Pf in 4.11

Christopher McGee chris at xecu.net
Thu May 12 11:39:54 PDT 2005


Greg Hennessy wrote:

>I assume this is internet facing? If so, do you really have a 25 megabit
>full duplex pipe to the net?
>
>You don't appear to have implemented any form of ACK prioritisation,
>
>http://www.benzedrine.cx/ackpri.html
>
>It's not optional when running links flat out.
>
>PRIQ/CBQ are not exactly precision instruments when it comes to packet
>shaping, HFSC is better IMHO.
>
>On a side note, I've recently rolled out a 3.4 GHz Xeon running 5.4 for a
>customer and it iperfed under soak test @ ~800 megabits/sec through a pair
>of em.
>
>25 megabits wouldn't tax one of the P2-350s I have here as crash and burn
>test servers.
>
>Greg
>
>>-----Original Message-----
>>From: owner-freebsd-pf at freebsd.org 
>>[mailto:owner-freebsd-pf at freebsd.org] On Behalf Of Christopher McGee
>>Sent: 12 May 2005 18:17
>>To: Richard Tector
>>Cc: freebsd-pf at freebsd.org
>>Subject: Re: Pf in 4.11
>>
>>Richard Tector wrote:
>>
>>>Christopher McGee wrote:
>>>
>>>>The handbook states that pf is available through KAME in 4.11 and
>>>>from my reading KAME is built into the system.  How do you enable pf
>>>>and altq on 4.x then?  I have had trouble finding any how-to's on
>>>>this since everything for pf points to 5.x.  I just can't justify
>>>>running 5.x on a production firewall though unless the performance
>>>>greatly improves over 5.3.
>>>>
>>>I can push over 300Mbit of sustained TCP traffic through a Celeron 1.3
>>>routing and firewalling with pf. It runs a 3-month-old RELENG_5. What
>>>sort of performance issues are you seeing that are stopping you from
>>>moving to 5.x?
>>>
>>>Regards,
>>>
>>>Richard Tector
>>>
>>When queue1 starts pushing its maximum bandwidth, queue0 (the
>>default) seems to choke and services become unavailable from
>>the outside.  I cut back queue1 by about 7 Mbit/s and it has
>>cleared it up for the most part.  Not completely though.
>>Here's what I think is the relevant info, let me know if you
>>need anything else:
>>
>>The box:
>>CPU: Intel(R) Pentium(R) 4 CPU 2.00GHz (1999.78-MHz 686-class CPU)
>>real memory  = 1071906816 (1022 MB)
>>avail memory = 1039392768 (991 MB)
>>fxp0-6, only 0 and 1 are being used; the others are for future
>>projects, like pfsync, and some DMZ type stuff.
>>
>>pf configuration:
>>set limit { states 100000, frags 5000 }
>>set loginterface $ext_if
>>set block-policy drop
>>all other options are default
>>
>>queue configuration:
>>altq on $ext_if bandwidth 25Mb cbq queue { queue0, queue1 }
>>queue queue0 bandwidth 8Mb priority 4 qlimit 150 cbq(default, borrow)
>>queue queue1 bandwidth 12Mb qlimit 5000
>>
>>The additional bandwidth that is not included in the queues should be
>>added to queue1, but when that is done, it causes problems.  At high
>>traffic times, queue1 will use ALL of its bandwidth and queue0 usually
>>only uses 3-5 megs.
>>
>>There is no NAT or anything running on this firewall.  Public
>>IP addresses outside and inside.  I would rather not revert
>>to 4.x if possible but I can't have this machine unstable.
>>
>>Thanks,
>>Chris
>>
>>_______________________________________________
>>freebsd-pf at freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
Yes, we do have a full 25 meg full duplex pipe to the internet.  There is
no ACK prioritization because this was migrated from ipfw and dummynet
and there was none with that setup either.  Everything worked fine with
that setup, we were just looking for some of the newer features, and
unfortunately, we are close to going back to the old setup.  As for the
queuing method, I've read that cbq is more refined/reliable than hfsc
right now.  Anyway, why would ACK prioritization be necessary on the
pf/altq setup vs the ipfw/dummynet setup?

Chris
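The two-queue ACK prioritisation Greg points at, written against the CBQ setup from the original post. This is an added example, not configuration from anyone in the thread: the interface names, the bulk-host table, the 24Mb parent rate and the queue sizes are assumptions, and the rule set is reduced to the lines that matter for queueing.

```conf
# Added example, not from the thread. Interface names, the bulk-host
# table and all queue sizes are assumptions; adjust to the real layout.
ext_if = "fxp0"
int_if = "fxp1"
table <bulk_hosts> { 192.0.2.0/24 }   # placeholder: hosts whose traffic went to queue1

# Shape slightly below the physical 25Mb link so the backlog forms here,
# where ALTQ can reorder it, instead of on the upstream router's buffer.
# Child bandwidths sum to the parent (1 + 8 + 15 = 24Mb); CBQ misbehaves
# when the children are oversubscribed.
altq on $ext_if cbq bandwidth 24Mb queue { q_ack, q_def, q_bulk }
  queue q_ack  bandwidth 1Mb  priority 7 qlimit 100 cbq(borrow)
  queue q_def  bandwidth 8Mb  priority 4 qlimit 150 cbq(default, borrow)
  queue q_bulk bandwidth 15Mb priority 1 qlimit 500 cbq(borrow)

# With two queue names on a rule, pf puts ordinary packets in the first
# queue and empty TCP ACKs plus TOS lowdelay packets in the second. That
# is the whole ACK-prioritisation trick: the ACKs for inbound downloads
# are no longer stuck behind a saturated bulk queue.
pass out on $ext_if proto tcp from <bulk_hosts> to any \
    flags S/SA keep state queue (q_bulk, q_ack)
pass out on $ext_if proto tcp from any to any \
    flags S/SA keep state queue (q_def, q_ack)
pass out on $ext_if proto { udp, icmp } from any to any keep state queue q_def

# ALTQ only schedules packets leaving an interface, so this shapes the
# outbound side of the link. Reply traffic headed to the inside leaves
# via $int_if and needs its own altq block there if it is to be shaped.
```

Parse it without loading with `pfctl -nf pf.conf`; once loaded, `pfctl -vsq` shows per-queue packet counts, drops and current queue length, which is the quickest way to confirm that q_def is starving (drops climbing while q_bulk stays full) rather than the box running out of CPU.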