PF HAproxy - FreeBSD shows good performance but pf (the firewall) eats half

nbari

nbari

From https://www.haproxy.org/ in the Reliability section I found:

FreeBSD shows good performance but pf (the firewall) eats half of it and needs to be disabled to come close to Linux.
Click to expand...


What set of tests/pf rules can be used to benchmark this? I am using the latest HAProxy 2.4 & PF under FreeBSD amd64 and so far working fine, but I would like to know if there is something I could consider of fine-tuning either PF or HAproxy to have better performance.
 
For a VM makes sense since it will use fewer resources but for a dedicated server (physical network cars) this still applies?
 
nbari said:
For a VM makes sense since it will use fewer resources but for a dedicated server (physical network cars) this still applies?
Click to expand...
It applies to both. It has nothing to do with resource usage. It's because PF and the hardware are both trying to do something with those segments and are interfering with each other. IPFW doesn't seem to have this issue, it looks specific to PF. Or simply do the firewalling on a real hardware (Cisco, Juniper, etc) firewall.
 
SirDice said:
It applies to both. It has nothing to do with resource usage. It's because PF and the hardware are both trying to do something with those segments and are interfering with each other. IPFW doesn't seem to have this issue, it looks specific to PF. Or simply do the firewalling on a real hardware (Cisco, Juniper, etc) firewall.
Click to expand...
I have not seen any recent examples of any such issues.
ipfw’s NAT does have issues with TSO, but I am not aware of any such issues with pf.
 
You must log in or register to reply here.
Back
Top