strange "throttling" issue with pf on xDSL connection

Patrick Proniewski patpro at patpro.net
Wed Aug 1 11:36:31 UTC 2007


Hi

Two of us have found out a very strange issue with pf on FreeBSD 6.2
on an xDSL connection.

In both cases:
- the FreeBSD system is plugged into an xDSL box provided by French ISP
"free.fr" ("freebox")
- pf is used to firewall the connection and to share it on a LAN
using NAT.
- pf.conf is relatively simple, and does not use ALTQ

We have discovered that requests to files on <http://test-debit.free.fr/>
yield very poor download rates (approx. 140 KB/s), but we can
launch 3 or more simultaneous downloads (approx. 120 KB/s each). So the
total bandwidth looks ok.
If we turn pf off (unload the kernel module or "set skip on $ext_if"  
in pf.conf), the download speed reaches 650-700 KB/s for the same  
file. (note: http://test-debit.free.fr is an official bandwidth test  
page for the ISP free.fr)

Two things are strange:

- pf acts like it's throttling the connection, while no throttling  
instruction is given
- with other servers, it happens that the download speed is ok (not
all servers), even if pf is active, but it's never ok with
http://test-debit.free.fr unless pf is off.

I've come to the conclusion that pf alters in some way the TCP flow,  
and that this alteration is not compatible with some servers or  
network appliance, thus degrading the max transfer rates.

I have no particular sysctl options, ALTQ is not active (I've tested  
a kernel with and without ALTQ: same result). We've tested pf.conf  
without "scrub in all": same result.
Let me know if a tcpdumped transfer with and without pf could help.
`dmesg`, `sysctl -a` and pf.conf upon request.

Any hint is welcome.

thanks,
patpro



More information about the freebsd-pf mailing list