From: "Nikol@y"
To: freebsd-performance@freebsd.org
Date: Fri, 4 Jun 2010 03:19:41 -0700 (PDT)
Subject: pf nat & ipfw kernel nat & ng_nat - what uses less computer resources?

Hello.

We have a network. Now we are using pf NAT. But we are interested in some questions:

1. What type of NAT uses less computer resources?
   a) pf NAT
   b) ipfw kernel NAT
   c) NG_NAT ?

2. BINAT or NAT - what is better? Which one of them is faster and uses less computer resources with one of the firewalls? In theory I think that BINAT is faster than NAT, because there is no need to track connections.

3. I know that the firewall PF does not support threads. I read that IPFW does (in FreeBSD 8.0, for example). But in my test I haven't seen threads when using IPFW. Maybe there are some special options for compiling the kernel or configuring IPFW?
For the tests I compiled the kernel with:

options SMP
# IPFW
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPFIREWALL_NAT
options LIBALIAS
options HZ="2000"

4. I can't find any information about BINAT in ipfw+ng_nat. Does anyone use this technology? Or maybe you know some interesting information about it?

I have a test computer (border nat):

- dmesg | less:

FreeBSD 8.0-STABLE-201004 #0: Mon Apr 5 15:59:06 UTC 2010
CPU: Intel(R) Pentium(R) 4 CPU 3.20GHz (3200.01-MHz K8-class CPU)
real memory = 536870912 (512 MB)
age0: mem 0xfeac0000-0xfeafffff irq 17 at device 0.0 on pci2
rl0: port 0xe800-0xe8ff mem 0xfebffc00-0xfebffcff irq 19 at device 0.0 on pci4

Test scheme:

laptop(192.168.0.188)-->age0(192.168.0.1)-->rl0(10.1.2.142)-->internet

age0 - internal interface
rl0 - external interface
IP pool for NAT is 10.1.6.0/24.

I have completed 2 tests:

1. with utility "ping":
   ping -c 500 -f 192.168.1.112
2. with utility "iperf":
   iperf -c 192.168.1.112 -n 1M -i 1 -t 180

You can see the results of these tests below:

1. pf NAT:

There is one rule for NAT in /etc/pf.conf.ports:

nat pass on $ext_if from to any -> 10.1.6.0/24 source-hash test static-port

a) ping -c 500 -f 192.168.1.112:

PING 192.168.1.112 (192.168.1.112) 56(84) bytes of data.
--- 192.168.1.112 ping statistics ---
500 packets transmitted, 398 received, 20% packet loss, time 1658ms
rtt min/avg/max/mdev = 0.239/0.339/5.425/0.262 ms, ipg/ewma 3.323/0.328 ms

b) On the server 192.168.1.112:
   iperf -s 80
   On the laptop:
   iperf -c 192.168.1.112 -p 80 -n 1M -i 1 -t 180

Here are the results of “netstat”:

netstat -w1d -I age0:

            input         (age0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
      5247     0      0    7332276       1600     0      83700     0
      5286     0      0    7331330       1578     0      82296     0
      5278     0      0    7339278       1589     0      83754     0
      5312     0      0    7380344       1570     0      82728     0
      5328     0      0    7337764       1567     0      83160     0

netstat -w1d -I rl0:

            input          (rl0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
      1556     0      0      93508       5133     0    7275788     0
      1547     0      0      92832       5169     0    7337174     0
      1551     0      0      93072       5161     0    7321088     0
      1539     0      0      92352       5199     0    7381268     0
      1520     0      0      91212       5195     0    7367642     0

top -S:

last pid: 6320; load averages: 0.07, 0.02, 0.00 up 1+18:19:20 10:08:26
70 processes: 3 running, 55 sleeping, 12 waiting
CPU: 0.0% user, 0.0% nice, 1.2% system, 4.7% interrupt, 94.2% idle
Mem: 21M Active, 136M Inact, 89M Wired, 44K Cache, 59M Buf, 237M Free
Swap: 2048M Total, 2048M Free

2. pf BINAT:

There are about 1000 rules for BINAT in /etc/pf.conf.ports:

...
binat on $ext_if from 10.10.10.2 to any -> 10.1.6.13
binat on $ext_if from 10.10.10.3 to any -> 10.1.6.14
...

And the last one is for our laptop:

binat on $ext_if from 192.168.0.188 to any -> 10.1.6.188

a) ping -c 500 -f 192.168.1.112:

PING 192.168.1.112 (192.168.1.112) 56(84) bytes of data.
--- 192.168.1.112 ping statistics ---
500 packets transmitted, 398 received, 20% packet loss, time 1688ms
rtt min/avg/max/mdev = 0.238/0.357/1.006/0.078 ms, ipg/ewma 3.383/0.330 ms

b) On the server 192.168.1.112:
   iperf -s 80
   On the laptop:
   iperf -c 192.168.1.112 -p 80 -n 1M -i 1 -t 180

Here are the results of “netstat”:

netstat -w1d -I age0:

            input         (age0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
      5294     0      0    7318272       1585     0      84996     0
         0     0      0    7357824          0     0      83862     0
      5314     0      0    7367854       1591     0      83268     0
      5302     0      0    7290642       1591     0      83646     0
      5270     0      0    7332276       1577     0      85914     0

netstat -w1d -I rl0:

            input          (rl0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
      1586     0      0      95172       5172     0    7341148     0
      1567     0      0      94038       5177     0    7344514     0
      1537     0      0      92232       5198     0    7373698     0
      1565     0      0      93912       5166     0    7328090     0
      1561     0      0      93672       5139     0    7301596     0

top -S:

last pid: 8622; load averages: 0.16, 0.07, 0.01 up 2+13:22:43 05:11:49
61 processes: 3 running, 46 sleeping, 12 waiting
CPU: 0.0% user, 0.0% nice, 4.4% system, 5.1% interrupt, 90.5% idle
Mem: 14M Active, 127M Inact, 89M Wired, 59M Buf, 251M Free
Swap: 2048M Total, 2048M Free

3. IPFW KERNEL NAT:

a) ping -c 500 -f 192.168.1.5:

PING 192.168.1.112 (192.168.1.112) 56(84) bytes of data.
--- 192.168.1.112 ping statistics ---
500 packets transmitted, 425 received, 15% packet loss, time 1598ms
rtt min/avg/max/mdev = 0.253/1.081/1.576/0.414 ms, ipg/ewma 3.203/0.895 ms

b) On the server 192.168.1.112:
   iperf -s 80
   On the laptop:
   iperf -c 192.168.1.112 -p 80 -n 1M -i 1 -t 180

Here are the results of “netstat”:

netstat -w1d -I age0:

            input         (age0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
      3966     0      0    5501336       1086     0      56646     0
      4380     0      0    6140036       1100     0      58266     0
      4315     0      0    5654698       1089     0      55424     0
      3703     0      0    5291538        990     0      54182     0
      3548     0      0    4910778        992     0      52292     0
      3894     0      0    5399218       1140     0      60770     0

netstat -w1d -I rl0:

            input          (rl0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
      1085     0      0      65112       4004     0    5680576     0
      1053     0      0      63296       4432     0    6289586     0
       972     0      0      58508       3668     0    5195190     0
       944     0      0      56672       3550     0    5033916     0
      1109     0      0      66981       3813     0    5408090     0
      1099     0      0      65972       3952     0    5604760     0

top -S:

last pid: 2397; load averages: 0.06, 0.05, 0.04 up 0+00:09:13 14:25:50
66 processes: 3 running, 51 sleeping, 12 waiting
CPU: 0.0% user, 0.0% nice, 0.5% system, 3.5% interrupt, 96.1% idle
Mem: 14M Active, 9248K Inact, 55M Wired, 92K Cache, 11M Buf, 403M Free
Swap: 2048M Total, 2048M Free

4. IPFW KERNEL BINAT

a) ping -c 500 -f 192.168.1.112:

PING 192.168.1.112 (192.168.1.112) 56(84) bytes of data.
--- 192.168.1.112 ping statistics ---
500 packets transmitted, 398 received, 20% packet loss, time 1968ms
rtt min/avg/max/mdev = 0.284/1.147/1.568/0.406 ms, ipg/ewma 3.944/1.055 ms

b) On the server 192.168.1.112:
   iperf -s 80
   On the laptop:
   iperf -c 192.168.1.112 -p 80 -n 1M -i 1 -t 180

Here are the results of “netstat”:

netstat -w1d -I age0:

            input         (age0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
      4138     0      0    4716350       1138     0      47682     0
      3458     0      0    5812454        862     0      58374     0
      4144     0      0    5768360       1143     0      59670     0
      4164     0      0    5540888       1132     0      62640     0
      3954     0      0    4803024       1195     0      50598     0

netstat -w1d -I rl0:

            input          (rl0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
      1007     0      0      60492       3609     0    5118682     0
       950     0      0      57012       3614     0    5126988     0
      1146     0      0      68772       4034     0    5723108     0
      1121     0      0      67272       4088     0    5801266     0
      1048     0      0      62892       3488     0    4946638     0

top -S:

last pid: 4852; load averages: 0.07, 0.03, 0.00 up 0+16:06:15 05:53:04
63 processes: 4 running, 47 sleeping, 12 waiting
CPU: 0.0% user, 0.0% nice, 7.3% system, 6.7% interrupt, 86.0% idle
Mem: 15M Active, 142M Inact, 110M Wired, 100K Cache, 59M Buf, 214M Free
Swap: 2048M Total, 2048M Free

5. NG_NAT:

a) ping -c 500 -f 192.168.1.112:

PING 192.168.1.112 (192.168.1.112) 56(84) bytes of data.
--- 192.168.1.112 ping statistics ---
500 packets transmitted, 422 received, 15% packet loss, time 1624ms
rtt min/avg/max/mdev = 0.254/1.038/8.862/0.551 ms, ipg/ewma 3.255/0.961 ms

b) On the server 192.168.1.112:
   iperf -s 80
   On the laptop:
   iperf -c 192.168.1.112 -p 80 -n 1M -i 1 -t 180

Here are the results of “netstat”:

netstat -w1d -I age0:

            input         (age0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
      4812     0      0    6634038       1268     0      66474     0
      4765     0      0    6702092       1234     0      66150     0
      4848     0      0    6616932       1263     0      66636     0
      4764     0      0    6582868       1237     0      70686     0
      4746     0      0    6494680       1403     0      76032     0

netstat -w1d -I rl0:

            input          (rl0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
      1219     0      0      73170       4680     0    6634886     0
      1225     0      0      73512       4720     0    6696960     0
      1219     0      0      73170       4655     0    6603440     0
      1380     0      0      82812       4630     0    6570166     0
      1414     0      0      84864       4585     0    6504178     0

Crossposted to freebsd-net.