Pf in 4.11

Christopher McGee chris at xecu.net
Thu May 12 10:17:31 PDT 2005


Richard Tector wrote:

> Christopher McGee wrote:
>
>> The handbook states that pf is available through KAME in 4.11, and 
>> from my reading KAME is built into the system.  How do you enable pf 
>> and altq on 4.x, then?  I have had trouble finding any how-tos on 
>> this since everything for pf points to 5.x.  I just can't justify 
>> running 5.x on a production firewall though unless the performance 
>> greatly improves over 5.3.
>
>
> I can push over 300Mbit of sustained TCP traffic through a Celeron 1.3 
> routing and firewalling with pf. It runs a 3 month old RELENG_5.
> What sort of performance issues are you seeing that are stopping you 
> from moving to 5.x?
>
> Regards,
>
> Richard Tector

When queue1 starts pushing its maximum bandwidth, queue0 (the default) 
seems to choke and services become unavailable from the outside.  I cut 
back queue1 by about 7 Mbit/s and it has cleared it up for the most 
part.  Not completely, though.  Here's what I think is the relevant info; 
let me know if you need anything else:

The box:
CPU: Intel(R) Pentium(R) 4 CPU 2.00GHz (1999.78-MHz 686-class CPU)
real memory  = 1071906816 (1022 MB)
avail memory = 1039392768 (991 MB)
fxp0-6, only 0, and 1 are being used, the others are for future 
projects, like pfsync, and some dmz type stuff.

pf configuration:
set limit { states 100000, frags 5000 }
set loginterface $ext_if
set block-policy drop
all other options are default

queue configuration:
altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
queue queue1 bandwidth 12Mb qlimit 5000
The additional bandwidth that is not included in the queues should be 
added to queue1, but when that is done, it causes problems.  At high 
traffic times, queue1 will use ALL of its bandwidth and queue0 usually 
only uses 3-5 megs.

There is no nat or anything running on this firewall.  Public IP 
addresses outside and inside.  I would rather not revert to 4.x if 
possible but I can't have this machine unstable.

Thanks,
Chris
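For readers reconstructing the setup above, here is a complete altq/cbq block in the shape of the poster's configuration, with the rules that actually steer traffic into each queue (the post shows only the queue definitions). This is an added example, not the poster's own pf.conf: the interface names, macros, addresses and the ports chosen for queue1 are assumptions for illustration.

```pf
# Added example, not from the original post. Interface names, macros,
# addresses and port choices are assumptions; the queue definitions and
# "set" options are the ones given in the message.
ext_if = "fxp0"
int_if = "fxp1"
bulk_hosts = "{ 192.0.2.10, 192.0.2.11 }"   # constructed (RFC 5737 range)

set limit { states 100000, frags 5000 }
set loginterface $ext_if
set block-policy drop

# Root queue on the external interface. In cbq the child bandwidths
# (8Mb + 12Mb = 20Mb here) must not exceed the parent's 25Mb; the 5Mb left
# over is only reachable by a child flagged "borrow", which is queue0.
altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
queue queue1 bandwidth 12Mb qlimit 5000

# Packets matched by a rule without a "queue" keyword land in the default
# queue (queue0), so the public services below share queue0 with every other
# unassigned flow. ALTQ shapes packets leaving $ext_if; with keep state the
# reply direction of these inbound connections is what gets queued.
pass in on $ext_if proto tcp from any to $int_if:network \
    port { 22, 80, 443 } flags S/SA keep state

# Bulk transfers from the named hosts are steered into queue1 explicitly.
pass out on $ext_if proto tcp from $bulk_hosts to any \
    flags S/SA keep state queue queue1
```

`pfctl -vsq` prints per-queue packet, byte and drop counters, which is the quickest way to confirm which queue a flow is landing in and whether queue0's 150-packet qlimit is dropping under load.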