From: "Todor Dragnev" <todor.dragnev@gmail.com>
To: questions@freebsd.org, freebsd-isp@freebsd.org
Date: Fri, 11 May 2007 14:42:37 +0300
Subject: Large scale NAT
List-Id: User questions (freebsd-questions@freebsd.org)

Hello list,

I have about 4000 users behind NAT. I use ipnat (ipf) on a single FreeBSD box (v6.2) to translate RFC1918 IP addresses to real ones. In ipnat.conf I have:

---
map vlan0 10.X.0.0/16 -> a.b.c.X/32 proxy port ftp ftp/tcp
map vlan0 10.X.0.0/16 -> a.b.c.X/32 portmap tcp/udp auto
map vlan0 10.X.0.0/16 -> a.b.c.X/32
---

Where X is in the range from 0 to 40.

$ ipnat -s
mapped  in      1192241264      out     1082773308
added   58509192        expired 0
no memory       65394   bad nat 9642
inuse   212292
rules   1160
wilds   2

$ netstat -w 1
            input        (Total)           output
   packets  errs      bytes    packets  errs      bytes colls
     75681     0   47043801      73193     0   38853537     0
     74908     0   46345012      72391     0   37946719     0

CPU: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz (1864.81-MHz 686-class CPU)

Network cards:
em0:
sk0: <3Com Gigabit NIC (3C2000) rev. (0x1) - Marvell Semiconductor, Inc. Yukon>

All works fine, but my CPU usage is very high and the router starts to drop packets and sometimes freezes. I fixed the freeze problem with POLLING, but CPU usage is still very high.

Throughput on one interface is about 200Mbit/s, but next month I will need more speed to pass through this box and I am looking for a better solution.

What is the throughput limit that I can expect from FreeBSD in this situation? Does anyone on the list have experience with large NAT tables? Is it time to switch to Cisco or something similar - any suggestions?

Thanks,
Todor Dragnev

--
There are no answers, only cross references
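The post shows 41 hand-written copies of the same three map rules and an `ipnat -s` dump with non-zero "no memory" and "bad nat" counters, which is where a NAT box of this size usually starts to hurt. The following shell script is an added example, not from the original post or from the ipf/ipnat project: it generates the rule set for 10.X.0.0/16 -> PUB.X/32 from a loop instead of by hand, and it parses an `ipnat -s` style dump (a constructed sample using the counters quoted in the post) to flag state-table allocation failures. The public prefix `a.b.c` is the post's own placeholder; the health thresholds (any non-zero "no memory" or "bad nat") are an assumption for this example, not an ipf default.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumes the rule layout
# from the post: three map rules per /16, X from 0 to 40, interface vlan0.

# Emit ipnat.conf rules for 10.X.0.0/16 -> PUB.X/32, X in FIRST..LAST.
# PUB is the first three octets of the public block ("a.b.c" in the post).
gen_ipnat_rules() {
    iface=$1; pub=$2; first=${3:-0}; last=${4:-40}
    x=$first
    while [ "$x" -le "$last" ]; do
        echo "map $iface 10.$x.0.0/16 -> $pub.$x/32 proxy port ftp ftp/tcp"
        echo "map $iface 10.$x.0.0/16 -> $pub.$x/32 portmap tcp/udp auto"
        echo "map $iface 10.$x.0.0/16 -> $pub.$x/32"
        x=$((x + 1))
    done
}

# Number of rules the generator produces for X = 0..40 (41 blocks x 3 rules).
count_rules() {
    gen_ipnat_rules vlan0 a.b.c 0 40 | wc -l | tr -d ' '
}

# Extract one counter by name from `ipnat -s` output given on stdin.
# Names may contain a space ("no memory", "bad nat"), so the match is
# "<name>, optional whitespace, digits".
ipnat_counter() {
    name=$1
    sed -n "s/.*$name[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Read `ipnat -s` output on stdin, print a one-line summary and return 0
# when no allocation failures or bad-NAT drops were recorded, 1 otherwise.
# A non-zero "no memory" means ipf could not allocate NAT table entries,
# i.e. sessions were dropped rather than translated; "bad nat" counts
# packets ipf could not match to a usable translation.
ipnat_health() {
    stats=$(cat)
    nomem=$(printf '%s\n' "$stats" | ipnat_counter "no memory")
    badnat=$(printf '%s\n' "$stats" | ipnat_counter "bad nat")
    inuse=$(printf '%s\n' "$stats" | ipnat_counter "inuse")
    echo "inuse=${inuse:-?} no_memory=${nomem:-0} bad_nat=${badnat:-0}"
    [ "${nomem:-0}" -eq 0 ] && [ "${badnat:-0}" -eq 0 ]
}

# Constructed sample: the counters quoted in the post, laid out as ipnat -s
# prints them (whitespace differences do not matter to the parser).
SAMPLE_STATS='mapped  in      1192241264      out     1082773308
added   58509192        expired 0
no memory       65394   bad nat 9642
inuse   212292
rules   1160
wilds   2'

# Stand-alone demo: print the generated rule count and check the sample.
echo "generated rules: $(count_rules)"
if printf '%s\n' "$SAMPLE_STATS" | ipnat_health; then
    echo "ipnat counters look healthy"
else
    echo "ipnat counters show allocation failures or bad-NAT drops"
fi
```

On a live box replace the sample with `ipnat -s | ipnat_health` from cron or a monitoring agent; the non-zero return is the signal that the state table is under pressure well before the router starts freezing, and `gen_ipnat_rules vlan0 a.b.c > /etc/ipnat.conf` keeps the 123-rule file identical across the 41 blocks.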