From owner-freebsd-questions@FreeBSD.ORG  Fri May 11 12:37:46 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: questions@freebsd.org
Delivered-To: freebsd-questions@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 82B0516A400
	for <questions@freebsd.org>; Fri, 11 May 2007 12:37:46 +0000 (UTC)
	(envelope-from norgaard@locolomo.org)
Received: from strange.locolomo.org (97.pool85-48-194.static.orange.es
	[85.48.194.97])
	by mx1.freebsd.org (Postfix) with ESMTP id 30DC013C4BF
	for <questions@freebsd.org>; Fri, 11 May 2007 12:37:45 +0000 (UTC)
	(envelope-from norgaard@locolomo.org)
Received: by strange.locolomo.org (Postfix, from userid 1024)
	id F15822E04D; Fri, 11 May 2007 14:37:43 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by strange.locolomo.org (Postfix) with ESMTP id E583E2E048;
	Fri, 11 May 2007 14:37:43 +0200 (CEST)
Date: Fri, 11 May 2007 14:37:43 +0200 (CEST)
From: Erik Norgaard <norgaard@locolomo.org>
To: Todor Dragnev <todor.dragnev@gmail.com>
In-Reply-To: <f72a639a0705110442p757b683fj545c75f4cc71155e@mail.gmail.com>
Message-ID: <20070511143235.Y6855@strange.locolomo.org>
References: <f72a639a0705110442p757b683fj545c75f4cc71155e@mail.gmail.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-isp@freebsd.org, questions@freebsd.org
Subject: Re: Large scale NAT
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2007 12:37:46 -0000

On Fri, 11 May 2007, Todor Dragnev wrote:

> Hello list,
>
> I have about 4000 users behind NAT. I use ipnat(ipf) on single freebsd box(
> v6.2) to translate RFC1918 ip addresses to real one.
>
> All works fine, but my CPU usage is very high and router starts to drop
> packets and sometimes freeze.
> I fix freezes problem with POLLING but CPU usage is still very high.
>
> Throughput on one interface is about 200Mbit/s, but next month I will need
> more speed to pass through this box and I looking  for better solution
>
> What is the throughput limit what I can expect from FreeBSD in this
> situation?
>
> Are someone in the list have experience with large NAT tables?
> It is time to switch to Cisco or something similar - any suggestions ?

There is a comparison of ip-filter and packet filter here

http://www.benzedrine.cx/pf-paper.html

Rather old now, but as I understand, pf does a better job when tables grow 
large when filtering is stateful.

Cheers, Erik