FreeBSD 9.0, pf, altq and igb = no go?

[romeor]

Hello,

I've installed FreeBSD 9.0-Beta 3 and then patched it up to FreeBSD 9.0-RELEASE. Next I've recompiled the kernel to include ALTQ support in kernel. There are 2 NICs in my server, both are Intel. One of them uses the em driver, other uses igb.

So I've started the pf with this simple config:

set optimization aggressive
set skip on lo0
scrub in all

altq on igb0 cbq bandwidth 1000Mb queue {std_up}
    queue std_up bandwidth 5Mb cbq (default ecn)


altq on igb1 cbq bandwidth 1000Mb queue {std_down}
    queue std_down bandwidth 5Mb cbq (default ecn)

nat on vlan1041 from {vlan1112:network} to any -> $lan_wrk_ext

pass in quick from 178.21.240.249
block in log all
pass out
#discard traffic from or to bogon nets on external interfaces
block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets
#drop any ipv6 as not implemented in our net
block drop in log quick proto ipv6
#allow poc network to pass
pass in on vlan10 from vlan10:network
#allow ping
pass in on vlan1041 proto icmp from any
#allow incomming connections from our tower,juniper and roman
pass in on vlan1041 from $my to $gw
pass in on vlan1041 from 178.21.240.249
#discard traffic from or to bogon nets on external interfaces
block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets
#drop any ipv6 as not implemented in our net
block drop in log quick proto ipv6
#allow poc network to pass
pass in on vlan10 from vlan10:network
#allow ping
pass in on vlan1041 proto icmp from any
#allow incomming connections from our tower,juniper and roman
pass in on vlan1041 from $my to $gw
pass in on vlan1041 from 178.21.240.249
################## LAN RULES #########################
pass in on vlan1112 from vlan1112:network no state


############### out
pass out on vlan1041 from 178.21.240.242 queue std_up
pass out on vlan1112 to vlan1112:network queue std_down no state

And here we go. I go to check how does it work to the speedtest.net site and it takes ages to connect to it. Then it shows download speed about 0,01 Mbit/sec and kind of random upload. It goes even further: latency from local network to the router becomes around 1000 ms (and then just fails to ping it, says unreachable). The next step is - OSPF and BGP sessions go down.
pftop shows that queues are up and some traffic passes by.

As soon as I switch cables to the integrated NIC, change the config files to use em and reboot the server - everything goes fine.

Can someone help me to resolve it or it is not supported really?

 

[SirDice]

igb(4) should be a supported device. From altq(4):

SUPPORTED DEVICES
     The driver modifications described in altq(9) are required to use a cer-
     tain network card with ALTQ.  They have been applied to the following
     hardware drivers: ae(4), age(4), alc(4), ale(4), an(4), ath(4), aue(4),
     axe(4), bce(4), bfe(4), bge(4), cas(4), cxgbe(4), dc(4), de(4), ed(4),
     em(4), ep(4), epair(4), fxp(4), gem(4), hme(4), [b]igb(4)[/b], ipw(4), iwi(4),
     ixgbe(4), jme(4), le(4), msk(4), mxge(4), my(4), nfe(4), nge(4), npe(4),
     nve(4), ral(4), re(4), rl(4), rum(4), sf(4), sge(4), sis(4), sk(4),
     ste(4), stge(4), txp(4), udav(4), ural(4), vge(4), vr(4), vte(4), wi(4),
     and xl(4).

 

[romeor]

Yes, but it does not work right. A bug?

 

[SirDice]

That's always possible :e

Not sure if the bug is in ALTQ, igb(4) or your ruleset thought. I don't know enough about ALTQ to make that call

 

[bbzz]

Have you tried using simple pf rules, without ALTQ?

 

[romeor]

Yes, I tried to just a moment ago. It works fine! I don't even really have to insert any rule into a queue, just define the ALTQ in the beginning and it just freezes on the next speed test. As soon as I switch cables and change config files - it runs stable and ALTQ works fine.

 

[ondra_knezour]

Something close has been discussed in this tread time ago, may be some guide for you? Mentioned PR is still not closed.

 

[romeor]

Sorry, but discussed subject in this thread is not related to my problem in any way. I can see traffic in queues, but connection just too slow and then it gives me time outs until I reload the pf (so states are cleared) and then it comes again back (just a few moments question).

I think, I'll get another NIC to test with today.

 

[romeor]

Well, got another NIC, but this one came with the em driver. No problems anymore. So either there is a bug in new igb driver or it was previous NIC defect.

 

[ecazamir]

Try counting the number of "states" before getting another NIC. Make the ruleset simpler, remove references to non-existing NICs. Check the pf.conf man page, the paragraph about 'set limits'. pf has a bad habit: when the state limit is reached. it silently starts dropping connections. This, used with 'aggressive' optimization, may lead to behaviour similar to what you've encountered. The pftop port may help you easily count matches, states, etc.

 

[romeor]

Hey,
Thank you for your post. But the little problem is that same ruleset works with another NIC.