Есть две машины: FreeBSD 7.0 и Windows 2003 Server. Фря — шлюз, все сервисы (кроме NAT и DNS) на виндах, большая часть портов редиректится на винду, НО РЕАЛЬНО ЛАГАЕТ инет. Причём потери пакетов нет... PING ya.ru (213.180.204.8): 56 data bytes
64 bytes from 213.180.204.8: icmp_seq=0 ttl=56 time=43.582 ms
64 bytes from 213.180.204.8: icmp_seq=1 ttl=56 time=66.388 ms
64 bytes from 213.180.204.8: icmp_seq=2 ttl=56 time=48.806 ms
64 bytes from 213.180.204.8: icmp_seq=3 ttl=56 time=47.983 ms
64 bytes from 213.180.204.8: icmp_seq=4 ttl=56 time=44.951 ms
traceroute to ya.ru (213.180.204.8), 64 hops max, 40 byte packets
1 L0.GHSDR33-DP.alkar.net (195.248.176.235) 12.846 ms 12.346 ms 12.763 ms
2 V110.CORE1-DP.alkar.net (195.248.191.129) 13.281 ms 13.549 ms 13.770 ms
3 core-0-0GE-222dot1q.dniepr.ucomline.net (62.221.41.145) 14.557 ms 13.314 ms 13.330 ms
4 core-0-wsx670410ge-3-1GE.kiev.ucomline.net (213.130.29.202) 19.423 ms 19.923 ms 18.952 ms
5 * yandex-gw.ix.net.ua (195.35.65.88) 19.745 ms 18.757 ms
6 titanium-vlan904.yandex.net (213.180.208.94) 42.131 ms * 41.428 ms
7 silicon-vlan901.yandex.net (77.88.56.125) 41.613 ms 41.821 ms 41.862 ms
8 ortega-vlan4.yandex.net (213.180.210.188) 43.369 ms 42.907 ms 43.095 ms
9 ya.ru (213.180.204.8) 49.020 ms 47.599 ms 50.491 ms
Конфиги.
rc.conf
# /etc/rc.conf of the FreeBSD 7.0 gateway (as posted).
# This box forwards packets between its interfaces.
gateway_enable="YES"
keymap="ru.koi8-r"
linux_enable="YES"
nfs_client_enable="YES"
sshd_enable="YES"
# Local BIND resolver; configured forward-only in named.conf (see below).
named_enable="YES"
# User-land ppp(8), profile "prov" from ppp.conf; ddial mode redials whenever
# the link drops, i.e. the PPPoE session is meant to be permanently up.
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="prov"
# Packet filter: ruleset path, logging to pflog0, no extra pfctl flags.
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pf_flags=""
# re0 carries the PPPoE session (ppp.conf: "set device PPPoE:re0") and also
# gets a static address here; fxp0 is the LAN side ($int_if in pf.conf).
ifconfig_re0="inet 172.17.17.2 netmask 255.255.255.0"
ifconfig_fxp0="inet 10.0.0.253 netmask 255.255.255.0"
ifconfig_rl0="inet 192.168.0.59 netmask 255.255.255.0"
# NOTE(review): a static default route via re0 is set here while ppp.conf
# also does "add default HISADDR" over tun0 -- two default routes compete;
# confirm which one is intended ("netstat -rn" while the link is up).
defaultrouter="172.17.17.1"
hostname="freebsd.local"
pf.conf
# /etc/pf.conf of the gateway (as posted). xxx.xxx.xxx.xxx is the masked
# public address of the PPPoE link.

# Macros
ext_if="tun0"
int_if="fxp0"
# NOTE(review): $ext_if2 is declared but not referenced by any rule below.
ext_if2="tun1"
# Options
set block-policy return
set loginterface $ext_if
set skip on lo
# Traffic normalization
# NOTE(review): on a PPPoE link (MTU below 1500) check whether the TCP MSS is
# clamped anywhere (ppp's tcpmssfixup or "scrub ... max-mss"); missing
# clamping is a common cause of "slow but no packet loss" symptoms.
scrub in
# NAT
# NOTE(review): an interface name used as an address expands to the
# interface's own address(es), not its subnet; "$int_if:network" is what
# matches the whole 10.0.0.0/24 LAN. Verify the loaded rule with "pfctl -sn".
nat on $ext_if from $int_if to any -> $ext_if
# Port forwarding to the Windows server (10.0.0.254).
# "rdr pass" already passes the redirected traffic, so the matching "pass in"
# rules in the filter section are redundant for these ports.
# 3389 is redirected twice (here and in the list two rules down); harmless,
# but one of the two can go.
rdr pass on $ext_if proto tcp from any to any port 3389 -> 10.0.0.254 port 3389
# GRE + TCP/1723 expose the Windows PPTP service to the whole Internet, as
# does 3389 (RDP). Where the clients are predictable, consider narrowing
# "from any" to known source networks.
rdr pass on $ext_if proto gre from any to xxx.xxx.xxx.xxx -> 10.0.0.254
rdr pass on $ext_if proto tcp from any to xxx.xxx.xxx.xxx port { 3389, 1494, 1533, 8888, 1352, 1723, 25, 80, 4090, 5555, 8000 } -> 10.0.0.254
# Filtering: default deny inbound, stateful pass outbound.
block in all
pass out keep state
antispoof quick for { lo, $int_if } inet
# NOTE(review): re0 is the physical interface the PPPoE session runs over;
# the link's IP traffic arrives on tun0, so re0 here presumably only matters
# for the 172.17.17.0/24 side -- confirm.
# Ports 42740, 11445 and 6767 are not in any rdr rule, so they terminate on
# the gateway itself.
pass in on {$ext_if, re0} inet proto tcp from any to xxx.xxx.xxx.xxx \
port { 42740, 3389, 11445, 1494, 1533, 8888, 1352, 1723, 25, 80, 4090, 6767, 5555, 8000 } keep state
pass in on $ext_if inet proto tcp from any to 10.0.0.254 port { 42740, 11445, 6767, 3389, 1494, 1533, 8888, 1352, 1723, 25, 80, 4090, 5555, 8000 } \
keep state
# SSH and ident from outside.
pass in on {$ext_if, re0 } inet proto tcp from any to xxx.xxx.xxx.xxx \
port { 22, 113 } keep state
pass in inet proto icmp all icmp-type echoreq keep state
# Duplicate of the 3389 entries above.
pass in on $ext_if inet proto tcp from any to any port 3389 keep state
# Everything on the LAN side is allowed without further filtering.
pass quick on $int_if
named.conf (только изменённый кусок)
// Changed part of the named.conf "options" block, as posted.
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
// Forward-only: every recursive query goes to the forwarders listed below.
forward only;
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
// 10.0.0.254 is the Windows server on the LAN; the other two appear to be
// provider resolvers (same 195.248.x.x range as the first traceroute hops).
forwarders {
10.0.0.254; 195.248.191.67; 195.248.191.72;
};
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND versions 8 and later
* use a pseudo-random unprivileged UDP port by default.
*/
// NOTE(review): pinning the source port to 53 disables BIND's source-port
// randomization and makes cache poisoning of this forwarder far easier.
// pf.conf's "pass out keep state" already lets replies to random high
// ports back in, so this line is not needed for the firewall; remove it.
query-source address * port 53;
};
resolv.conf
# /etc/resolv.conf as posted.
domain local
# Local named first, provider resolver as fallback.
nameserver 127.0.0.1
# NOTE(review): ppp.conf has "enable dns", which lets ppp rewrite
# /etc/resolv.conf with the peer's nameservers when the link comes up --
# confirm this file survives a reconnect.
nameserver 195.24.145.138
ppp.conf
# /etc/ppp/ppp.conf as posted (the indentation of the lines under each label
# was lost in the post; ppp requires them to be indented).
default:
set log Phase tun command
# NOTE(review): requests DNS servers from the peer and lets ppp update
# /etc/resolv.conf -- this can overwrite the "nameserver 127.0.0.1" entry
# that points at the local named; confirm the intended behaviour.
enable dns
# Not used by "prov": a label inherits only from "default".
papchap:
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255
prov:
# PPPoE over re0, the same interface rc.conf gives a static address.
set device PPPoE:re0
# Credentials in clear text: keep this file owned by root, mode 0600.
set authname login
set authkey password
set redial 100 10
set reconnect 5 10
set dial
set login
# NOTE(review): adds a default route via the peer; rc.conf also sets
# defaultrouter="172.17.17.1". Two default routes is a plausible source of
# the odd latency -- confirm which one should win.
add default HISADDR