Subject: high bandwidth transfers fail through netbsd gateway ?
To: None <netbsd-help@netbsd.org>
From: None <jcline@ieee.org>
List: netbsd-help
Date: 06/02/2002 02:12:30
Hello all netbsd experts,

I have recently set up netbsd as an ipf/nat gateway between a
dsl modem and a win9x box.  This has taken a bit of effort,
but it's mostly working well:
 [ dsl modem ] --- eth tlp0 -- [netbsd] -- rtk0 -- [ hub ] -- [ PC ]

NetBSD rms1 1.5.3_RC2 NetBSD
1.5.3_RC2 (GENERIC) #2: Sat Apr 27 18:25:24 CEST 2002    
he@pepperoni.uninett.no:/usr/src/sys/arch/i386/compile/GENERIC i386

netbsd is running dhclient on the tlp0 side, and dhcpd on the rtk0
side.  The PC can access the net fine.  My ipf rules are currently
pass all in/out, so I am not doing any filtering (yet).  The NAT
maps the LAN side from 10.1.1.x to the ISP's assigned IP.  (My
DSL config does not use pppoe.)

The problem is that large PC transfers hang after ~1-2 megs.
i.e. an ftp to ftp.netbsd.org, or web video, etc, will stop
packet flow.  At this point I can kill the PC app and normal
ftp or web browsing works ok, however the transfer is toast.
What's the difference between a high bandwidth connection
and a slow one?  The DSL link is 768k downstream and 384k up
(supposedly though luckily I'm only 2 blocks from the CO so
it should be max rate).

I can ftp from the gateway (this netbsd box) just fine. Only
the PC has the problem.  Hmm, I guess I might mention that
rtk0 is a 10/100 card, the hub is 10Mb, and the PC uses a
10/100 card, since this is a bandwidth-related issue.


I'd appreciate any ideas on this problem or how to debug it
further.  I think I've read everything I can point by browser
to regarding IPF and NAT but further pointers are welcome.

Also, please reply to the list, since this box isn't set
up to retrieve email (it's just supposed to be a secure
gateway...); I've set the reply-to accordingly.


...some other config stuff follows...

% ifconfig -a
tlp0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
	address: 00:a0:cc:e5:6d:13
	media: Ethernet 10baseT
	status: active
	inet 4.63.232.27 netmask 0xfffff800 broadcast 4.63.239.255
	inet6 fe80::2a0:ccff:fee5:6d13%tlp0 prefixlen 64 scopeid 0x1
rtk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	address: 00:50:ba:c1:78:39
	media: Ethernet autoselect (none)
	status: active
	inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
	inet6 fe80::250:baff:fec1:7839%rtk0 prefixlen 64 scopeid 0x2


# ipf.conf
pass in from any to any 
pass out from any to any


# ipnat.conf
# tlp0 is the WAN side ethernet link

map tlp0 10.1.1.1/24 -> 0/32 proxy port ftp ftp/tcp
map tlp0 10.1.1.1/24 -> 0/32 portmap tcp/udp 40000:60000
map tlp0 10.1.1.1/24 -> 0/32


# dhclient.conf
interface "tlp0" { 
	send host-name "rms1";
	request subnet-mask, broadcast-address, routers, domain-name-servers;
}

# dhcpd.conf

allow unknown-clients;
ddns-update-style ad-hoc;

subnet 10.1.1.0 netmask 255.255.255.0 {
	authoritative;
	range 10.1.1.100 10.1.1.200;
	default-lease-time 10000;
	max-lease-time 10002;
	option subnet-mask 255.255.255.0;
	option domain-name-servers 4.2.2.1, 4.2.2.2, 4.2.2.3;
	option domain-name "rms1.dsl-verizon.net";
	option routers 10.1.1.1;
}
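The post describes the box as a "secure gateway" while its ipf.conf passes everything in and out. The following is an added example, not the poster's configuration: a default-deny, stateful ipf.conf for the same tlp0 (WAN) / rtk0 (LAN) layout. The interface names, the 10.1.1.0/24 LAN and the reliance on the ftp proxy in ipnat.conf come from the post; the ICMP and DHCP rules and the logging choices are assumptions.

```conf
# Added example ipf.conf (not from the post). First matching "quick" rule wins.
# Assumes: tlp0 = WAN (ipnat maps 10.1.1.0/24 out of it), rtk0 = LAN, lo0 = loopback.

# Anti-spoofing: LAN addresses must never arrive from the WAN side.
block in log quick on tlp0 from 10.1.1.0/24 to any

# Loopback and the LAN side are trusted.
pass in  quick on lo0  all
pass out quick on lo0  all
pass in  quick on rtk0 all
pass out quick on rtk0 all

# Outbound sessions from the gateway and the NATed PC. Filtering runs before
# NAT on output, so the 10.1.1.x sources are matched here; "keep state" lets
# the replies back in without any explicit inbound pass rule. Active-mode ftp
# data connections are handled by the "proxy port ftp" line in ipnat.conf.
pass out quick on tlp0 proto tcp  from any to any flags S/SA keep state
pass out quick on tlp0 proto udp  from any to any keep state
pass out quick on tlp0 proto icmp from any to any keep state

# Assumption: let ICMP unreachables in so path-MTU discovery for the NATed
# hosts keeps working (blocking these is a classic way to stall big transfers).
pass in quick on tlp0 proto icmp from any to any icmp-type unreach

# Assumption: DHCP offers/acks from the ISP to dhclient on tlp0.
pass in quick on tlp0 proto udp from any port = 67 to any port = 68

# Everything else arriving on the WAN side is dropped and logged.
block in  log quick on tlp0 all
block out log quick on tlp0 all
```

Load it with `ipf -Fa -f /etc/ipf.conf` and watch `ipmon` (or `ipfstat -hio`) for hits on the logging block rules before tightening further.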