
Re: overall thruput quite bad



On Tue, Feb 26, 2002 at 04:02:14PM +0200, Rommel, Florian wrote:

> Hi, can I somehow "test" my thruput or optimize it on my OBSD firewall? I got a P1 MMX 266 with 128MB RAM and 4GB HDD laptop with 2 10/100mbit NICs. One to the LAN, one to the Internet over cable modem. I get 900+KB/s from a server in the local university to my workstation if I connect the cable modem to it but only 300+KB/s when the OBSD firewall is in between. I wonder if there is anything I can do, I have a 100mbit hub and all cables are checked.

First, disable pf (pfctl -d) and check performance. No matter how you
optimize pf, you will not beat this throughput. If this shows that pf is
the bottleneck, you can try the following things. Otherwise, you might
want to check the hardware (not all nics perform equally well).
   
Make sure you run -current, as several changes have been made since
-release that can affect performance considerably.
   
Use states. If you have more than a dozen filter rules, it pays off to
create state just to prevent rule set evaluations. That means create
state for anything you can, including udp and icmp.
   
Order your rules in such a way that the 'skip steps' optimization has
maximum effect:
   
  1. type of rule (scrub vs. block/pass)
    2. interface
      3. direction (in vs. out)
        4. address family (inet vs. inet6)
          5. protocol (tcp vs. udp vs. icmp)
            6. source address, source port,
               destination address, destination port
   
Finally, kernel profiling (see kgmon(8)) is a good way to find out where a
busy machine is spending its cycles. It's easy to enable, and saves you
the trouble of optimizing the wrong thing prematurely.
 
Daniel
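
The advice above as a pf.conf fragment. This is an added example, not part of the original message: the interface names (fxp0, fxp1) and the chosen policy are assumptions, and scrub rules are left out because their syntax differs between pf versions. Rules are grouped by interface, then direction, then address family, then protocol, and every pass rule creates state.

```conf
# Constructed example ruleset; adjust the macros to your own NICs.
ext_if = "fxp0"   # assumed name: NIC facing the cable modem
int_if = "fxp1"   # assumed name: NIC facing the LAN

# pf uses the last matching rule, so each group starts with its block
# rule and the pass rules that follow override it.

# ---- $ext_if, in ----
# Nothing is offered to the Internet; replies to outbound traffic are
# matched by state and never reach the rule set.
block in on $ext_if all

# ---- $ext_if, out, inet: tcp, then udp, then icmp ----
block out on $ext_if all
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto udp all keep state
pass out on $ext_if inet proto icmp all keep state

# ---- $int_if, in, inet: tcp, then udp, then icmp ----
block in on $int_if all
pass in on $int_if inet proto tcp all flags S/SA keep state
pass in on $int_if inet proto udp all keep state
pass in on $int_if inet proto icmp all keep state

# ---- $int_if, out ----
# Traffic toward the LAN is only allowed as part of an existing state.
block out on $int_if all

# Check and measure:
#   pfctl -nf /etc/pf.conf   parse the file without loading it
#   pfctl -f /etc/pf.conf    load it
#   pfctl -vsr               per-rule counters; with state in use, the
#                            Evaluations counts should grow far more
#                            slowly than Packets
#   pfctl -d / pfctl -e      disable / enable pf to compare throughput
```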