Date:      Sun, 27 Nov 2011 15:43:09 -0500 (EST)
From:      "Mikhail T." <mi@aldan.algebra.com>
To:        net@FreeBSD.org
Cc:        brian@awfulhak.org, eivind@dimaga.com, archie@whistle.com, cm@linktel.net, suutari@iki.fi
Subject:   natd slow, eats up an entire CPU...
Message-ID:  <201111272043.pARKh9rZ047643@narawntapu.narawntapu>

Hello!

I recently upgraded a friend's computer to 8.2-STABLE and
we are noticing some network performance problems...

In particular, when a large file is being uploaded outside
(via scp), two weird things happen:

	1. Although it begins with a transfer rate of over 2Mb/s
	   (as reported by scp itself), it quickly drops down to
	   10-15Kb/s and even completely stalls on occasion.
	2. natd can be seen (in top) as chewing up an entire CPU
	   (one of the four 1.8GHz Opterons).

Although the first problem can be explained by some sort of attempts
by an ISP to throttle long large file-transfers, I don't have an
easy explanation for the second...

If I flush the ipfw rules, natd disappears from top's list and
the transfer speeds up to about 260Kb/s (still nowhere near the
initial 2Mb/s, but much higher than the 10-15Kb/s).

There are two network cards in the machine: nfe0 (external) and bge0
(internal). There is no IPv6 in the picture (world is built with
NO_INET6).

The daemon is running as:

	/sbin/natd -redirect_port tcp natasha:ssh 23 -redirect_port tcp isp.mail.ser.ver:smtp 2525 -dynamic -n nfe0

The ipfw rules are derived from the "simple" firewall:

	00100 allow ip from any to any via lo0
	00200 deny ip from any to 127.0.0.0/8
	00300 deny ip from 127.0.0.0/8 to any
	00400 deny ip from 192.168.1.0 to any in via nfe0
	00500 deny ip from any to 10.0.0.0/8 via nfe0
	00600 deny ip from any to 172.16.0.0/12 via nfe0
	00700 deny ip from any to 192.168.0.0/16 via nfe0
	00800 deny ip from any to 0.0.0.0/8 via nfe0
	00900 deny ip from any to 169.254.0.0/16 via nfe0
	01000 deny ip from any to 192.0.2.0/24 via nfe0
	01100 deny ip from any to 224.0.0.0/4 via nfe0
	01200 deny ip from any to 240.0.0.0/4 via nfe0
	01300 deny ip from not one.special.foreign.ip to any dst-port 2525
	01400 divert 8668 ip4 from any to any via nfe0
	01500 deny ip from 10.0.0.0/8 to any via nfe0
	01600 deny ip from 172.16.0.0/12 to any via nfe0
	01700 deny ip from 192.168.0.0/16 to any via nfe0
	01800 deny ip from 0.0.0.0/8 to any via nfe0
	01900 deny ip from 169.254.0.0/16 to any via nfe0
	02000 deny ip from 192.0.2.0/24 to any via nfe0
	02100 deny ip from 224.0.0.0/4 to any via nfe0
	02200 deny ip from 240.0.0.0/4 to any via nfe0
	02300 allow tcp from any to any established
	02400 allow ip from any to any frag
	02500 allow tcp from any to me dst-port 22 setup
	02600 allow tcp from any to me dst-port 25 setup
	02700 allow tcp from any to me dst-port 53 setup
	02800 allow udp from any to me dst-port 53
	02900 allow udp from me 53 to any
	03000 allow tcp from any to me dst-port 80 setup
	03100 allow tcp from any to me dst-port 2875-3000 setup
	03200 deny log logamount 100 ip4 from any to any in via nfe0 setup proto tcp
	03300 allow tcp from any to any setup
	03400 allow udp from me to any dst-port 53 keep-state
	03500 allow udp from me to any dst-port 123 keep-state

Please, advise. Thanks! Yours,

	-mi
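Rule 01400 in the set above diverts every IPv4 packet crossing nfe0 to natd through a divert(4) socket, so each packet is copied into user space, translated, and reinjected; natd's CPU time therefore tracks the packet rate on that interface. The packet counters that `ipfw -a list` (or `ipfw show`) prints next to each rule are the quickest way to confirm this, and to see which deny rules actually fire. The script below is an added example, not part of the message or of the FreeBSD tools: it parses that counter output and summarizes where packets end up. The sample input is constructed; its rule bodies follow the "simple" firewall shown above, but the counter values are invented for illustration.

```python
"""Summarize ipfw rule counters to see how much traffic is handed to natd.

Added diagnostic example (not from the original post). Input is the
`ipfw -a list` format: rule number, packet count, byte count, rule body.
"""
import re
from dataclasses import dataclass

# Constructed sample in `ipfw -a list` format. The rule bodies mirror the
# post's ruleset; the packet and byte counters are made up.
SAMPLE_IPFW_ALIST = """\
00100     120      9600 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
00300       0         0 deny ip from 127.0.0.0/8 to any
00400       3       180 deny ip from 192.168.1.0 to any in via nfe0
01400  500000 720000000 divert 8668 ip4 from any to any via nfe0
01700       2       120 deny ip from 192.168.0.0/16 to any via nfe0
02300  498000 719000000 allow tcp from any to any established
03200      40      2400 deny log logamount 100 ip4 from any to any in via nfe0 setup proto tcp
03300    1200     72000 allow tcp from any to any setup
65535       7       420 deny ip from any to any
"""

# rule number, packets, bytes, action keyword, rest of the rule
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    action: str   # allow, deny, divert, ...
    body: str     # everything after the action keyword


def parse_ipfw(text):
    """Parse `ipfw -a list` output; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num, pk, by, action, body = m.groups()
        rules.append(Rule(int(num), int(pk), int(by), action, body))
    return rules


def divert_ports(rules):
    """Divert socket ports in use, i.e. the natd instances packets go to."""
    return sorted(int(r.body.split()[0]) for r in rules if r.action == "divert")


def summarize(rules):
    """Where did the packets go: per action, through natd, denied, never hit."""
    by_action = {}
    for r in rules:
        by_action[r.action] = by_action.get(r.action, 0) + r.packets
    # Every packet counted on a divert rule was copied to user space and back.
    diverted = sum(r.packets for r in rules if r.action == "divert")
    denied = sum(r.packets for r in rules if r.action == "deny")
    # Rules with zero hits (the default rule 65535 excluded) are worth a look:
    # either nothing matches them or an earlier rule shadows them.
    unused = [r.number for r in rules if r.packets == 0 and r.number != 65535]
    # Deny rules that log: these are the ones that will show up in syslog.
    logging_denies = [r.number for r in rules
                      if r.action == "deny" and r.body.startswith("log ")]
    return {
        "by_action": by_action,
        "diverted_packets": diverted,
        "denied_packets": denied,
        "unused_rules": unused,
        "logging_deny_rules": logging_denies,
    }


if __name__ == "__main__":
    parsed = parse_ipfw(SAMPLE_IPFW_ALIST)
    report = summarize(parsed)
    print("divert ports (natd):", divert_ports(parsed))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against real output with `ipfw -a list | python3 script.py`-style piping by replacing the constant with `sys.stdin.read()`; on the box in question, the divert rule's counter climbing in step with the scp transfer is what the natd CPU time corresponds to.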



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201111272043.pARKh9rZ047643>