes _don't_ make any
> difference, but if you want network captures, etc, I'm sure I can
> arrange it.
>
No, I meant if this helped. It means that a bug I thought was fully 
fixed is still there.

The fix was done in r289316:

     pf: Fix TSO issues

     In certain configurations (mostly but not exclusively as a VM on Xen) pf
     produced packets with an invalid TCP checksum.

     The problem was that pf could only handle packets with a full checksum. The
     FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
     addresses, length and protocol).
     Certain network interfaces expect to see the pseudo-header checksum, so they
     end up producing packets with invalid checksums.

     To fix this stop calculating the full checksum and teach pf to only update TCP
     checksums if TSO is disabled or the change affects the pseudo-header checksum.

     PR:             154428, 193579, 198868
     Relnotes:       yes
     Sponsored by:   RootBSD


It’s great that you’ve got a workaround, but the problem should be 
completely gone, and it’s clearly not.

If you’re willing to spend a bit more time on this I’d like to dig 
into it a bit, and try to find out what I missed.

Let’s start by looking at the network capture (with the offloads 
turned back on, so we can reproduce the problem).
I expect we’ll see incorrect TCP checksums, which is the cause of your 
bad performance.

It’s slightly surprising that it only happens in the forwarding path, 
but at least that’s something to go on.

Regards,
Kristof
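
The commit message quoted above distinguishes a full TCP checksum from a pseudo-header checksum. The following C sketch is an added example, not part of the thread and not code from FreeBSD or pf: it classifies the checksum field of a TCP segment taken from a capture as a valid full checksum, a pseudo-header-only sum (offload never completed), or plainly wrong. The sample segment, the documentation-range addresses, the function names, and the convention that the pseudo-header sum is stored uncomplemented are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ck_state { CK_VALID, CK_PSEUDO_ONLY, CK_BAD };

/* Constructed sample: documentation-range addresses, 20-byte SYN, no payload. */
static const uint8_t SRC[4] = {192, 0, 2, 1}, DST[4] = {198, 51, 100, 2};
static uint8_t SEG[20] = {0x12,0x34, 0x00,0x50, 0,0,0,1, 0,0,0,0,
                          0x50,0x02, 0xff,0xff, 0x00,0x00, 0,0};

/* Add n bytes as big-endian 16-bit words to a one's-complement running sum. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)p[0] << 8 | p[1];
    if (n) acc += (uint32_t)p[0] << 8;   /* odd trailing byte, zero-padded */
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}
/* Pseudo-header sum only: addresses, protocol (6 = TCP) and TCP length.
 * Assumption: stored uncomplemented when checksum offload is pending. */
uint16_t pseudo_sum(const uint8_t *src, const uint8_t *dst, size_t tcplen) {
    return fold(sum16(dst, 4, sum16(src, 4, 0)) + 6 + (uint32_t)tcplen);
}
/* Full checksum: pseudo-header plus whole segment, checksum field counted as 0. */
uint16_t full_cksum(const uint8_t *src, const uint8_t *dst,
                    const uint8_t *seg, size_t len) {
    uint32_t acc = sum16(seg, len, pseudo_sum(src, dst, len));
    acc -= (uint32_t)seg[16] << 8 | seg[17];   /* drop the field's own value */
    return (uint16_t)~fold(acc);
}
/* Decide what the checksum field (bytes 16-17 of the TCP header) holds. */
enum ck_state classify(const uint8_t *src, const uint8_t *dst,
                       const uint8_t *seg, size_t len) {
    if (len < 20 || len > 0xffff) return CK_BAD;
    uint16_t field = (uint16_t)(seg[16] << 8 | seg[17]);
    if (field == full_cksum(src, dst, seg, len)) return CK_VALID;
    if (field == pseudo_sum(src, dst, len)) return CK_PSEUDO_ONLY;
    return CK_BAD;
}
/* Demo helper: write a value into the sample's checksum field and classify. */
enum ck_state with_field(uint16_t v) {
    SEG[16] = (uint8_t)(v >> 8); SEG[17] = (uint8_t)(v & 0xff);
    return classify(SRC, DST, SEG, sizeof SEG);
}
int main(void) {
    unsigned full = full_cksum(SRC, DST, SEG, sizeof SEG);
    unsigned ps = pseudo_sum(SRC, DST, sizeof SEG);
    printf("full=%04x pseudo=%04x\n", full, ps);
    printf("%d %d %d\n", with_field((uint16_t)full), with_field((uint16_t)ps),
           with_field(0xdead));
    return 0;
}
```

A segment classified as `CK_PSEUDO_ONLY` in a capture taken on the receiving side means no device on the path ever completed the checksum, so the receiver drops it and TCP retransmits.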