Slow LAN speed because of pf.conf

Hello all,

I found out that the download speed (from Samba shares, www, etc.) from my FreeBSD 7.4 box in the internal network is about 170-400 KB/s at most. If I turn off the PF firewall, the download speed is about 12 MB/s (~100 Mbit/s).

PF configuration (pf.conf):
Code:
set state-policy if-bound

pass inet proto icmp all icmp-type { echoreq, unreach }

pass in quick on fxp0 \
        reply-to ( fxp0 169.254.107.1 ) \
        proto tcp from any to any \
        keep state ( floating )

pass in quick on fxp1 \
        reply-to ( fxp1 192.168.2.1 ) \
        proto tcp from any to any \
        keep state ( floating )

fxp0 - internal network (LAN) 169.254.107.0/24
server - 169.254.107.8

fxp1 - not in use now, but it will be in the future. This interface is connected to another Internet channel (ISP2). If I comment out the two lines (pass in quick), then I am able to connect to only one interface from outside the network, the one which corresponds to defaultrouter in rc.conf. For example, if defaultrouter in rc.conf is 169.254.107.1, then I can connect through fxp0, but not through fxp1.

If I comment out the line with pass in quick on fxp0, then the speed becomes ~100 Mbit/s.

Can anybody explain this behavior of PF? How should I tune PF so that the LAN speed is 100 Mbit/s while keeping the possibility of connecting to the server through different interfaces?
 
What's strange to me is that your last two pass rules are if-bound ("on fxp0"), but you're setting their state policy to floating?
 
The if-bound state policy is used for the whole ruleset, but for the last two rules I use the floating policy. I don't know if it is right. I took this example from this forum so that I would be able to connect to the server through two interfaces, fxp0 and fxp1, which are located in different subnets. If I connect to these interfaces without these rules (if I remove the floating attribute), then I can connect to ONLY one interface, the one corresponding to defaultrouter in rc.conf.

I solved the problem! In the PF rules I changed the source address from any to non-LAN addresses, like this:

Code:
# Only connections from outside the LAN get the reply-to, so replies to
# local clients are no longer sent via the router.
pass in quick on fxp0 \
        reply-to ( fxp0 169.254.107.1 ) \
        inet proto tcp from !169.254.107.0/24 to any \
        keep state ( floating )

pass in quick on fxp1 \
        reply-to ( fxp1 192.168.2.1 ) \
        inet proto tcp from !169.254.107.0/24 to any \
        keep state ( floating )

Now I can connect to the server from outside the LAN with these two rules, and the speed is ~100 Mbps.
I ran tcpdump and found that if the rule is written as
Code:
inet proto tcp from any  to any
then I can connect from outside to the server, but the speed is slow because I get ICMP redirects from the default router. I guess that for a Samba connection the server sends packets not directly to the client (in the internal net) but to 169.254.107.1 (the default router for FreeBSD, a D-Link router), which forwards the packets to the client. Maybe this circumstance caused the slow speed in the LAN.
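Added diagnostic example, not from the thread: a small Python script that scans tcpdump output for the ICMP redirects mentioned above and counts those the default router sends for hosts inside the LAN. The sample lines are constructed; the LAN prefix and gateway are the poster's 169.254.107.0/24 and 169.254.107.1.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of tcpdump output (not captured from the thread's network):
# the router 169.254.107.1 keeps redirecting the server 169.254.107.8 back to
# hosts on its own LAN, the symptom seen when reply-to also matched LAN clients.
SAMPLE_TCPDUMP = """\
12:00:01.000101 IP 169.254.107.8.445 > 169.254.107.1: Flags [P.], seq 1:1461, length 1460
12:00:01.000215 IP 169.254.107.1 > 169.254.107.8: ICMP redirect 169.254.107.20 to host 169.254.107.20, length 36
12:00:01.000302 IP 169.254.107.1 > 169.254.107.8: ICMP redirect 169.254.107.20 to host 169.254.107.20, length 36
12:00:01.100410 IP 169.254.107.1 > 169.254.107.8: ICMP redirect 169.254.107.33 to host 169.254.107.33, length 36
12:00:02.000500 IP 169.254.107.1 > 169.254.107.8: ICMP redirect 203.0.113.9 to host 169.254.107.254, length 36
12:00:02.000600 IP 169.254.107.8.445 > 169.254.107.20.51234: Flags [.], ack 1, length 0
"""

# Matches the "ICMP redirect <original destination> to host <new gateway>" form
# that tcpdump prints for ICMP type 5 messages.
REDIRECT_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP redirect (?P<target>[\d.]+) to host (?P<gw>[\d.]+)"
)


def lan_redirects(tcpdump_text, lan_cidr, gateway):
    """Count ICMP redirects sent by the default gateway whose original
    destination is a host inside the LAN prefix. Each one means a reply for a
    directly reachable client left the server via the router instead.
    Returns a Counter keyed by the redirected LAN destination."""
    lan = ipaddress.ip_network(lan_cidr)
    gw = ipaddress.ip_address(gateway)
    hits = Counter()
    for line in tcpdump_text.splitlines():
        m = REDIRECT_RE.search(line)
        if not m or ipaddress.ip_address(m["src"]) != gw:
            continue  # not a redirect, or not from our default router
        target = ipaddress.ip_address(m["target"])
        if target in lan:
            hits[str(target)] += 1
    return hits


if __name__ == "__main__":
    # Assumed values from the thread: LAN 169.254.107.0/24, router 169.254.107.1.
    for host, n in lan_redirects(SAMPLE_TCPDUMP, "169.254.107.0/24", "169.254.107.1").items():
        print(f"{n} redirect(s) from gateway for LAN host {host}: check reply-to rules")
```

A non-empty result while the "from any" rule is loaded, and an empty one after the source is restricted to non-LAN addresses, confirms the poster's diagnosis on a live capture.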
 
I know this, but these addresses were assigned to the local network before me. Do you advise changing it to 192.168.0.0/24, for example?

Then I would need to reconfigure all network services which bind to the network interface.
 
Fireball said:
I know this, but these addresses were assigned to the local network before me. Do you advise changing it to 192.168.0.0/24, for example?
Yes, to prevent any confusion, and perhaps some other devices may block these ranges.
 