SG-3100 Slow Throughput
-
I've had the SG-3100 for about a year now and it has been pretty solid, until the last month or so. I have AT&T 1GB service, but when connecting through the pfsense, I cannot get more than ~40Mbit/s down and ~70Mbit/s up. I've been mucking with settings for the last week and I've finally hit a wall. I'm hoping someone may see something I've over looked. (I don't recall making any changes that would affect this, other than updating to the latest versions. I was using remote logging for a while, but have that disabled now for testing.)
Setup
Internet<-->ATT Residential Gateway<--->(WAN port)SG 3100(LAN port)<-->LAN
Version 2.4.4-RELEASE (arm)
built on Thu Sep 20 09:33:19 EDT 2018
FreeBSD 11.2-RELEASE-p3Tests
Directly connected to the RG - 650+ down / 400.0+ up
Directly connected to the SG-3100 - 43.2 / 70.0Interfaces:
"Relevant" Settings:
MBuf clusters
kern.ipc.nmbclusters=65536
Note: I had it set to 1M, just lowered it to 65K to see if anything changedTSO
net.inet.tcp.tso=0
Note: This keeps turning back on... I have it set to 0 in /boot/loader.conf, but upon boot it's back to 1I have openvpn (server) running, but nothing is connected.
I don't have anything else running (no squid, no suricata).Any help what-so-ever would be greatly appreciated.
Edit:
LAN Speed seems to be fine, iperf3 between the pfsense and a computer on the LAN is 705 Mbit/s
-
@torred
I don’t know. I have ATT gig service and SG-3100 and see 910 down, 940 up. I see the same using the provided gateway or bypassing the gateway. I have no idea what would cause you to see such low speeds. Your speeds through the gateway are off a bit too. Good luck.
-
The 2 sg3100 I have in production see their full internet speed as well.. Its not gig.. But way above the 40/70 your seeing... That screams something really wrong - maybe duplex mismatch?
So directly connect you only see about 1/2 of what your paying for - and you don't think that is a problem? If your paying for gig - ou should see high 800's if not low 900's at min.. If not I would be looking to what is wrong there.
You should not need to do any tweaking like your doing.. It sure and the hell is not going to make 40mbps jump to 600..
-
@johnpoz said in SG-3100 Slow Throughput:
So directly connect you only see about 1/2 of what your paying for - and you don't think that is a problem?
I chatted with AT&T about this, it would seem that 600Mbit is "within tolerance" for their 1Gb service, smh.
I agree that these tweaks shouldn't make such a huge difference, so should I be contacting Netgate about a possible hardware issue?
-
what about the crappy 400 up? Is that in their tolerance range as well... They should advertise it as you "MIGHT" get close to gig with our service.. But prob not ;) If you get 400 then we say its good! So Piss off and send us your money!!
How exactly are you testing this? Take your isp device out of the equation... run say iperf..
iperf server --- wan pfsense lan --- iperf client..
What do you see then? This should be damn close to this
ifperf server ---- iperf client
If no pfsense and iperf serv and client are good, and with pfsense and tested same cables its BAD... like what your seeing then yeah I would be contacting support abut bad hardware..
What speeds were you seeing with it before you switched to ATT?
-
So good idea removing the RG from the equation, here's what I came up with...
In summary, TCP looked "good" (~700Mbit - ~900Mbit), regardless of pfsense WAN or LAN ports used (also good if pfsense was not in the path, e.g. just across my switches). Sooo....hardware on the SG-3100 is good...hardware on RG is "good" (suspect)...but as soon as I connect the two they hate me.
I'm going to do some packet captures and see if I can gleam anything from those. If I find something interesting I'll reply back. If I don't reply in 3 days, I've thrown all of my equipment away and moved to the middle of Montana to start my life as a hermit.
Same cables used for all tests (Cat 5E)
--------------------- WAN-to-LAN tests (No ATT RG) -------------------
Laptop(iperf client)->(WAN port)pfsense (iperf server)
TCP: 737 Mbit/s
Reverse TCP: 809 MBit/sLaptop(iperf client)->(WAN port-NAT rule)pfsense(LAN port 1)->[2x Netgear ProSafe Switches]->Internal server(iperf server)
TCP: 863 Mbit/s
Reverse TCP: 759 MBit/s--------------------- LAN-to-LAN tests (No ATT RG) -------------------
Laptop(iperf client)->(LAN port 4)pfsense (iperf server)
TCP: 679 Mbit/s
Reverse TCP: 700 MBit/sLaptop(iperf client)->(LAN port 4)pfsense(LAN port 1)->[2x Netgear ProSafe Switches]->Internal server(iperf server)
TCP: 909 Mbit/s
Reverse TCP: 795 Mbit/s(Test without pfsense)
Laptop(iperf client)->Netgear Switch->Internal Server (iperf server)
TCP: 899 Mbit/s
Reverse TCP: 949 Mbit/s--------------------- LAN-to-Internet tests -------------------
(SG-3100 and ATT RG)
Laptop(iperf client)->[2x Netgear ProSafe Switches]->(LAN port 1)pfsense(WAN)->(LAN Port 1)ATT RG->Internet VPS(iperf server)
TCP: 14.4 Mbit/s (this would be me uploading) -- Likely an issue with my VPS, it throttles uploads
Reverse TCP: 43.7 Mbit/s (this would be me downloading)Same thing, except to http://speedtest.att.com/speedtest/
Upload: 47 MBit/s
Download: 76.6 MBit/s(Just ATT RG, no SG-3100)
(I used the same cable that was between the SG-3100 and the RG)
Laptop(iperf client)->(LAN Port 1)ATT RG->Internet VPS(iperf server)
TCP: 14.8 Mbit/s (this would be me uploading) -- Likely an issue with my VPS, it throttles uploads
Reverse TCP: 21.6 - 455 Mbit/s (this would be me downloading) (Why the huge difference??? IDK.. sometimes low, sometimes 200s sometimes 400s... over 10 tests)Same thing, except to http://speedtest.att.com/speedtest/
Upload: 124 - 459 MBit/s
Download: 268 - 828 MBit/s (Again, all over the place)@johnpoz said in SG-3100 Slow Throughput:
What speeds were you seeing with it before you switched to ATT?
I've had AT&T for 3 years. When I got the SG-3100 back in October 2017 (as soon as it was released), my speed was good (600-700+). I've only noticed the slow down in the last month or two.
-
@torred said in SG-3100 Slow Throughput:
pfsense (iperf server)
That is going to show you low results compared to routing THRU pfsense.. You need 2 boxes.. Do not use pfsense as client or server in your iperf testing.
-
@johnpoz I had only done that as one part of the test, as you can see, I did test through it in other tests.
I honestly do not know what is going on. I did a factory reset on the SG-3100 with the same results. Except now I'm experiencing a multitude of other failures.
I've removed my pfsense, and am just using the ATT RG and everything works perfectly.
Thanks for your help @johnpoz, I'll be contacting Netgate Support and see if they can help me out.
-
Alright, if anyone happens to read all the way down here, I never figured out what the problem between the two was, but I ended up bypassing the AT&T RG by doing this:
https://github.com/aus/pfattIt was fairly easy to compile the needed ng_etf.ko kernel module for armv6:
- Get a FreeBSD 11.2 amd64 VM going (for pfSense 2.4.4) -- make sure to include src when installing
- Get a shell, and do this:
$ cd /usr/src
$ make kernel-toolchain TARGET_ARCH=armv6
# Wait about an hour
$ make buildenv TARGET_ARCH=armv6 BUILDENV_SHELL=/bin/sh
$ cd /usr/src/sys/modules/netgraph/etf
$ make - You now have your own compile netgraph etf module, follow the rest of the guide.
- I used the OPT1 (mvneta0) port for the RG, and the WAN (mvneta2) port for the ONT
Everything works fine now.
-
@torred - you're one step (but light years) ahead of where I am. I simply need a trusted copy of ng_etf.ko for FreeBSD 11.2 to plop onto my SG-3100 and I'm done. Everything else in the pfatt project is ready for the reboot.
I don't have spare hardware lying around so have been trying to download the FreeBSD VMware image, but it has no source. And when I try to download the source, it fails. This simple step mocks me. Any thoughts?
Sean
-
@sean-allen, try following this: https://www.freebsd.org/doc/handbook/makeworld.html#updating-src-obtaining-src
TL;DR: svn update /usr/src
There's quite a few guides on setting up FreeBSD for qemu, virtualbox, and VMWare. Once you get it running it's pretty easy.
Edit: Also, you could...
wget ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/11.2-RELEASE/src.txz
tar -xz -C / -f src.txz
-
@torred I'm very thankful for your help with the ng_etf.ko. I have all in place and am bypassing the AT&T RG.
However, my speeds have not improved. At all. Quite the let down as I was assuming the interaction between RG and SG-3100 was the issue
- Directly through the RG I was seeing 900+Mbit up/down
- SG-3100 through RG in IP Passthrough yielded ~100Mbit up/down
- Same setup using PIA as my VPN gave ~75Mbit up/down
- I bypassed the RG with great expectation and the ~100Mbit and ~75Mbit numbers remained. <sad trombone>
Those numbers varied, but not nearly as wildly as @torred results. The speed tests I'm doing are speedtest.net, dslreports.com and att.com. I'm not familiar with iperf. I loaded it on pfSense and the dizzying array of config options had me walk away from that.
Other than the PIA VPN, I have:
- pfBlockerNG DNSBL
- OpenVPN Server (though no clients, it's just there to hit my network from outside while traveling)
- ntopng
Turning off DNSBL and ntopng have no measurable effect on speed tests. I have the laptop I'm running speed tests on directly connected to one of the switched ethernet ports on the back of the SG-3100 removing other switches from the test.
Any other thoughts or suggestions here? I feel like the SG-3100 should be able to keep up with these, even with VPN, based on what I've read. It surely should be going faster than it is.
Thank you!
SeanSide note: Anyone know why I can't access these forums through my PIA VPN? I have to bypass that before any page will load.
-
@sean-allen said in SG-3100 Slow Throughput:
Side note: Anyone know why I can't access these forums through my PIA VPN? I have to bypass that before any page will load.
-
@grimson thanks! I searched the forum, but I kept getting assorted posts about PIA/VPN/access/etc. - none having to do with the forum.
Sean
-
It's clear that personal VPNs are a contentious issue here, so let's remove that from the equation for now.
I can get 900Mbit speeds directly from the AT&T RG, but as soon as I introduce my SG-3100 into the path (either through or bypassing the RG) I start getting 100Mbit (not through VPN) - or a bit more than 10% of the available bandwidth.
Any ideas on how I've messed up my configuration such that the SG-3100 is pouring molasses on my link? I'm going through my entire network to make sure I have "good" cables and switches to remove that from the equation - but even when I plug a new cable directly into the switched ports on the SG-3100, same result.
Sean
-
The AT&T RG is a beast, unfortunately.
https://forum.netgate.com/topic/99190/att-uverse-rg-bypass-0-2-btc/1
-
@derelict Precisely why I went to such lengths to bypass it. Finally have that working (because @aus is a rockstar). Now the RG is not inline for standard (non EAP) traffic. It is SG-3100->ONT. That config yields less than 100Mbit, whereas if I do client->RG->ONT I get 900Mbit.
-
It must still be something in the bypass configuration then. Perhaps something in the traffic that is not marked in some way that AT&T expects it.
Or something that should be negotiating gigabit is negotiating at 100.
If it were me - and I couldn't find someone else who has put all the pieces together - I would put a switch with a SPAN port between the RG and the ONT in this configuration
client->RG->ONTand capture traffic on a mirror port.Then I would put the same switch between the SG-3100 and the ONT in this configuration
SG-3100->ONTand capture traffic and see if there is a difference in QoS bits, VLAN priority, or something.
-
Yup that is exactly the steps need to figure out what is going on
-
@Derelict and @johnpoz - thanks for the feedback!
Quick question, though: if
client->RG->ONTis at 900Mbit and (SG-3100->RG->ONTorSG-3100->ONT) are both sub 100Mbit - doesn't that point to an issue with the config or hardware of the SG-3100? The RG running in IP Passthrough, or being bypassed, yields the same result when the SG-3100 originates the traffic. The bypass method would seem to not be adding or subtracting anything relevant here, but I defer to your expertise. The bypass, if you're curious, uses netgraph to set aside the EAP auth traffic such that it only goes between RG and ONT (which are plugged into the two routed eth ports of the 3100). All other traffic sent directly from the SG-3100 to the ONT via a new interface (ngeth0) defined by netgraph to tag outbound as VLAN 0 (some odd AT&T requirement). It would appear that the only thing the RG is used for by AT&T is to make sure AT&T equipment is present - so the hard-coded cert in the RG is required to authenticate the channel. Full details on the bypass, if interested, are here: https://github.com/aus/pfattThe reason I ask is because it will not be easy for me to mirror and capture traffic as you've suggested. Partly because of hardware, partly because of expertise.
-
My SG-3100 runs in either bypass or IP-Passthrough with full speed. I would assume you have a config issue with the bypass setup. If you care to share screen shots I can look at what you have in comparison to what I have. I have been bypassed for better than a year now. I still put the gateway back from time to time to play with it but generally stay bypassed.
-
To do a span port all that is need is a 30$ smart switch and a box that can run wireshark..
So hardware constraint while you might not have on hand? What switch(es) are you currently using... And you do not have a laptop or pc - for that matter a current pi that you could sniff on?
You could even use your sg3100 as a sniff box for testing what is actually going on when your not using the sg3100 and seeing your 900mbps
Do you not have any smart switch?
-
@gsmornot - thank you for the offer! I am happy to share screen shots. Here or DM? What parts of my config are interesting for troubleshooting this? I used the bypass method described here. The only mods I made to pfatt.sh were to tell it which of my routed ethernet interfaces were connected to the RG versus ONT - and give it the MAC of my RG. Once it ran and did its thing, I configured the ngeth0 interface in pfSense to spoof the MAC of the RG. After that, traffic started flowing - just as slowly as through IP Passthrough :(
@johnpoz - this is my home network, I've just been using dumb switches. Netgear GS108, TP-Link (TL-SG1008D), etc. Yes, I can feel the impending mocking. I can go get a smart switch (recommendation?), no problem having a system to run wireshark. Interpreting the results is where I am quickly out of my depth. I wouldn't know what to look for. When my SG-3100 goes through the RG via "IP Passthrough" it sends supposedly unaltered traffic. When the RG is bypassed, it has been altered by netgraph, ostensibly just to tag it VLAN 0. Both paths out result in the same speed loss - so it doesn't make sense to me that it is something to do with the bypass config.
Is the theory that the SG-3100 does something to the packets, regardless how it makes it to the ONT, that slows things down? I did some experimenting with CoDel awhile ago because of massive bufferbloat on my former asymmetric link, but have since deleted everything under Traffic Shaping (because it didn't help anyway). Perhaps some remnant there? It's the only thing I can think of, but my scope of knowledge here barely scratches the surface of what y'all know.
-
You messing with limters and shapers.. Should of been mentioned in the OP..
Who wants to take book that is the problem... Flush the system..
pfsense is not going to "do" anything to the packets... Other than ROUTE and NAT them...
-
@johnpoz Fair enough. I just remembered tinkering with that a long time ago and mentioned it. However, running:
pftop -s1 -v queueshows:pfTop: Up Queue no entries, View: queue, Cache: 10000 QUEUE BW SCH PRIO PKTS BYTES DROP_P DROP_B QLEN BORROW SUSPEN P/S B/SDoesn't that mean that all shapers/limiters have been cleared out? If not, would deleting the interfaces in webConfigurator and re-adding them clear anything else out?
If pfSense isn't "doing" anything other than ROUTE or NAT, why is it doing that so slowly? The weak link (aside from my knowledge, which I'm trying to rapidly fix) in this seems to be the SG-3100 or pfSense - both of which should be beefy enough to handle it. I have traffic coming out of a laptop with a 1Gb NIC, over a short cat 5e cable, directly into a LAN port on the SG-3100. When it comes out the WAN port it seems to be traveling sub-100Mb.
Sorry if I'm being frustrating or thick - just trying to go path of least resistance. I can completely start over with my SG-3100, I'm just not seeing anything that says that effort will be worth it. It will take quite some time to walk through the webConfigurator writing down everything in there so I can manually recreate it.
-
@sean-allen said in SG-3100 Slow Throughput:
When it comes out the WAN port it seems to be traveling sub-100Mb.
This is a good test and takes the isp and internet out of the equation.. You seeing sub 100 would point to maybe not negotiating gig in the first place or a duplex mismatch problem or etc..
All I can say is I have 2 sg3100 in production and while they do not have gig connection they are doing full speed of the isp connection well above 100 and not even breaking a sweat.. So yes something is wrong - need to figure out what.
Did you look under diag, limiter info? Does that show blank as well
To be 100% sure you don't have something messed up since you were playing in that area.. Would be to wipe it and do your local test right out of the gate..
After validating your cables and test machines by using the cables your going to use and just connect the 2 test boxes directly together and running your iperf test.
If with your test you are showing good speeds and then putting a clean sg3100 in the middle your seeing low speeds then I would suggest you contact support.. Maybe there is something wrong with the hardware?
-
@johnpoz I say that it seems to be traveling sub-100Mb because those are all the results I get from speedtest from multiple sources (iperf from laptop to cloud iperf server, ookla, att, dslreports). I do several of those speedtests going around the SG-3100 and get 900Mb.
My
Diag->Limiter Infolooks the same as yours:Limiters: No limiters were found on this system.
-
Well the first thing to check would be the interface statistics to see if the link speed is fine and if there are any errors on the link, and then check with the most basic config on a fresh system if the interface looks good. But as you seem to like to ignore the basic steps and rather just whine around, I wish you good luck.
-
Yeah I am confused - you say you have had this for like a year... And say it was solid, but now your saying it can not do more than 70mbps?
Sure sounds like you playing with say shaping or limiting messed up something.
CLEAR IT!!! Do your local testing - if shows bad then call support.
-
If you were to do anything I would put an iperf server on the WAN and an iperf client on the LAN and see what the performance is in both directions. You should see results similar to the ones I just tested below, which are very close to the theoretical maximum payload throughput for gig-e.
There isn't really a setting other than shapers/limiters that can result in what you are seeing.
Hardware generally either fails or doesn't. I wouldn't expect a hardware issue to result in a consistent flow at a slower speed. Anything like that should manifest itself in interface errors, a duplex mismatch, etc. That has all but been relegated to the ash-heap of history with 1000BaseT though.
iperf3 server (i7 MacBook Pro) <-> WAN SG-3100 LAN <-> Switch <-> Proxmox <-> iperf3 client (2 cores allocated)
server
iperf3 -sclient
iperf3 -c 172.25.16.1930Mbit/sec
clientiperf3 -R -c 172.25.16.1934Mbit/sec
-
There you go - that is some screaming performance to be honest with 949 being pretty much max speed in theory, etc.
-
@johnpoz I have had the SG-3100 for a year, but my fiber line just got installed 10 days ago. Before that I had AT&T bonded 50Mb DSL that ran at about 40Mb with this SG-3100. That exact same config, when running through the new AT&T RG in "IP Passthrough mode" (poor-mans bridging) yielded sub-100Mb speed. I then implemented the netgraph-based RG bypass hoping the issue was double-natting or something else with the RG - but it didn't change the results. I haven't touched shaping/limiting in probably a year. Definitely not since I added fiber to the house. And I think we just saw that none of that still exists in my config.
-
@grimson In checking the interface statistics, hopefully correctly, I find that all are at 1000baseT or above with no errors or drops.
mvneta1is the four-port switched LAN group
mvneta2is the routed NIC that is plugged into the ONT
ngeth0is the interface created by netgraph that tags traffic VLAN 0 so AT&T will work with it without the RG
netstat -ishows zero errors or drops across all interfaces:
Apologies if that doesn't get the interface statistics you were talking about. The "basic steps" I've seen here are "buy a new switch, sniff the traffic, look for anything out of place" and "factory reset your SG-3100" - the reasons why they've been suggested don't make sense to me based on evidence. I'm not trying to argue with the superior hive mind here, I'm just trying to offer logic that says "there are no shapers or limiters in effect, how can it be that, so what does starting from scratch do?" and "I can buy a smart switch, but I can't read a packetcap or know what is out of place - and what are we hoping to learn as the problem persists whether I go through the AT&T RG or bypass it." Factory reset will take forever and I will likely screw something up trying to recreate everything I've done over the past five years to this install (across two hardware platforms for pfSense) without screwing it up. Certs, OpenVPN server and client, firewall rules, packages (and their configs), etc. If that comes across whiney, please forgive me. Not my intent. I appreciate any and all specific help that is being offered. Even when it comes with snark.
@Derelict Got it. I think we've ruled out limiters/shapers in my config.
ifconfig -ashows 1000BaseT or 2500BaseT full duplex. I'm reading your advice as replacing the WAN side of my network with a system running iperf and test. That makes sense. It isolates the SG-3100. If that's what was suggested prior by someone else, and I was too thick to see it, sorry. I was hoping to leave the ISP in the mix for convenience since it was proven to be 900Mb when goingclient->RG->ONT->speedtest server
-
You can back up the configuration, reset to defaults, and do a quick static WAN and test like I did there. Then maybe do a very basic configuration for the RG bypass and test that.
You're 2 minutes from being back where you were by simply restoring the configuration.
The object here is to isolate whether the hardware is bad or if it's something else in your environment.
AT&T is not doing anybody any favors with this arrangement. They are basically telling their customers to See Figure 1.
-
@sean-allen said in SG-3100 Slow Throughput:
Factory reset will take forever and I will likely screw something up trying to recreate everything I've done over the past five years to this install (across two hardware platforms for pfSense) without screwing it up.
Bullshit. Take a config backup, install a fresh 2.4.4 image, do the basic setup, test throughput. If you then get full speed you know something in your config is messed up, in that case restore the config section by section and check each time until it breaks again. If not restore the config backup and continue searching. That shouldn't take more than an hour.
Also if that config is five years old and spans multiple hardware platforms you might have at one point or the other added/changed system tunables that could negatively affect the performance on your current hardware. Also you experimented with fq_codel which before 2.4.4 required intervention in system files/the command line, there might still be remnant effects of that. So we need a known good baseline to start diagnosing from and that is a clean installation with a basic setup.
As it stands now your like a whining kid, expecting us to solve your problems while you are unwilling to put work into it. This is wasting the good will and time of the community.
-
Yeah. While you're down a fresh install of 2.4.4 certainly wouldn't hurt. Only takes a few minutes and then you know.
https://www.netgate.com/docs/pfsense/solutions/sg-3100/reinstall-pfsense.html
-
And that
ngethis completely untested by anyone here as far as I know. It is not part of pfSense. I don't think anyone here has to suffer Uverse for their internet.Any side effects or other issues are unknown. Anecdotal evidence suggests it is working for some people.
-
@derelict Ok. Interestingly, I had that exact URL up already (fresh install on SG-3100). Isolate the hardware, then isolate the bypass. Makes sense.
And totally agree on AT&T. Miserable and very AT&T of them.
ngeth0is untested here, I agree. However, I was seeing the same slowdown issues when it was not in the mix and I was simply using mvneta2 and WAN and attaching the to AT&T RG in IP Passthrough. And I know of at least one other person that implemented this same exact bypass, on an SG-3100, and is seeing no slowdown.@Grimson Are there any hacks to "restore the config section by section" - or just take really good notes on what you have and type it back in until things go bad?
Great points on rot being in the config over that time span. I don't recall doing tunables (except yesterday adding
net.inet.ip.fastforwardingto try and speed up OpenVPN - but that was after these general speed problems). Thanks for the great reasoning on cruft that could be in my config over time.I have kids. I hate it when they whine. Truly loathe it. However, I really love it when they ask questions, push back, and try to learn why they're being asked to do something. Shows me they're thinking - trying to learn so they don't need as much help in the future. And who knows, maybe someone else seeing/hearing the conversation that is afraid to ask the question (perhaps for fear of being flamed) learns from it, too.
Regardless, I sincerely appreciate y'all taking the time to help. I apologize that my approach rubs some the wrong way. Just trying to learn. I'm off to rebuild. Not afraid of the work, just want to know why I'm doing it.
-
@sean-allen said in SG-3100 Slow Throughput:
@Grimson Are there any hacks to "restore the config section by section" - or just take really good notes on what you have and type it back in until things go bad?
After 5 years you never looked at the backup and restore page of pfSense?
-
@grimson Uhm, shit, can we forget I said that part? Wow, I just earned every bit of your frustration/angst right there. Yep, I've been there several times. And double yep, I totally forgot that you could do it in sections...making my objection to rebuilding seem petty. Got it.
Mea culpa. Quite sorry.
It was worthwhile and helpful to know all the different bits of cruft that can be cleared out with this approach, but the process is nothing. I've already downloaded and created a USB drive of the fresh 2.4.4 image. Off I go.
