openBSD 3.8 firewall using 3com 3C509B nic speed problem



Hi,
I'm building a firewall using OpenBSD 3.8 and 2 ISA 3com 3C509B
etherlink III cards. At first I was using 2 cheap NE2000 compatible
cards, but the speed was suffering (half the normal speed). I saw
everywhere that building a firewall with NE2000 ISA NICs is not
recommended so I ordered 2 3C509B cards from ebay (these cards seem
the most recommended ISA cards for a firewall + openbsd) and thought
that it would fix my problem. But to my surprise it seems even worse
(not much, but at least not better).

One of the 3C509B is revision B (which is supposed to be very good)
and one is revision A (I saw that its limited buffering can cause
terrible speed performance drop on
http://www.holland-consulting.net/tech/OBSDCommProbs.html).

Here's my system
- Pentium 150Mhz
- 32 Meg RAM
- 3com 3C509B rev A
- 3com 3C509B rev B

My normal internet (Ultra High Speed ADSL) speed (downloads):
4400-4600 Kbits/s

Using the NE2000 cards I get
2000-2200 Kbits/s

Using the 3C509B cards I get
1400-2000 Kbits/s

I use pf on the firewall for filtering and it is setup with NAT. I
was sure that a Pentium 150Mhz/32Megs was more than enough for this
kind of firewall & an ADSL connection. I have another firewall running
at 75Mhz with 48Megs RAM with IPCOP 3.0 (linux with 1 NE2000 & 1 3C509B
NIC) and it's more than fast enough (no noticeable speed drop).

I tried everything in openbsd's configuration to find out what was
the problem, like setting the net.inet.tcp.recvspace &
net.inet.tcp.sendspace to 65535 instead of 16284. Right now the 3C509B
NICs are configured in PNP and full-duplex enabled (but not enabled in
openbsd), I tried to disable full-duplex with the 3com configuration
utility but it doesn't change anything. I was not able to disable PNP
(I know it's better to disable it when using openbsd) because the cards
were not detected by openbsd if PNP is off (tried several manual
combinations, even the one detected by PNP).

One thing I have noticed if I run top on the firewall while
downloading a large file is that in the CPU utilisation, the interrupt
section is between 50-78% while downloading the file. Is it normal?

Does anyone have any idea of what could cause this speed drop? What could I
do to diagnose the problem (useful openbsd tools)? Can the problem be
caused by the revision A card? or because PNP is enabled? or since the
speed is almost the same with NE2000 cards, by an openbsd
misconfiguration or because there's not enough RAM?

Any information will be greatly welcome.
