Hints on diagnosing performance issue in OpenBSD firewall

Posted by Tom on Super User See other posts from Super User or by Tom
Published on 2012-01-10T21:45:52Z Indexed on 2012/03/26 5:33 UTC
Read the original article Hit count: 490

Filed under:

firewall

|

openbsd

My OpenBSD 4.6 pf firewall has started having really bad performance in the past few weeks. I've isolated the firewall (as opposed to the WAN connection, switch, cable, etc.) as the problem, but need a hint on how to further diagnose or fix the problem.

The facts:

Normal setup is: DSL Modem -> FW Ext. NIC -> FW Int. NIC -> Switch -> Laptop

Normal setup described above gives only 25 Kbps!
Plugging the laptop straight from the DSL modem gives a 1 MBps connection (full speed, as advertised). Therefore, the DSL connection seems to be OK.
Plugging the laptop directly into the firewall's internal NIC (bypassing the switch) also gives only 25 Kbps. Therefore, the switch does not seem to be a problem.
I've replaced the ethernet cables, but it didn't help.
Here's the weird thing. Reloading the ruleset (/sbin/pfctl -Fa -f /etc/pf.conf) causes the laptop's connection to go up to 1 Mbps (i.e. full speed) for a few minutes before it gradually degrades back down to 25Kbps again.

Any ideas on what's wrong or how I could further diagnose the problem?

© Super User or respective owner

Related posts about firewall

Managed hosting firewall vs managing own firewall

as seen on Server Fault - Search for 'Server Fault'
I posted on stackoverflow as to the overall benefits of managed hosting vs non-managed hosting. The more I think about it, it seems to boil down to one question: should I use a managed host because they take care of the firewall, or would I be okay managing my own, software firewall? The sites… >>> More
Hardware firewall vs VMWare firewall appliance

as seen on Server Fault - Search for 'Server Fault'
We have a debate in our office going on whether it's necessary to get a hardware firewall or set up a virtual one on our VMWare cluster. Our environment consists of 3 server nodes (16 cores w/ 64 GB RAM each) over 2x 1 GB switches w/ an iSCSI shared storage array. Assuming that we would be dedicating… >>> More
Firewall behind firewall

as seen on Server Fault - Search for 'Server Fault'
I've recently changed jobs and I've been set up with a new workstation. On all previous places where I've been working they've had some sort of local firewall installed on each and every workstation - but here I've been told not to activate it because it is not necessary since we're already behind… >>> More
We have no SW Firewall behind our office HW firewall, admin says its not req'd

as seen on Server Fault - Search for 'Server Fault'
I've recently changed jobs and I've been set up with a new workstation. On all previous places where I've been working they've had some sort of local firewall installed on each and every workstation - but here I've been told not to activate it because it is not necessary since we're already behind… >>> More
Can't get FTP to work on centOS 5.6

as seen on Server Fault - Search for 'Server Fault'
Hi guys I have been trying for a few hours to install and get FTP to work... I did yum install ftp and yum install vsftpd They all installed and are running but when I try to use filezilla or some other client I just can't connect....I've tried connecting on port 21 and port 990 ....nothing! These… >>> More

Related posts about openbsd

Practical differences between OpenBSD and FreeBSD?

as seen on Super User - Search for 'Super User'
I have OpenBSD installed as a router/firewall, and have been thinking about trying either OpenBSD or FreeBSD out as a desktop system, as well. What kind of practical differences (not philosophical, like "OpenBSD's focus is security" [those are well explained at wikipedia ) are there between FreeBSD… >>> More
Setting up dovecot on OpenBSD

as seen on Server Fault - Search for 'Server Fault'
I'm a *nix n00b that just installed dovecot (the selection with no ldap, mysql or pgsql) on OpenBSD 4.0 and I want to set it up for imap use, but I'm having a hard time finding documentation that I can understand. It currently running on port 143 (checked with telnet) but from there I need to do the… >>> More
Writing your own Makefile for OpenBSD ports

as seen on Server Fault - Search for 'Server Fault'
I have an OpenBSD box running Python 2.6. I want to install py-setuptools, but that package is built against 2.5. I was curious as to what the Makefile for py-setuptools [Someone with rep, fix me please][http://www.openbsd.org/cgi-bin/cvsweb/ports/devel/py-setuptools/Makefile?rev=1.13;content-type=text%2Fx-cvsweb-markup… >>> More
Install OpenBSD from a USB flashdrive : "No OS" message on boot

as seen on Super User - Search for 'Super User'
Hello everyone, I'm attempting to install OpenBSD on a fancy new home server equipment I just bought and here is my problem. I followed this guide to create a bootable USB flash drive from an OpenBSD VM I have on my laptop but when I try to boot my laptop on it all I get is a "No OS" message (I… >>> More
"jpeglib.h: No such file or directory" ghostscript port in OPENBSD

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello I have a problem with compiling a ghostscript from ports in openbsd 4.7. SO i have jpeg-7 installed, I have latest port tree for obsd4.7. ===> Building for ghostscript-8.63p11 mkdir -p /usr/ports/pobj/ghostscript-8.63p11/ghostscript-8.63/obj gmake LDFLAGS='-L/usr/local/lib -shared' GS_XE=… >>> More