DaemonForums > OpenBSD > OpenBSD Security

#1
20th June 2014
rawshack (New User; Join Date: Dec 2011; Posts: 3)
pf - Internet seems slow

Hi forum,

I think this is my first post since I registered, I'm sorry for that. I almost always search the web first before posting. I have already set up my home OpenBSD NAT gateway. I can browse some sites with no problem, but others seem to get a timeout and won't load the page; most of them are bank sites I cannot log in to, and some iPad games. I'm not sure where to start investigating the problem. My setup is OpenBSD 5.5 with two NICs: one attached to a Linksys wifi router on which I disabled the wifi and made it bridge to my gateway (pppoe(4), pppoe0), and the other doing dhcp for the local switch; in my switch I attached a wifi router in AP mode with dhcp disabled. Is it okay to name the bank or even the iPad games? Below is the basic setup of my OpenBSD NAT.

Code:

set limit states 100000
set limit frags 5000
set block-policy return

set skip on lo

int_if = "re0"
ipad = "192.168.1.200"
localnet = $int_if:network

table <thinkpad> { 192.168.1.214, 192.168.1.215 }

block return    # block stateless traffic
pass            # establish keep-state

# no X11 forwarding except over loopback
block return in on ! lo0 proto tcp to port 6000:6010
# NAT the LAN behind the first address on the egress interface
match out on egress inet from $localnet to any nat-to (egress:0) port 1024:65535

block in all
# only the thinkpads may reach the gateway's sshd
block in quick inet proto tcp from ! <thinkpad> to 192.168.1.1 port 22
pass out quick inet from $localnet to egress keep state
pass in inet proto icmp all icmp-type echoreq
pass in on re0
#2
20th June 2014
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Hello, and welcome! I'm glad you've stopped lurking and have joined the party!

Since you are using pppoe(4), I wonder if you are experiencing degradation due to MTU settings. If I recall correctly, PPPoE had an upper MTU bound of 1492 bytes until RFC 4638 was instituted at OpenBSD 5.1. If your Linksys equipment is not RFC 4638 capable, or is configured to a lower MTU, perhaps MTU needs to be adjusted. The pppoe(4) man page shows 1492 being used in its published configuration example.

I also wonder if the pool(9) limitation you instituted for frags is pouring oil on flames, if you happen to have fragmentation caused by mismatched MTUs.

But I'm not a pppoe(4) user, so I don't write from any operational knowledge.
#3
20th June 2014
rawshack (New User; Join Date: Dec 2011; Posts: 3)
Hi jggimi,

Thank you very much. I was able to browse and log in smoothly by adding the line below to my pf.conf. Noted: "I better read the man page twice". I really appreciate your help.

Code:
match on pppoe0 scrub (max-mss 1440)
#4
20th June 2014
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)
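What the `scrub (max-mss 1440)` line above actually does, shown on the wire: pf rewrites the MSS option inside every SYN that crosses pppoe0 so that neither end ever agrees to a segment larger than the PPPoE path can carry, which is what stops the "some sites hang" symptom when ICMP fragmentation-needed messages are lost. The following Python is an added illustration written for this thread, not code from the poster or from OpenBSD: it builds a SYN with a 1460-byte MSS (a value a LAN host would normally send), applies the same clamp pf performs, and recomputes the TCP checksum. The addresses and ports are constructed sample values; `mss_for_mtu` is a helper I named here, giving the headroom arithmetic for the 1492-byte PPPoE MTU jggimi mentions.

```python
"""Reproduce pf's `scrub (max-mss N)` on a constructed TCP SYN.

Added example for the thread, not OpenBSD code. Everything is built in memory,
so it runs offline; addresses/ports below are constructed sample values.
"""
import struct

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20
TCP_PROTO = 6
MSS_OPTION_KIND = 2
FLAG_SYN = 0x02


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one IPv4 packet of the given MTU
    when neither IP nor TCP carries options. 1492 -> 1452; the thread's 1440
    leaves 12 more bytes, which is exactly the size of a TCP timestamp option
    plus its two NOP pads (assumption stated here, not the man page's wording)."""
    return mtu - IPV4_HDR_LEN - TCP_HDR_LEN


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header and the TCP segment.
    Returns 0 when called on a segment whose checksum field is already correct."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """A minimal SYN (no data) carrying only an MSS option."""
    options = struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)   # kind, len, value
    data_offset = (TCP_HDR_LEN + len(options)) // 4          # in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset << 4, FLAG_SYN, 65535, 0, 0)
    segment = header + options
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def find_mss_option(segment):
    """Byte offset of the 16-bit MSS value in a SYN's option list, or None.
    Malformed option lists return None so the caller leaves the packet alone."""
    if len(segment) < TCP_HDR_LEN:
        return None
    data_offset = (segment[12] >> 4) * 4
    if not segment[13] & FLAG_SYN or data_offset > len(segment):
        return None                          # MSS is only meaningful on SYN
    i = TCP_HDR_LEN
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                        # end of option list
            return None
        if kind == 1:                        # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset:
            return None                      # truncated option
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            return None                      # bogus length
        if kind == MSS_OPTION_KIND and length == 4:
            return i + 2
        i += length
    return None


def clamp_mss(src_ip, dst_ip, segment, max_mss):
    """What `scrub (max-mss max_mss)` does: lower an oversized MSS and fix the
    checksum. Returns (segment, original_mss); original_mss is None when the
    segment carried no MSS option."""
    pos = find_mss_option(segment)
    if pos is None:
        return segment, None
    old = struct.unpack_from("!H", segment, pos)[0]
    if old <= max_mss:
        return segment, old                  # already small enough, untouched
    buf = bytearray(segment)
    struct.pack_into("!H", buf, pos, max_mss)
    buf[16:18] = b"\x00\x00"                 # zero checksum before recomputing
    struct.pack_into("!H", buf, 16, tcp_checksum(src_ip, dst_ip, bytes(buf)))
    return bytes(buf), old


if __name__ == "__main__":
    # Constructed sample: the iPad from the thread's macros talking to a
    # documentation-range address (TEST-NET-3) on port 443.
    lan_host = bytes([192, 168, 1, 200])
    remote = bytes([203, 0, 113, 10])
    syn = build_syn(lan_host, remote, 49152, 443, 1460)
    clamped, original = clamp_mss(lan_host, remote, syn, 1440)
    print("MSS %d -> %d, checksum ok: %s" % (
        original, struct.unpack_from("!H", clamped, find_mss_option(clamped))[0],
        tcp_checksum(lan_host, remote, clamped) == 0))
```

Reading the output together with the thread: without the clamp, the remote side would happily send 1460-byte segments, the 1492-byte pppoe0 link cannot carry them in one IP packet, and if the "fragmentation needed" ICMP never makes it back (or `set limit frags` starves reassembly, as jggimi suspected), the connection stalls exactly at the first large reply, which for a bank login is usually the page after the POST.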

Heh. I wouldn't call that "help". Help would have been to point you at the mss setting.

If I'd read the man page twice, I might have pointed you at the fix. But I didn't, so I didn't.