On Fri, Oct 05, 2007 at 11:40:07AM -0400, Chris Smith wrote:

<SNIP>

> The performance issue is that normal web access is horrifically slow, yet
> when doing a download test the results show the proper bandwidth.
> It takes a while for the packets to figure out how to get through the
> router, once they do, the states are set up and everything works as it
> should.

I can see that.

<SNIP>

> Basic scenario is 2 internal interfaces (2 separate subnets) and three
> external (gateway) interfaces (a T1 line - the default gateway, a 4Mb/s cable
> line, and an 8Mb/s cable line). My current testing is just using one system
> to route-to one of the non-default gateways.

This means that each interface has a separate subnet with separate gateways
and all that?

What is $ext_if and what is $wow_8_if? You seem to use them kind of randomly
in your ruleset below. I am guessing that $ext_if is the T1 (default gateway)
and that $wow_8_if is one of the cable lines.

I think your problem is that if you route-to on your outbound interface it
happens after NAT. NAT and route-to on egress is, I think, a bad combination.
That it works at all is to me more surprising than that it is slow.

> Simplified ruleset:
> ==================================================================
> nat on $ext_if inet tag WOW_8_NAT tagged WOW_8 -> $wow_8_ad1
> nat on $ext_if inet from $s3_if:network to any -> $ext_ad
>
> pass in on $s3_if inet from $s3_if:network to !$alt_if flags S/SA keep state
> pass in on $s3_if inet from $orion7 to !$alt_if flags S/SA keep state tag WOW_8
>
> pass out on $s3_if from any to $s3_if:network flags S/SA keep state
>
> pass out on $ext_if all keep state flags S/SA
> pass out on $ext_if route-to ( $wow_8_if $wow_8_gw ) all keep state flags S/SA \
>     tagged WOW_8_NAT
> ==================================================================

Perhaps try this (I didn't):
(and keep state is default now, so that simplifies the rules)

==================================================================
nat on $ext_if inet from $s3_if:network to any -> $ext_ad
nat on $wow_8_if inet from $s3_if:network to any -> $wow_8_ad1

pass in on $s3_if inet from $s3_if:network to !$alt_if
pass in on $s3_if route-to ( $wow_8_if $wow_8_gw ) \
    inet from $orion7 to !$alt_if

pass out on $s3_if from any to $s3_if:network

pass out on $ext_if
pass out on $wow_8_if
==================================================================

You may also want some of the rules like those shown in the FAQ
http://www.openbsd.org/faq/pf/pools.html

    To ensure that packets with a source address belonging to $ext_if1 are
    always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the
    following two lines should be included in the ruleset:

    pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
        to any
    pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
        to any

I am NOT sure that I am correct, but this may give you something else to
try. I also think tcpdump on the different external interfaces when you are
trying this would probably help a lot.

l8rZ,
--
andrew - ICQ# 253198 - Jabber: [EMAIL PROTECTED]

BOFH excuse of the day: Not enough interrupts
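A fuller pf.conf for the layout andrew sketches (NAT on each egress interface, the route-to decision taken on ingress from the LAN, plus the symmetric route-to rules from the FAQ and a reply-to rule for connections that arrive on the non-default line). This is an added example, not a ruleset from the thread, the FAQ or the OpenBSD project; the variable names follow the thread, but the interface names, addresses, gateways, the $ext_gw variable and the ssh service in the reply-to rule are placeholders chosen for illustration.

```pf
# Added example; interface names, networks and gateways are assumptions.
ext_if   = "sis0"           # T1, the default route
ext_gw   = "198.51.100.1"   # assumed gateway on the T1
wow_8_if = "sis1"           # 8Mb/s cable line
wow_8_gw = "203.0.113.1"    # assumed gateway on the 8Mb/s line
s3_if    = "sis2"           # internal subnet that holds $orion7
alt_if   = "sis3"           # the other internal subnet
orion7   = "192.168.3.7"    # assumed LAN host to be sent via the cable line

set skip on lo
block log all

# Translate on the interface the packet actually leaves, so NAT never has to
# "guess" which gateway route-to will pick later.
nat on $ext_if   inet from $s3_if:network to any -> ($ext_if)
nat on $wow_8_if inet from $s3_if:network to any -> ($wow_8_if)

# Routing decision on ingress from the LAN. pf is last-match-wins, so the
# route-to rule for $orion7 must come after the generic one.
pass in on $s3_if inet from $s3_if:network to !$alt_if:network
pass in on $s3_if route-to ($wow_8_if $wow_8_gw) \
    inet from $orion7 to !$alt_if:network

# Connections that arrive on the cable line must answer via the cable
# gateway, not the default route (reply-to, see the FAQ page cited above).
pass in on $wow_8_if reply-to ($wow_8_if $wow_8_gw) inet proto tcp \
    from any to ($wow_8_if) port ssh

pass out on $s3_if from any to $s3_if:network
pass out on $ext_if
pass out on $wow_8_if

# The two FAQ rules: traffic sourced from an external interface's own
# address always leaves through that interface's gateway. They come last so
# they override the plain "pass out" rules above.
pass out on $ext_if   route-to ($wow_8_if $wow_8_gw) from ($wow_8_if) to any
pass out on $wow_8_if route-to ($ext_if   $ext_gw)   from ($ext_if)   to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. When watching with tcpdump on $wow_8_if as the mail suggests, filter on the translated address ($wow_8_if's own address), not on $orion7's private address, since NAT has already rewritten the source by the time the packet is on the wire there.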