PF Performance

Contributed by jose on 2002-09-11 from the where-to-start? dept.

"Hi!
I just set up a bridged firewall with OpenBSD-3.1 stable. The outbound connection is an ADSL 1mbit line. Earlier other people on the network were able to see streaming video at 700kbps, while now only 300kbps seems to be possible. I have set up:
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
anything else I can do?
Thanx in advance!"

I, too, have been looking at ways to tune PF. I expect it will take kernel recompiles and not simple sysctl changes. There is Daniel's PF performance talk, but it didn't have much info on tuning. Any advice?

(Comments are closed)

Comments

By jose () on 2002-09-11 13:18 http://www.monkey.org/~jose/

in my pfvar.h file i see these parameters:
#define PFFRAG_FRENT_HIWAT 5000 /* Number of fragment entries */
#define PFFRAG_FRAG_HIWAT 1000 /* Number of fragmented packets */
#define PFFRAG_FRCENT_HIWAT 50000 /* Number of fragment cache entries */
#define PFFRAG_FRCACHE_HIWAT 10000 /* Number of fragment descriptors */

would adjusting any of these values help?
By Anonymous () on 2002-09-11 03:07

We were testing a similar system, a while back, and we noticed a dramatic improvement when we switched from 3Com to Intel Ethernet adapters.
By Anonymous Coward () on 2002-09-11 04:07

net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535

From what I know, these only change the buffer space the kernel allocates for sockets. I don't think they'd play a role in speeding up pf.
By RC () on 2002-09-11 05:49

I'm using a 200MHz PC with PF to route between several 100Mbps networks. I'm using stateful filtering, have hundreds of blocked IP addresses, a few blocked ports, etc. With that setup it doesn't even use up 100% of the CPU to provide full 100Mbps throughput.

I have a hard time believing that PF is causing any bottlnecks on your setup. The story was light on details, so I can't even suggest what the problem might be.
By Aasmund () on 2002-09-11 10:28

I do run quite a bit of services on it: mail, web, dns etc. and the performance did increase after setting the sysctl.conf parameters. I have 2 different network cards:

1 Intel for the internal network
1. RealTek for the external network.

Should I look into buying a new network card then?

Regards & Thanks for all the suggestions,

Aasmund.
By Marco Brigham () on 2002-09-11 12:58

Why don't you try to activate ALTQ?

You probably have a very high bandwidth difference on the bridge (1Mb 100/10 Mb), which is a perfect scenario for deploying ALTQ. With a good set of rules, clients and services behind/on the bridge should get consistent access times.

You can only use ALTQ for outgoing traffic. Since you're filtering in bridge mode, both incoming and outgoing traffic are outgoing in some interface, so you can use ALTQ for all traffic.

Try CBQ/RED.

Cheers
By obsd :: JGM () obsd@jgm.gov.ar on 2002-09-11 14:58 mailto:obsd@jgm.gov.ar

I have a similar problem with pf, since 3.0, I have big problems with that, my box (pII 350mhz - 64mb) freeze if States up 14000, I try sysctl, change options in kernel, pfctl -O aggressive, another 4 machines, but nothing work.

I supouse I have a bad config, but I don�t know what is...

if anybody know.. please.. mail me

**sorry my english
By Anonymous Coward () on 2002-09-11 16:28

That's a very small amount of bandwidth and should not requiring any sort of tweaking. I've easily handled higher rates on low end ( <110mhz) sparcs.

Either you're running some horribly slow hardware or you're experiencing some odd bug.

I'd try running -current, which has many pf optimizations over the release. Playing with some other networks cards may be a good idea as well. I doubt you'll find the solution hacking kernel defs and altering sysctls. Your machine just is not that busy.
By Peter Hessler () spambox@theapt.org on 2002-09-11 21:13 http://www.sfobug.org

Did you change net.inet.ip.forwarding=1? That speed things up /quite/ a bit, and dropped the CPU utilization to almost nil. There is also a .ip6. flag as well. /etc/sysctl.conf is a place that you can set that to survice across reboots. =)
By Patrick Giagnocavo () patrick@zill.net on 2002-11-06 22:53 http://www.zill.net

I have found that using the 3c905b in 100Mbps with full duplex, I get about a third of the performance vs. running it at 10BaseT. I have not tried just switching between full and half duplex however. Performance between a Sparc SS10 and my higher end notebook PC went from 100Kbytes/s to over 320Kbytes/s once I made this change.

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]