Firewall & DSL performance

Darryl Hoar darryl at osborne-ind.com
Wed Mar 10 06:57:15 PST 2004


I didn't mean to imply that ipfilter itself had a 
performance problem, just that my configuration/hardware
exhibited a performance problem once my DSL was boosted
to 1.5Mb.

There is a box on the side of my house that the fiber
is connected to.  It has a network port for testing.
The tech connected his notebook to this port and
saw 1.5Mb performance.  There is a cat 5 run from this
external box to my office in my basement.  There is a jack
on the end of this run.  The tech connected to this jack
and saw roughly 1.48Mb performance.

Since both cards in the firewall are 3com 10Mb cards, they
won't show 100Mb.  When I did an ifconfig -a I see them 
represented as 10Mb/UTP.  I did not see any reference to
the duplex mode (half or full).  I will examine this to
see if it is somehow running in half duplex mode when
plugged into my DSL link.

From the command line on my firewall, if I ftp down a file,
how do I figure the Mbps?

thanks,
Darryl

> -----Original Message-----
> From: JJB [mailto:Barbish3 at adelphia.net]
> Sent: Wednesday, March 10, 2004 8:46 AM
> To: darryl at osborne-ind.com
> Subject: RE: Firewall & DSL performance
> 
> 
> If the ipfilter firewall had a performance problem, I am sure many
> people other than you would have been complaining about it. I use
> ipfilter and have no performance problem. You have to look
> elsewhere for your problem.
> 
> Check all the NICs and switches or hubs in the path the test packets
> flow through to verify they are all operating in full duplex/100
> mode. Then start with the gateway box and run native FTP to your
> public FTP site and see what the throughput is there. If it is bad
> then you have isolated the problem to the NIC card that connects you
> to the DSL modem.
> 
> Greater detail about how you test from the LAN is needed to help
> you.
> Also a detailed description of just what you mean by your
> statements
> "Testing at the box on the side of my house yielded 1.5Mb.
>  Testing at the jack inside also yielded 1.5Mb".
> 
> 
> 
> 
> 
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Darryl Hoar
> Sent: Wednesday, March 10, 2004 9:10 AM
> To: 'Mike Jackson'
> Cc: freebsd-questions at freebsd.org
> Subject: RE: Firewall & DSL performance
> 
> Well,
> last night I changed the ipf.rules file to be:
> 
> pass in all  keep state
> pass out all keep state
> 
> to completely open my firewall to test my performance.
> 
> Well, it didn't make a lick of difference.  Still got
> 700K.
> 
> If I open the firewall like I did, shouldn't performance
> be a non-issue?
> 
> thanks,
> Darryl
> 
> > -----Original Message-----
> > From: Mike Jackson [mailto:mj at sci.fi]
> > Sent: Tuesday, March 09, 2004 11:55 AM
> > To: Darryl Hoar
> > Subject: Re: Firewall & DSL performance
> >
> >
> > Darryl Hoar (darryl at osborne-ind.com) wrote:
> > >
> > > Problem:
> > > Recently, our ISP upgraded (at no charge) our connection from 512K to
> > > 1.5Mb.  When testing from a computer on my Lan, I was only seeing about
> > > 700K.  Testing at the box on the side of my house yielded 1.5Mb.  Testing
> > > at the jack inside also yielded 1.5Mb.  So, my firewall seems to be
> > > slowing things down.
> >
> > Run `top' and watch the memory and processor usage when downloading an iso
> > from some internet site.
> >
> > Open another terminal and run `iostat -odICTw 2 -c 9', to watch your io
> > performance.
> >
> > Open another terminal and run `vmstat -w 5', to watch virtual memory
> > statistics.
> >
> > Finally, a slow processor just might be the bottleneck. For example, if
> > you put a gigabit ethernet card in a P4 and one in a P2, you will most
> > likely not get full speed - especially if there is kernel level packet
> > interception going, e.g. ipsec, nat, or firewall filters.
> >
> > HTH,
> > --
> > Mike Jackson
> >