[afnog] IPfw + natd

Brian Candler B.Candler at pobox.com
Thu Dec 1 18:51:01 EAT 2005


On Thu, Dec 01, 2005 at 05:06:34PM +0200, Mark Tinka wrote:
> I'm testing IPfw + natd on FreeBSD 6.0 for Sparc/64. For 
> the most part, it's working, but I can't help feeling 
> like it's a tad sluggish - bumping connections a few 
> times.
> 
> Because IPfw + natd run in userland, could it be slower 
> because it's not processed in the kernel? Anyone else 
> experience anything like this?

Can you describe "bumping"? Got any numbers? Are you testing large transfers
(e.g. FTP) or noticing pauses in interactive sessions (e.g. ssh)? Is the
machine heavily loaded?

If you are noticing pauses, I would first guess that some packet loss is
taking place. Enough packet loss to be noticeable (1-2%) is generated by an
ethernet 100baseTX duplex mismatch, for example. I would test using

    # ping -s1472 -c300 x.x.x.x

where x.x.x.x is one hop away (then try two hops, then three hops etc).

Unless your Sparc machine is very slow and/or heavily loaded, I would doubt
that kernel vs. userland is significant here. However, there are two
in-kernel implementations ('pf' and 'ipf') you can try instead. Both are
much easier to configure for NAT than natd anyway, especially if your policy
is any more complex than just "NAT everything going out of interface fxp0".

See: pf.conf(5), ipf(5). IIRC, pf can be loaded as a kernel module, but ipf
requires you to rebuild your kernel. pf is newer and comes from OpenBSD.

Regards,

Brian.
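To make the natd-versus-pf comparison above concrete, here is the same NAT policy written both ways, as an added illustration that is not part of the thread. It assumes fxp0 is the outside interface, xl0 the LAN interface, 192.168.1.0/24 the LAN, 192.168.1.10 an internal ssh host reachable from outside on port 2222, and 10.0.0.0/8 a partner network that must see untranslated source addresses; all of these are made-up values for the example.

```conf
# --- ipfw + natd (userland NAT via a divert socket) ---
# /etc/rc.conf
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf
unregistered_only yes                     # translate only RFC 1918 sources
redirect_port tcp 192.168.1.10:22 2222    # outside :2222 -> internal ssh

# /etc/ipfw.rules (ipfw reads these lines via firewall_type above)
# Packets re-enter the ruleset after rule 100 with their translated
# addresses, so later rules must match post-NAT addresses, not LAN ones.
add 100   divert natd ip from any to any via fxp0
add 200   allow ip from any to any via xl0
add 300   allow ip from any to any out via fxp0
add 400   allow tcp from any to 192.168.1.0/24 in via fxp0 established
add 410   allow tcp from any to 192.168.1.10 22 in via fxp0
add 65000 deny log ip from any to any
# Note: the natd.conf above has no exception for 10.0.0.0/8; natd cannot
# express "do not translate to this destination" as directly as pf can.

# --- pf (in-kernel NAT, same policy) ---
# /etc/rc.conf
gateway_enable="YES"
pf_enable="YES"                           # loads pf.ko if not built in
pf_rules="/etc/pf.conf"

# /etc/pf.conf
ext_if = "fxp0"
int_if = "xl0"
lan    = "192.168.1.0/24"
# exclusion is a one-line 'no nat' rule; first matching nat rule wins
no nat on $ext_if from $lan to 10.0.0.0/8
nat  on $ext_if from $lan to any -> ($ext_if)
rdr  on $ext_if proto tcp from any to ($ext_if) port 2222 -> 192.168.1.10 port 22
# filter rules see the post-NAT addresses for inbound rdr traffic
block in log all
pass out on $ext_if keep state
pass in  on $int_if from $lan keep state
pass in  on $ext_if proto tcp from any to 192.168.1.10 port 22 keep state
```

Both variants log what they drop, which gives you something to correlate against the ping loss test if connections keep "bumping" after the change.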



More information about the afnog mailing list