From owner-freebsd-net@FreeBSD.ORG Tue Mar 8 22:13:43 2005
Message-ID: <422E240B.7010502@mr0vka.eu.org>
Date: Tue, 08 Mar 2005 23:15:39 +0100
From: Łukasz Bromirski
To: Goran Gajic
cc: freebsd-net@www.freebsd.org
Subject: Re: ipfilter 4.1.6 won't build on FreeBSD5.3 amd64 (fwd)

Goran Gajic wrote:
> Actually I was interested if Dual Opteron with FBSD5.3
> can compare with Cisco7206 with NPE-G1 running only for NAT

You'll need a good motherboard, NICs, 1-2GB of RAM and a quite capable CPU. Two won't help much, but sometimes the motherboards for two CPUs provide a higher standard (separate buses for PCI, PCI-X slots instead of regular PCI etc.), so it may be beneficial, but YMMV.

> purpose of some 7000 hosts (and sadly more than ~80k pps can easily bring
> it down and no one can confirm that 7206 with NPE-G1 can actually
> process 1M pps:).
Yes, the 7206VXR with NPE-G1 can quite easily do 1Mpps, but the figures usually published are for routing. FreeBSD will also do this on properly configured hardware - google should return some useful usenet posts and discussions. The 7200 is positioned as a router for ISPs, and they don't often do NAT - and as such, routing figures quite reliably put it in the 400-500kpps area (1Mpps full duplex). If your problem lies in large NAT, either segregate the NAT process into a few smaller chunks closer to the end-users, by making a few groups of "NAT-routers" that aggregate already NATed sessions on one main router (that's just routing, and the 7200 will do just fine in that scenario), or buy some solution that will do NAT in hardware.

As for the 7200, if you wish, drop me an e-mail with some more details (running-config, exact version of IOS, modules loaded) and I can try to look for possible causes of poor performance. However, please bear in mind that NAT always requires the first packet to be process/fast switched and some other requirements usually need to be met. For starters, check if you have CEF configured (`ip cef'), drop all the usual Win$shit traffic on the internal, ingress interface (via ACLs) so as not to produce NAT translations for trashy traffic, and preferably have control-plane configured - because sometimes DoS/semi-DoS scenarios arise from the fact that the router itself is slammed with packets.

> Ipfilter that is included in FreeBSD 5.3 is an old
> 3.4.35, I was not satisfied with its performance so I thought that since
> ipf 4.1.6 is newer and has some new features maybe it can better cope
> with high NAT traffic. Unfortunately it won't compile cleanly on
> FBSD5.3-amd64 without supplied patch. I have compiled it with #define
> LARGE_NAT but so far I have tested it - only on few machines on local
> LAN and it works fine and I'm sure I will try it on live network with
> high traffic load :)

You should try pf, it's usually faster.
--
this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net
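Put together as an added illustration of the three 7200 checks the reply above lists (CEF, an ingress ACL that discards junk before it creates NAT translations, and control-plane policing); this is an example IOS fragment written for this page, not configuration from the thread or from either poster. Interface names, addresses, ACL and class names, the policer rate and the choice of NetBIOS/SMB/MS-SQL ports as the "usual Windows traffic" are all assumptions.

```ios
! Assumed interface names, addresses, ACL/class names and port list;
! illustration only, not a running-config from the thread.
ip cef
!
! Ingress ACL on the inside interface: drop the usual Windows worm/noise
! ports before they reach the NAT engine, so no translation slots and
! no process-switched "first packets" are spent on them.
ip access-list extended INSIDE-IN
 deny   tcp any any range 135 139
 deny   udp any any range 135 139
 deny   tcp any any eq 445
 deny   udp any any eq 1434
 permit ip any any
!
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.255.255
!
interface GigabitEthernet0/1
 description inside, towards the ~7000 NATed hosts
 ip address 10.0.0.1 255.255.0.0
 ip access-group INSIDE-IN in
 ip nat inside
!
interface GigabitEthernet0/2
 description outside
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/2 overload
!
! Control-plane policing: rate-limit traffic addressed to the router
! itself so a flood at the router cannot starve the NAT/forwarding path.
ip access-list extended COPP-NOISE
 permit icmp any any
 permit udp any any eq snmp
!
class-map match-any COPP-NOISE-CLASS
 match access-group name COPP-NOISE
!
policy-map COPP
 class COPP-NOISE-CLASS
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Verify the result with `show ip cef`, `show ip nat statistics` (translation count and misses) and `show policy-map control-plane` (conform/exceed counters) before and after a busy period.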