Poor performance ipf in combination p2p software!

Post #1, 09-29-2003, by Sno__
Subject: Poor performance ipf in combination p2p software!

Hi, I have no idea what the problem is and am hoping for pointers or maybe
even a solution.



Main description.

My bro's P2P software makes my firewall/internet so slow it's not normal,
and his download speed is terrible as well.



Problem 1.

Now my bro complains the download speed of BitTorrent is terrible, like I
didn't do my job well? And I must say I can't blame him, the download speed is
about 3-40kb and we have a 300+kb cable connection!



Problem 2.

I limited the upload of his PC so that BitTorrent doesn't consume all
bandwidth. But when the BT client is running and he's gone I can't use the
internet properly till I reboot the IPF firewall and stop those downloads. It
seems that all connections are congested; my firewall runs at about 3% CPU load.



My work.

I forwarded the ports for BitTorrent to his PC, as the documentation says.



-Ipf.rules

pass in quick on ed0 proto tcp from any to 10.50.0.30 port 6880 >< 6890 # BitTorrent



-Ipnat

rdr ed0 213.51.252.9/32 port 6881 -> 10.50.0.30 port 6881 tcp # BitTorrent:6881
rdr ed0 213.51.252.9/32 port 6882 -> 10.50.0.30 port 6882 tcp # BitTorrent:6882
rdr ed0 213.51.252.9/32 port 6883 -> 10.50.0.30 port 6883 tcp # BitTorrent:6883
rdr ed0 213.51.252.9/32 port 6884 -> 10.50.0.30 port 6884 tcp # BitTorrent:6884
rdr ed0 213.51.252.9/32 port 6885 -> 10.50.0.30 port 6885 tcp # BitTorrent:6885
rdr ed0 213.51.252.9/32 port 6886 -> 10.50.0.30 port 6886 tcp # BitTorrent:6886
rdr ed0 213.51.252.9/32 port 6887 -> 10.50.0.30 port 6887 tcp # BitTorrent:6887
rdr ed0 213.51.252.9/32 port 6888 -> 10.50.0.30 port 6888 tcp # BitTorrent:6888
rdr ed0 213.51.252.9/32 port 6889 -> 10.50.0.30 port 6889 tcp # BitTorrent:6889



I tried playing around with a less restrictive configuration, but that seems
to make the situation worse. I have no idea what this crap is; the logs look
like other BT clients connect at random ports that are not listed in the
ruleset (as far as the documentation goes), so they get turned away with a
return-icmp-as-dest(port-unr). This could be an explanation for the poor
download speed of BT.



Well, if someone knows a better explanation or solution that could help, please
post your thoughts.



grtz Sno__






Post #2, 09-29-2003, by Rob MacGregor
Subject: Re: Poor performance ipf in combination p2p software!

Sno__ wrote:

> Now my bro complains the download speed of BitTorrent is terrible, like I
> didn't do my job well? And I must say I can't blame him, the download speed is
> about 3-40kb and we have a 300+kb cable connection!


Remember there's a huge difference between Kb and KB. A 512 Kb/s cable
link will allow downloads of about 60 KB/s (roughly, divide Kb/s by 8 to
find KB/s).

So, a 300 Kb/s link will allow downloads of up to (about) 37 KB/s.
However, you're limited by the connectivity between you and the host
you're downloading from. If part of the connection between you and that
host is limited to 1 KB/s then that's the fastest download you'll get.

--
Rob MacGregor (BOFH) Oh my God! They killed init! You bastards!
The light at the end of the tunnel is an oncoming dragon.

Post #3, 09-29-2003, by Sno__
Subject: Re: Poor performance ipf in combination p2p software!

> > Now my bro complains the download speed of BitTorrent is terrible, like I
> > didn't do my job well? And I must say I can't blame him, the download speed
> > is about 3-40kb and we have a 300+kb cable connection!
>
> Remember there's a huge difference between Kb and KB. A 512 Kb/s cable
> link will allow downloads of about 60 KB/s (roughly, divide Kb/s by 8 to
> find KB/s).


Ok, you're right, but it's 300+ KB/sec, so I have the right to complain :)


Post #4, 10-05-2003, by Sno__
Subject: Re: Poor performance ipf in combination p2p software!

> > It's written flags S keep state yes, but you get the general idea. So have
> > any suggestions that could give some performance boost?
> >

>
> Yes, ipfilter unlike the openbsd pf (which uses an avl tree to keep
> state information internally) uses a hash to access state data. This
> means that if the hash size is too small there are a lot of collisions,
> long buckets are created and the searching performance (you need to
> search state information for each packet) degrades to linear search.
> Hence it is crucial to size the hash table correctly. There is an
> adjustable variable, either as a sysctl or in a header, I don't remember
> but you should find it easily.



Thanks man!

Found this so far, I think this is what you meant, but can you give me some
pointers on the values? (as I need to reinstall for a kernel recompile)

(what values should I try?)
1. Keep state stops working - it won't make new states.
There may be many reasons for this including that mentioned in question
1 of this section. However, there are other possibilities such as you have a
very busy firewall and you're filling the state table. For this you have a
few options: you can enlarge the state table, tweak some IPF values, or
both. See III-25 for details on enlarging the state table. Here are some
values to tweak though.
ipf.fr_tcpidletimeout=7200
ipf.fr_tcpclosewait=120
ipf.fr_tcplastack=120
ipf.fr_tcptimeout=240
ipf.fr_tcpclosed=60
ipf.fr_tcphalfclosed=300
ipf.fr_udptimeout=90
ipf.fr_icmptimeout=35

These values will be in very different places depending on your OS, such
as /etc/rc.sysctl, /etc/sysctl.conf, or /etc/system.


(needs a recompiled kernel)

2. How do I enlarge the state table? What else should be tweaked for
high-stress installs?
Edit ipf_state.h and look for the lines:

#ifndef IPSTATE_SIZE
# define IPSTATE_SIZE 5737
#endif
#ifndef IPSTATE_MAX
# define IPSTATE_MAX 4013 /* Maximum number of states held */
#endif

IPSTATE_MAX should be approx. 70% of IPSTATE_SIZE and both numbers should
be prime. The exact values you need depend highly upon the situation, but do
NOT go crazy. Numbers in the 6 digits are very excessive. If you are having
trouble with your state tables check out section IV-12 first.

For very high-traffic installations this will need to be tweaked. A good
number to start with is 10 connections per workstation and adjust from
there. Other things that might need tweaking depending on your situation are
NMBCLUSTERS and NAT_SIZE.



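A small helper for picking the two ipf_state.h values by the FAQ rule quoted in the post above (IPSTATE_MAX about 70% of IPSTATE_SIZE, both prime, six-digit values excessive, start from 10 connections per workstation). This is an added example, not code from the thread or from IPFilter; the 2x headroom factor and the 5-host LAN input are my assumptions.

```python
"""IPFilter state-table sizing per the FAQ rule quoted above: IPSTATE_MAX
about 70% of IPSTATE_SIZE, both prime, six-digit values excessive.
Added example, not from the thread or the IPFilter sources."""
import math

STATE_RATIO = 0.70     # IPSTATE_MAX / IPSTATE_SIZE target from the FAQ
EXCESSIVE = 100_000    # "numbers in the 6 digits are very excessive"


def is_prime(n: int) -> bool:
    """Trial division; fine for the 4-5 digit values in play here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def state_table_sizes(workstations: int, conns_per_host: int = 10,
                      headroom: float = 2.0) -> tuple:
    """Return (IPSTATE_SIZE, IPSTATE_MAX). conns_per_host=10 is the FAQ's
    starting point; the 2x headroom is my assumption, so a P2P host bursting
    above average does not fill the table ("keep state stops working")."""
    needed = math.ceil(workstations * conns_per_host * headroom)
    ipstate_max = next_prime(needed)
    ipstate_size = next_prime(math.ceil(ipstate_max / STATE_RATIO))
    if ipstate_size >= EXCESSIVE:
        raise ValueError("IPSTATE_SIZE %d is excessive per the FAQ" % ipstate_size)
    return ipstate_size, ipstate_max


def ratio_ok(size: int, maximum: int, tol: float = 0.03) -> bool:
    """True when both values are prime and MAX sits within tol of 70% of SIZE."""
    return (is_prime(size) and is_prime(maximum)
            and abs(maximum / size - STATE_RATIO) <= tol)


def render_defines(size: int, maximum: int) -> str:
    """The two lines to paste into ipf_state.h (recompile the kernel after)."""
    return ("#define IPSTATE_SIZE %d\n"
            "#define IPSTATE_MAX %d /* Maximum number of states held */"
            % (size, maximum))
```

For a constructed 5-host LAN, `state_table_sizes(5)` yields (149, 101), and `ratio_ok(5737, 4013)` confirms the stock defaults quoted above already satisfy the rule.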
Post #5, 10-11-2003, by Thomas Kolstø
Subject: Re: Poor performance ipf in combination p2p software!

"Sno__" <Dont@mail.me> wrote in message news:<bl9tji$4db$1@news1.tilbu1.nb.home.nl>...
> Hi, i have no idea what the problem is and are hoping for pointers or maybe
> even a solution.
>


I've been more or less successful with a combination of ALTQ and
ipfilter/ipnat for use at my office.

Basically I wanted to still keep my torrent seeds/downloads up in the
daytime, but with less priority than after working hours -
( I have a nice little crontab switching altq config files for me at
16:00 :)

It might be kinda overkill to do it this way, but hey - it works!
... and it was a good excuse for learning (well.. some of) it.

Some links:
http://www.csl.sony.co.jp/person/kjc...ware.html#ALTQ <- ALTQ homepage
http://www.rofug.ro/projects/freebsd-altq/ <- ALTQ integration in FreeBSD project


Mvh/Rock on
Thomas Kolstø
- thomas@kolsto.no