nat / rdr timeouts?

Max Laier max at
Tue Mar 8 00:52:15 GMT 2005

On Tuesday 08 March 2005 01:28, Stephane Raimbault wrote:
> Okay, I set up an OpenBSD 3.6 box with pf today as a test and I can not
> replicate the problem with OpenBSD.
> In fact, running the ab test returned MUCH better results in terms of times
> to return the page and according to top the cpu barely budged when running
> the test on the openbsd pf box.  However running top on the freebsd pf box
> I clearly see a spike in cpu traffic as the cpu idle drops to 0% for a
> second.
> I'm currently running RELENG_5 on the freebsd box from this weekend... are
> there some debugging stuff turned on in the kernel that would explain the
> performance difference?
> I tried to replicate the test as closely as possible however there are some
> subtle differences in my test.
> OpenBSD test
> PowerBook laptop (running ab) to an IP on the local network (openbsd ext
> interface (vlan0)) thru to the same openbsd box int interface (vlan1) to
> the web servers ( and
> FreeBSD Test
> IBM server running freebsd (ab) to an IP on its local network (freebsd ext
> interface (em0) thru to the same freebsd box int interface (em1) to the web
> servers ( and
> network wise it should be pretty much the same.  The only thing that came
> to mind, maybe it's because the powerbook is a better box than the IBM
> server running freebsd ?  but then seeing the CPU idle time and comparing
> the Freebsd +pf and the OpenBSD +pf being so different... I ponder my
> question.
> Hope this makes sense.  Let me know if there is any other data I can
> provide ?

I don't fully understand what your setup looks like.  Where are you running ab 
from?  Is there a dedicated box you run it on or are you running it on/from 
the redirecting box itself?  Could you get the following setup realized:

             /----- OpenBSD ----\        WWW_1
             |                  |      / WWW_2
ab Client ---+                  +-----+-  ...
             |                  |      \ WWW_N
             \----- FreeBSD ----/

It does not matter (too much) how the gateways are connected to the client and 
the servers, what matters is that the client and the servers are the same for 
both tests.  I suspect that (if you were running ab from the FreeBSD server) 
you discovered a bug in FreeBSD's socket/tcp code much rather than in pf.  
Please let me know if I misunderstood something and explain your test setup 
with a bit more detail.

Thanks a lot in advance.

<snip - it is line-wrapping as hell, anyway>

/"\  Best regards,                      | mlaier at
\ /  Max Laier                          | ICQ #67774661
 X  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News