Re: firewall performance throughput between Linux and OpenBSD

From: Sean (seconway_at_mts.net)
Date: 07/19/04


Date: 18 Jul 2004 16:31:16 -0700

Greg Hennessy <me@privacy.net> wrote in message news:<tnekf0pf9s4m4hfoer7mpee4n0cknumt2j@4ax.com>...
> On 17 Jul 2004 16:30:59 -0700, seconway@mts.net (Sean) wrote:
>
> >G'Day,
> >Can anyone suggest a cause for the performance difference between an
> >OBSD 3.5 pf firewall and a RH7.3 ipfilter firewall?
>
> Yes, a problem between the chair and keyboard.
>
> >The throughput
> >performance on OBSD is a 10th of the throughput on the RH firewall.
> >
> >
>
> 1/10th of the 'throughput' as measured by *what* exactly ?
>
>
>
> greg

Thanks to the people that suggested to move to a "better" O/S. I am
not interested. If I cannot solve the problem on OBSD I will stay with
Linux.

Enclosed are the hardware platforms that have been used to conduct the
tests:
Motherboard: P/I-P55TVP4
CPU:233MMX
RAM:64M
NIC: Dlink 530TX

Motherboard: P6B
CPU:433MMX
RAM:393M
NIC: Dlink 530TX

Internet: DSL using PPPOE

The firewall is used to connect a private network to the internet. The
private network is running a variety of windows boxes. All boxes show
the same slow performance symptom.

Enclosed are the pf.conf and ppp.conf files. Some information has
been altered to eliminate the obvious.

PF.CONF
# Macros
# ext_if -- the interface to the outside world
ext_if="tun0"

# prv_if -- the interface to the private hosts
prv_if="vr3"

# prv_hosts -- the list of addresses of hosts on the
# screened LAN
prv_hosts = "{192.168.2.1, 192.168.2.107, 192.168.2.10}"

# Options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# Normalize packets
scrub in all
scrub out all

# Translate packets
nat on $ext_if inet proto {tcp, udp, esp} from $prv_hosts to any -> ($ext_if) static-port

PPP.CONF
default:
 set log all Phase Chat LCP IPCP CCP tun command

pppoe:
 set device "!/usr/sbin/pppoe -i vr3"
 set mtu max 1492
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set login
 set authname ###################
 set authkey ####################
 add! default HISADDR
 enable dns
 enable mssfixup

I have used two tests to gauge performance.
www.pcpitstop.com/internet/BandwidthResults.asp has a crude
measurement tool. I have also tried doing ftp downloads. The same
result exists but it is not a true measure since the OBSD is using
ftp-proxy and the linux box does not.

Here are some performance stats using the above web link
Linux (233MHZ)
1071kbit/sec
1082
1111
OBSD3.4(233Mhz)
72
74
75
OBSD3.5(433Mhz)
144
143
142

I also tried an informal test by replacing the firewall without
notifying the clients. I was called within an hour of the new install
with complaints about slow performance. I switched the old unit back
in place and told the users there was an ISP problem.

I am a newbie at OBSD but have some experience with other Unixes. My
research using the books recommended on the OpenBSD site has not
provided any insight. This newsgroup did have a reference back in
2003 regarding performance issues. It was centered around the rules in
pf.conf. Running with a full pf rules file or the wideopen version
listed nets the same performance results. The linux box is running a
full rules file using iptables. I didn't try the performance test on
that box without rules.

I am stepping back to let un-biased eyes examine the setup to see if
there is something I am missing. I am open to suggestions. The
firewall works. The throughput performance is the issue.


