PF enabled - decreased performance

Tue, 04 Aug 2009 06:48:55 -0700 

Hello misc,

I have strange problem when I use PF for traffic shaping.
No such problem with PF disabled.
It is OpenBSD 4.5 stable. Here is dmesg: http://paste.lisp.org/display/84738

The problem is that the router start to generate losses.
It generates losses even to directly connected hosts. Here is an example:

r...@core1.bg
~ # ping a.a.a.230
PING a.a.a.230 (a.a.a.230): 56 data bytes
ping: sendto: No route to host
ping: wrote a.a.a.230 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote a.a.a.230 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote a.a.a.230 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote a.a.a.230 64 chars, ret=-1
64 bytes from a.a.a.230: icmp_seq=4 ttl=255 time=0.954 ms
64 bytes from a.a.a.230: icmp_seq=5 ttl=255 time=1.363 ms
64 bytes from a.a.a.230: icmp_seq=6 ttl=255 time=1.288 ms
64 bytes from a.a.a.230: icmp_seq=7 ttl=255 time=1.213 ms
64 bytes from a.a.a.230: icmp_seq=8 ttl=255 time=1.136 ms
64 bytes from a.a.a.230: icmp_seq=9 ttl=255 time=1.214 ms
64 bytes from a.a.a.230: icmp_seq=10 ttl=255 time=1.022 ms
64 bytes from a.a.a.230: icmp_seq=11 ttl=255 time=1.409 ms
64 bytes from a.a.a.230: icmp_seq=12 ttl=255 time=1.334 ms
64 bytes from a.a.a.230: icmp_seq=13 ttl=255 time=1.741 ms
64 bytes from a.a.a.230: icmp_seq=14 ttl=255 time=1.183 ms

a.a.a.230 is on the other and of vlan600, my ip is a.a.a.229
It just happens to all directly connected hosts.

And also mtr to ibm.com:

http://paste.lisp.org/display/84728

Firs packets get lost and then the losses disappear.
Next time I issue ping or mtr command it starts with losses.
It also happen to web traffic and it is annoying for the users.

It does not happen with pf disabled.
There is no more than 10 to 15 Mbit per second load and maximum total pps I have seen according to systat ifstat is 8000, average 4000. 

Here is my pf.conf:

http://paste.lisp.org/display/84727

I really appreciate your help.
If you need more info I did not provide or explain correctly just let me know. If the links are broken I will paste the configs to the list. 

Thank you,
Ivo


__________ Information from ESET NOD32 Antivirus, version of virus signature 
database 4304 (20090804) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

Reply via email to