Low network performance after upgrade from FreeBSD 4.8 to 6.0

Bohuslav Plucinsky bohuslav.plucinsky at in.nextra.sk
Mon Mar 20 13:26:46 UTC 2006


Hello,

I use a FreeBSD box as a firewall with NAT (ipfw + natd).
When I upgraded the box from 4.8-20030810-STABLE to 6.0-RELEASE,
I noticed a performance degradation.

I have only one workstation behind the firewall, and the throughput
when downloading an ISO image through the firewall with 6.0-RELEASE
booted is only 24Mbps. (When I reboot the machine with the 4.8-20030810-STABLE
installation, the throughput is 80Mbps.) The firewall_type was "open"
during the download:

# ipfw show
00050 105842 106637407 divert 8668 ip from any to any via xl0
00100      0         0 allow ip from any to any via lo0
00200      0         0 deny ip from any to 127.0.0.0/8
00300      0         0 deny ip from 127.0.0.0/8 to any
65000 211701 213100988 allow ip from any to any
65535     11       665 deny ip from any to any


The "top" utility shows 100% CPU load:
-------------------------------------

last pid:   771;  load averages:  0.25,  0.06,  0.02                                                                   up 0+00:24:30  14:08:32
27 processes:  2 running, 25 sleeping
CPU states:  8.8% user,  0.0% nice, 59.6% system, 31.6% interrupt,  0.0% idle
Mem: 16M Active, 4752K Inact, 11M Wired, 8144K Buf, 22M Free
Swap: 500M Total, 500M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
  229 root        1 105    0  1428K   904K RUN      0:35 40.82% natd
  680 plk         1  96    0  6076K  3112K select   0:01  0.00% sshd
  688 plk         1  96    0  2100K  1804K select   0:01  0.00% screen
  739 root        1  20    0  4420K  2868K pause    0:00  0.00% tcsh
  760 root        1   5    0  4416K  2856K ttyin    0:00  0.00% tcsh
  694 plk         1  20    0  4416K  2856K pause    0:00  0.00% tcsh
  478 root        1  96    0  1328K   904K select   0:00  0.00% syslogd
  677 root        1   4    0  6100K  3100K sbwait   0:00  0.00% sshd
  690 plk         1  20    0  4916K  3504K pause    0:00  0.00% tcsh
  681 plk         1  20    0  3984K  2584K pause    0:00  0.00% tcsh
  767 plk         1  20    0  4088K  2688K pause    0:00  0.00% tcsh
  598 root        1  96    0  3416K  2692K select   0:00  0.00% sendmail
  751 root        1   5    0  1632K  1320K ttyin    0:00  0.00% less
  771 plk         1  96    0  2268K  1544K RUN      0:00  0.00% top
  685 plk         1  20    0  1928K  1512K pause    0:00  0.00% screen
  614 root        1   8    0  1312K  1032K nanslp   0:00  0.00% cron
  668 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  665 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  671 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  664 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  667 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  666 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  669 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  670 root        1   5    0  1264K   936K ttyin    0:00  0.00% getty
  592 root        1  96    0  3352K  2500K select   0:00  0.00% sshd
  602 smmsp       1  20    0  3296K  2724K pause    0:00  0.00% sendmail
  449 root        1 111    0   500K   352K select   0:00  0.00% devd



The HW is:
----------
 CPU: Pentium II Celeron 400MHz
 RAM: 64MB
 NIC: 2x 3Com905B

Kernel config:
--------------
machine		i386
cpu		I586_CPU
cpu		I686_CPU
ident		FW
maxusers	64

makeoptions	DEBUG=-g		# Build kernel with gdb(1) debug symbols

options		HZ=100
options 	SCHED_4BSD		# 4BSD scheduler
options 	INET			# InterNETworking
options 	FFS			# Berkeley Fast Filesystem
options 	SOFTUPDATES		# Enable FFS soft updates support
options 	UFS_ACL			# Support for access control lists
options 	UFS_DIRHASH		# Improve performance on big directories
options 	NFSCLIENT		# Network Filesystem Client
options 	NFSSERVER		# Network Filesystem Server
options 	NFS_ROOT		# NFS usable as /, requires NFSCLIENT
options 	MSDOSFS			# MSDOS Filesystem
options 	CD9660			# ISO 9660 Filesystem
options 	PROCFS			# Process filesystem (requires PSEUDOFS)
options 	PSEUDOFS		# Pseudo-filesystem framework
options 	GEOM_GPT		# GUID Partition Tables.
options 	COMPAT_43		# Compatible with BSD 4.3 [KEEP THIS!]
options 	COMPAT_FREEBSD4		# Compatible with FreeBSD4
options 	COMPAT_FREEBSD5		# Compatible with FreeBSD5
options 	SCSI_DELAY=5000		# Delay (in ms) before probing SCSI
options 	KTRACE			# ktrace(1) support
options 	SYSVSHM			# SYSV-style shared memory
options 	SYSVMSG			# SYSV-style message queues
options 	SYSVSEM			# SYSV-style semaphores
options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
options 	AHC_REG_PRETTY_PRINT	# Print register bitfields in debug
					# output.  Adds ~128k to driver.
options 	AHD_REG_PRETTY_PRINT	# Print register bitfields in debug
					# output.  Adds ~215k to driver.
options 	ADAPTIVE_GIANT		# Giant mutex is adaptive.

options		MROUTING		# Multicast routing
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #print information about dropped packets
options         IPFIREWALL_FORWARD      #enable transparent proxy support
options         IPFIREWALL_FORWARD_EXTENDED     #all packet dest changes
options         IPSTEALTH               #support for stealth forwarding
options		IPDIVERT		#divert sockets
options		TCPDEBUG
options		DUMMYNET
options 	TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
options 	INCLUDE_CONFIG_FILE     # Include this file in kernel
options 	IPSEC			#IP security
options 	IPSEC_ESP		#IP security (crypto; define w/ IPSEC)
options 	IPSEC_DEBUG		#debug for IP security

# Devices
device		apic			# I/O APIC

...

(I'll send the whole config if it is needed.)

When I change the IP addresses on the inside interface from private to public
and disable NAT, the throughput is again 80Mbps.

Can somebody advise me whether this is some configuration problem,
or whether the requirements of the FreeBSD 6.0 kernel have increased and the HW
of my firewall is not enough?


Thanks,
Bohus Plucinsky

