PF slowing down file copies

José Pablo Fernández pablo.fernandez at rs.com.ar
Tue Feb 20 23:29:19 UTC 2007


Hello,
I have a FreeBSD 6.2 acting as a router between two LANs and the internet. I am 
using PF on it for filtering and I am allowing all the traffic to pass 
between the two LANs:

pass from $lan0:network to $lan1:network keep state
pass from $lan1:network to $lan0:network keep state

My problem is that when I copy a file from one network to the other, the first 
128KB seems to be copied instantaneously, the second 128KB takes more than two 
minutes and I've seen the third 128KB being copied very rarely. This is using 
Secure CoPy.
If I copy the file to the router and from the router to the other computer, it 
just works. And it seems people copying files with SMB (Windows' protocol) 
have found the same problem.
Any ideas what might be going on?
Thanks.
-- 
José Pablo Fernández
pablo.fernandez at rs.com.ar

PS: My full firewall configuration:

# My interfaces.
lan0    = "re0"
lan1    = "re1"
wan     = "fxp0"
wan6to4 = "stf0"

# My me, me and I.
me = "{(" $lan0 ") (" $lan1 ") (" $wan ")}"

# Globally accessible services.
mi_tcp_services = "{domain ssh http jabber-client sjabber-client jabber-server 5901}"
mi_udp_services = "{domain ssh http jabber-client sjabber-client jabber-server}"

# LAN-only accessible services.
mi_internal_tcp_services = "{ejabberd-admin bacula-fd http-proxy}"
mi_internal_udp_services = "{}"

# The network.
lans = "{" $lan0 $lan1 "}"
lans_network = "{" $lan0:network $lan1:network "}"

# Hosts that are free to reach the outside world directly.
table <free4> { plab.bsas.rs.com.ar dejavu.bsas.rs.com.ar }
table <free6> {}

# Available for everybody
tcp_for_everybody = "{smtp smtps pop3 pop3s imap imaps}"
udp_for_everybody = "{smtp smtps pop3 pop3s imap imaps}"

# Returning a refusal is better than dropping a packet because it hides the fact that there's a firewall.
set block-policy return

# No filtering on lo0.
set skip on lo

# This will normalize and defragment all packets. Filtering will work better and strange packets will be dropped.
scrub in

# NAT.
nat on $wan from <free4> to any -> ($wan)

# Port forwarding. See below for the associated passing rules.
rdr on $wan proto tcp from any to any port 5901 -> dejavu.bsas.rs.com.ar port vnc # Andres' VNC. Pupeno, 2007-02-12 14:50:02.
# Temp port forwarding.
# None so far. Pupeno, 2007-02-12 14:50:25.

# Block everything in, later allowing some stuff.
#block in

# Block RFC1918 (private) from the external card, private addresses in the public internet can't be good.
PrivateAddresses = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
#block in  quick on $wan from $PrivateAddresses to any
#block out quick on $wan from any to $PrivateAddresses

# Let the nated hosts go out.
pass on $lans from <free4> to any keep state
# Let the rest access some other services.
pass on $lans proto tcp to any port $tcp_for_everybody keep state
pass on $lans proto udp to any port $udp_for_everybody keep state

# Let me go out.
pass out from $me keep state

# Let forwarders pass and, more importantly, be synproxied, whatever that is. See above for the associated rdr (redirection) rules.
pass in proto tcp from any to dejavu.bsas.rs.com.ar port vnc synproxy state # Andres' VNC. Pupeno, 2007-02-12 15:45:16.

# Services that should be reached from anywhere (including the LAN).
pass in proto tcp to $me port $mi_tcp_services keep state
pass in proto udp to $me port $mi_udp_services keep state
pass in proto {icmp, icmp6} to $me keep state
# Services that should be reached only from the LAN.
pass in proto tcp from $lans_network to $me port $mi_internal_tcp_services keep state
#pass in proto udp from $lans_network to $me port $mi_internal_udp_services keep state # Enable when there are internal udp services. Pupeno, 2007-01-31 18:17:15.

# Allow communication between the two networks.
pass from $lan0:network to $lan1:network keep state
pass from $lan1:network to $lan0:network keep state
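One check a reader can run over a ruleset like the one above (an added example, not code from the post or from pf): it lists the pass rules that keep TCP state without "flags S/SA", so pf may create the state from a packet in the middle of a connection whose negotiated window-scaling factor it never saw, and it shows the hardened form where the rule is explicitly "proto tcp". The sample rules are copied from the post; "$vnc_host" is a constructed macro name.

```python
import re

# Constructed sample ruleset: the LAN-to-LAN and $me rules from the post, plus
# a rule that already has flags S/SA and a synproxy rule ($vnc_host is made up).
SAMPLE_RULES = """\
pass from $lan0:network to $lan1:network keep state
pass from $lan1:network to $lan0:network keep state
pass in proto tcp to $me port $mi_tcp_services keep state
pass in proto udp to $me port $mi_udp_services keep state
pass in proto tcp from $lans_network to $me port ssh flags S/SA keep state
pass in proto tcp from any to $vnc_host port vnc synproxy state
"""

STATE_RE = re.compile(r"\b(keep|modulate|synproxy) state\b")
PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")
FLAGS_RE = re.compile(r"\bflags\s+\S+")

def needs_syn_flags(rule):
    """True if a pass rule keeps TCP state but may create it from a non-SYN packet.

    Without 'flags S/SA', pf can create state from a mid-connection packet; it
    then does not know the window-scaling factor negotiated in the SYN exchange
    and may drop segments it judges out of window once the window grows.
    A rule with no 'proto' applies to TCP as well, so it is reported too.
    """
    state = STATE_RE.search(rule)
    if not rule.startswith("pass") or state is None:
        return False
    if state.group(1) == "synproxy":  # synproxy completes the handshake itself
        return False
    proto = PROTO_RE.search(rule)
    covers_tcp = proto is None or "tcp" in proto.group(1)
    return covers_tcp and FLAGS_RE.search(rule) is None

def audit(conf_text):
    """Return the rules in conf_text (trailing comments stripped) that need flags S/SA."""
    rules = (line.split("#", 1)[0].strip() for line in conf_text.splitlines())
    return [r for r in rules if r and needs_syn_flags(r)]

def harden(rule):
    """Insert 'flags S/SA' before the state keyword of an explicit 'proto tcp' rule.

    pfctl rejects 'flags' on a rule that is not 'proto tcp', so a rule without
    'proto' needs a separate 'proto tcp ... flags S/SA' rule instead: return None.
    """
    proto = PROTO_RE.search(rule)
    if proto is None or proto.group(1) != "tcp":
        return None
    return STATE_RE.sub(lambda m: "flags S/SA " + m.group(0), rule, count=1)
```

Running audit(SAMPLE_RULES) reports the two LAN-to-LAN rules and the TCP rule to $me; harden() rewrites only the last of these, since the first two carry no "proto".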


More information about the freebsd-questions mailing list