Hello folks,
I have two machines (exact same hardware) that I'd like to use as a gateway/router for LAN clients to access the internet. I am using CARP for fail-over which is already working - therefore, let's refer to the two machines as "the gateway" from here on.
Here's a drawing for sanity:
Code:
                          +-----------+
          172.31.255.6/24 |           | 192.168.100.1/24
                 +--------+  silver1  +---------+
                 |        |           |         |    192.168.100.222/24
  +------------+ |        +-----------+         |      +-----------+
  |            | |                              |      |           |
--+   ISP GW   +-+                              +------+  client1  |
  |172.31.255.5| |                              |      |           |
  +------------+ |        +-----------+         |      +-----------+
                 |        |           |         |
                 +--------+  silver2  +---------+
          172.31.255.6/24 |           | 192.168.100.1/24
                          +-----------+
The ISP uplink is a 1G/1G connection. Using iperf3 on silver1 and a server in a datacenter I do get over 900Mbps. Downloading files on silver1 works well too. The performance becomes bad once I try to access anything from client1: everything is horribly slow. I am able to load web pages and download content in general, but it's slow. Running iperf3 on client1 towards the machine in the datacenter even times out.
My question: What's going on here? Where did I screw up in my setup/configuration?
Here's the network & routing configuration from silver1|2:
Code:
# Network
ifconfig_igb0="inet 192.168.8.12/24 up"
ifconfig_igb1="inet 192.168.1.12/24 up" # DNS access
ifconfig_igb2="inet 192.168.10.1/24 up"
ifconfig_igb2_alias0="inet vhid 1 advskew 100 pass testpass alias 192.168.100.1/24 up"
ifconfig_igb3="inet 192.168.10.3/24 up"
ifconfig_igb3_alias0="inet vhid 2 advskew 100 pass testpass alias 172.31.255.6/24 up"
defaultrouter="172.31.255.5"
# Routing
gateway_enable="YES"
static_routes="ispSwisscom"
route_ispSwisscom="-net 192.168.100.0/24 172.31.255.5"
Here's the corresponding PF configuration:
Code:
if_lan0="igb0" # Management
if_lan1="igb1" # DNS access
if_lan2="igb2" # Client gateway 1
if_lan3="igb3" # Swisscom modem
if_loc0="lo0" # Loopback
# Options
set block-policy drop
# Scrub
scrub in all
# Ignore loopback interface
set skip on $if_loc0
nat on $if_lan3 from $if_lan2:network to any -> ($if_lan3) static-port
table <bruteforce> persist
block quick from <bruteforce>
block in log all
antispoof for $if_lan3
antispoof for $if_lan4
pass out keep state
pass quick on $if_lan3 all
pass from {$if_loc0, $if_lan2:network } to any keep state
pass in quick on {$if_lan0, $if_lan3} proto tcp from any to any port 22 flags S/SA keep state (max-src-conn 10, max-src-conn-rate 50/3600, overload <bruteforce> flush global)
And for completion, here's the routing table of silver1:
Code:
root@silver1:~ # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.31.255.5       UGS        igb3
127.0.0.1          link#9             UH          lo0
172.31.255.0/24    link#6             U          igb3
172.31.255.6       link#6             UHS         lo0
192.168.1.0/24     link#4             U          igb1
192.168.1.12       link#4             UHS         lo0
192.168.8.0/24     link#3             U          igb0
192.168.8.12       link#3             UHS         lo0
192.168.10.0/24    link#5             U          igb2
192.168.10.1       link#5             UHS         lo0
192.168.10.3       link#6             UHS         lo0
192.168.100.0/24   link#5             U          igb2
192.168.100.1      link#5             UHS         lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              ::1                UGRS        lo0
::1                link#9             UH          lo0
::ffff:0.0.0.0/96  ::1                UGRS        lo0
fe80::/10          ::1                UGRS        lo0
fe80::%lo0/64      link#9             U           lo0
fe80::1%lo0        link#9             UHS         lo0
ff02::/16          ::1                UGRS        lo0
silver1 and silver2 specs:
- FreeBSD 11.2-RELEASE
- Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
- 8 GB DDR4 memory
- 128 GB NVMe drive
What did I miss? I'd appreciate any help on this!
In general I feel like my PF configuration is not really suitable for what I want to achieve - I'd be thankful for any input here as well!
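As an added check (not part of the original post, and not a FreeBSD tool), the POSIX sh script below lints an rc.conf/pf.conf pair for two things worth verifying before chasing throughput. First, the posted pf.conf references `$if_lan4` in `antispoof for $if_lan4` but never defines that macro; pfctl refuses to load a ruleset that uses an undefined macro, so the rules actually running may not be the ones shown. Second, the posted rc.conf adds a static route for 192.168.100.0/24 via 172.31.255.5 even though that subnet is configured directly on igb2; the routing table in the post lists only the connected route (link#5, igb2), so the static route is not in effect and points to a routing mistake worth cleaning up. The function names (pf_undefined_macros, net_of, rc_local_nets, rc_static_routes, rc_routes_to_local_nets) are mine, and the sample files are the posted fragments embedded as constructed input so the script runs offline; point the functions at /etc/rc.conf and /etc/pf.conf to check a live gateway.

```shell
#!/bin/sh
# Added example (not from the original post): lint an rc.conf/pf.conf pair for two
# mistakes that are easy to miss when reading the files by hand. Function names are
# mine, not FreeBSD tools. The sample inputs below are the posted fragments,
# embedded as constructed input so the script runs offline.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/rc.conf" <<'EOF'
ifconfig_igb0="inet 192.168.8.12/24 up"
ifconfig_igb1="inet 192.168.1.12/24 up"
ifconfig_igb2="inet 192.168.10.1/24 up"
ifconfig_igb2_alias0="inet vhid 1 advskew 100 pass testpass alias 192.168.100.1/24 up"
ifconfig_igb3="inet 192.168.10.3/24 up"
ifconfig_igb3_alias0="inet vhid 2 advskew 100 pass testpass alias 172.31.255.6/24 up"
defaultrouter="172.31.255.5"
gateway_enable="YES"
static_routes="ispSwisscom"
route_ispSwisscom="-net 192.168.100.0/24 172.31.255.5"
EOF

cat > "$SAMPLE_DIR/pf.conf" <<'EOF'
if_lan0="igb0"
if_lan1="igb1"
if_lan2="igb2"
if_lan3="igb3"
if_loc0="lo0"
set skip on $if_loc0
nat on $if_lan3 from $if_lan2:network to any -> ($if_lan3) static-port
block in log all
antispoof for $if_lan3
antispoof for $if_lan4
pass from {$if_loc0, $if_lan2:network } to any keep state
pass in quick on {$if_lan0, $if_lan3} proto tcp from any to any port 22 flags S/SA keep state
EOF

# Check 1: every $macro used in pf.conf must have a "macro=..." definition;
# pfctl refuses to load a ruleset that references an undefined macro.
pf_undefined_macros() {
    defined=$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" | sort -u)
    used=$(grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | tr -d '$' | sort -u)
    for m in $used; do
        if ! printf '%s\n' "$defined" | grep -qx "$m"; then
            echo "$m"
        fi
    done
}

# net_of ADDR PREFIX -> network in CIDR form, e.g. net_of 192.168.100.1 24 prints
# 192.168.100.0/24 (awk arithmetic, so any prefix length works, not only /24).
net_of() {
    echo "$1" | awk -F. -v p="$2" '{
        n = (($1 * 256 + $2) * 256 + $3) * 256 + $4
        for (i = 0; i < 32 - p; i++) n = int(n / 2)   # drop the host bits
        for (i = 0; i < 32 - p; i++) n = n * 2        # shift back into place
        printf "%d.%d.%d.%d/%d\n", int(n / 16777216) % 256, int(n / 65536) % 256, int(n / 256) % 256, n % 256, p
    }'
}

# Networks configured directly on interfaces (primary addresses and CARP aliases).
rc_local_nets() {
    grep '^ifconfig_' "$1" \
      | grep -o '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}/[0-9]\{1,2\}' \
      | while IFS=/ read -r ip prefix; do net_of "$ip" "$prefix"; done | sort -u
}

# Static routes declared as route_<name>="-net DEST/PREFIX GATEWAY" -> "DEST/PREFIX GATEWAY".
rc_static_routes() {
    sed -n 's/^route_[A-Za-z0-9_]*="-net \([0-9./]*\) \([0-9.]*\)".*/\1 \2/p' "$1"
}

# Check 2: a static route whose destination is a network already configured on a
# local interface never takes effect (the connected route wins) and signals a
# routing mistake. Prints "DEST via GATEWAY" for each such route.
rc_routes_to_local_nets() {
    local_nets=$(rc_local_nets "$1")
    rc_static_routes "$1" | while read -r dest gw; do
        net=$(net_of "${dest%/*}" "${dest#*/}")
        if printf '%s\n' "$local_nets" | grep -qx "$net"; then
            echo "$dest via $gw"
        fi
    done
}

echo "pf macros used but never defined:"
pf_undefined_macros "$SAMPLE_DIR/pf.conf"
echo "static routes pointing at locally configured networks:"
rc_routes_to_local_nets "$SAMPLE_DIR/rc.conf"
```

On the posted files the first check prints `if_lan4` and the second prints `192.168.100.0/24 via 172.31.255.5`; on a clean pair both checks print nothing. The macro check deliberately ignores `:network`, `:0` and similar modifiers, since those are applied by pf after macro expansion.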