nat / rdr timeouts?

Tue Mar 8 05:08:07 GMT 2005

Okay, a bit of a Summary.

I was originally running ab on a 4.9 system... however, it seems like there 
was a problem with that as mentioned by Max.  I ran ab from a 5.2.1 system 
and didn't have any problems.  I could rack up the connections till I ran up 
to 10K states since that limit is set to that.  so no problem there.  I even 
cvsup'd back to 5.3-RELEASE-p5 and still no problems.

So there is no problem according to my benchmark test....  This still goes 
back to why I originally was doing this....

I'm currently running 4.9 + natd doing something similar with port 80.  I 
have no problems, however load on the box is quite a bit more then I like.  
5.3 + pf seems to be the solution as the load is much lower during my 
testing... Some time ago I had tried 5.3 + pf in the production environment, 
however  a few users were getting time outs to port 80... and it seemed like 
these few were behind corportate firewalls, where a few users were accessing 
the site at the same time from behind the same IP.  This led me to my ab 
test which "seemed" to duplicate the problem.

I'm at a loss now... the only thing I can think of is testing 5.3+pf in the 
production environment and see what happens... does anyone have any 
thoughts?

Thanks,
Stephane.

>From: "Stephane Raimbault" <segr at hotmail.com>
>To: max at love2party.net, freebsd-pf at freebsd.org
>Subject: Re: nat / rdr timeouts?
>Date: Mon, 07 Mar 2005 20:02:09 -0700
>
>
>
>>From: Max Laier <max at love2party.net>
>>To: freebsd-pf at freebsd.org
>>CC: "Stephane Raimbault" <segr at hotmail.com>, daniel at benzedrine.cx
>>Subject: Re: nat / rdr timeouts?
>>Date: Tue, 8 Mar 2005 01:52:05 +0100
>>
>>On Tuesday 08 March 2005 01:28, Stephane Raimbault wrote:
>> > Okay, I setup an OpenBSD 3.6 box with pf today as a test and I can not
>> > replicate the problem with OpenBSD.
>> >
>> > In fact, running the ab test returned MUCH beter results in terms of 
>>times
>> > to return the page and according to top the cpu barely budged when 
>>running
>> > the test on the openbsd pf box.  However running top on the freebsd pf 
>>box
>> > I clearly see a spike in cpu traffic as the cpu idle drops to 0% for a
>> > second.
>> >
>> >
>> > I'm currently running RELENG_5 on the freebsd box from this weekend... 
>>are
>> > there some debugging stuff turned on in the kernel that would explain 
>>the
>> > performance diffrence?
>> >
>> > I tried to replicate the test as closely as possible however there are 
>>some
>> > subtle diffrences in my test.
>> >
>> > OpenBSD test
>> >
>> > PowerBook laptop (running ab) to an IP on the local network (openbsd 
>>ext
>> > interface (vlan0)) thru to the same openbsd box int interface (vlan1) 
>>to
>> > the web servers (10.0.11.16 and 10.0.11.17).
>> >
>> > FreeBSD Test
>> >
>> > IBM server running freebsd (ab) to an IP on it's local network (freebsd 
>>ext
>> > interface (em0) thru to the same freebsd box int interface (em1) to the 
>>web
>> > severs (10.0.11.16 and 10.0.11.17).
>> >
>> > network wise it should be pretty much the same.  The only thing that 
>>came
>> > to mind, maybe it's because the powerbook is a better box then the IBM
>> > server running freebsd ?  but then seeing the CPU idle time and 
>>comparing
>> > the Freebsd +pf and the OpenBSD +pf being so diffrent... I ponder my
>> > question.
>> >
>> >
>> > Hope this makes sense.  Let me know if there is any other data I can
>> > provide ?
>>
>>I don't fully understand how your setup looks like.  Where are you running 
>>ab
>>from?  Is there a dedicated box you run it on or are you running it 
>>on/from
>>the redirecting box itself?  Could you get the following setup realized:
>>
>>              /----- OpenBSD ----\        WWW_1
>>              |                  |      / WWW_2
>>ab Client ---+                  +-----+-  ...
>>              |                  |      \ WWW_N
>>              \----- FreeBSD ----/
>>
>
>I don't know why I didn't setup my test like this in the first place... it 
>was pretty easy for me to set this up... Anyhow I've set this up now.
>
>And now that I have re run the tests... may I say "ARGH!" :)
>
>So yes... same problem when running the test on the OpenBSD + pf then I was 
>getting on the FreeBSD + pf.  But so what does this mean... I'm hitting a 
>bug on my FreeBSD box I'm running the ab test from?
>
>>It does not matter (too much) how the gateways are connected to the client 
>>and
>>the servers, what matters is that the client and the servers are the same 
>>for
>>both tests.  I suspect that (if you were running ab from the FreeBSD 
>>server)
>>you discovered a bug in FreeBSD's socket/tcp code much rather than in pf.
>>Please let me know if I misunderstood something and explain your test 
>>setup
>>with a bit more detail.
>>
>>Thanks a lot in advance.
>>
>><snipp - it is linewarpping as hell, anyway>
>>
>>--
>>/"\  Best regards,                      | mlaier at freebsd.org
>>\ /  Max Laier                          | ICQ #67774661
>>  X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
>>/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
>><< attach3 >>
>
>_________________________________________________________________
>Don't just Search. Find! http://search.sympatico.msn.ca/default.aspx The 
>new MSN Search! Check it out!
>
>_______________________________________________
>freebsd-pf at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

_________________________________________________________________
Take charge with a pop-up guard built on patented Microsoft® SmartScreen 
Technology  
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines 
  Start enjoying all the benefits of MSN® Premium right now and get the 
first two months FREE*.