PF Redirection through GRE tunnel with PF in FreeBSD 9

[Bistromat]

Hi All,
I've a freebsd FreeBSD 8.4 and a freebsd FreeBSD 9.3 and I need to redirect all the traffic on port 80 to other servers, passing through a router. I've created gre(4) tunnels between my router and these servers and this is my pf.conf:

my_ip="{212.121.212.121}"
webpool="{111.111.111.111, 222.222.222.222}"
grehosts="{123.123.123.123}"
permitted_ips="{123.123.123.123}"
table <blacklist> persist file "/etc/blacklist"

pass in quick on em1 from $permitted_ips
rdr pass on em1 proto tcp from ! <blacklist> to $myip port 80 -> $webpool port 80
pass in quick on gre51 proto icmp all keep state

I force all traffic for my webpool to use the tunnel gre(4) with this rules in rc.conf

cloned_interfaces="gre61"
ifconfig_gre61="inet 172.16.0.61 172.16.0.161 netmask 255.255.255.255 tunnel 212.121.212.121 123.123.123.123 link1 up"
route_host1="-host 111.111.111.111/32 172.16.0.161
route_host2="-host 222.222.222.222/32 172.16.0.161

In freebsd FreeBSD 8.4 everything works fine. Instead with freebsd FreeBSD 9, when I do a GET in port 80, the network becomes very slowly.
Where is my mistake?

Any help will be appreciated
(and sorry I'm a newbie in freebsd FreeBSD world)

 

[junovitch@]

Hello, that looks straight forward enough. Can you be more specific on what you mean by the network behaving slowly? Is it a pure bandwidth thing? If you temporarily turn off your HTTP server you can bandwidth using benchmarks/iperf with iperf -s -p 80 on the server and iperf -c <host> -p 80 on the client. If not that, some ideas to look at would be a tcpdump on the firewall or end device to look for anything crazy like re-transmits or reset connections. Also any interesting errors in pfctl -s info could be useful.