From nobody Tue Jan 30 03:27:31 2024
X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TP9bV3ct2z5879T
	for <freebsd-questions@mlmmj.nyi.freebsd.org>; Tue, 30 Jan 2024 03:27:50 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Received: from h1.out2.mxs.au (h1.out2.mxs.au [110.232.143.236])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4TP9bV0Cp5z4Gmp
	for <freebsd-questions@freebsd.org>; Tue, 30 Jan 2024 03:27:48 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Authentication-Results: mx1.freebsd.org;
	none
Received: from s121.syd3.hostingplatform.net.au (s121.syd3.hostingplatform.net.au [103.27.34.4])
	by out2.mxs.au (Halon) with ESMTPS (TLSv1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	id 830f684e-bf1f-11ee-b49b-00163c1ebd60
	for <freebsd-questions@freebsd.org>;
	Tue, 30 Jan 2024 14:27:35 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=nimnet.asn.au; s=default; h=Message-ID:From:CC:To:Subject:
	Content-Transfer-Encoding:Content-Type:MIME-Version:References:In-Reply-To:
	Date:Sender:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:
	List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=2OxKIRbmPYBP1eKHex7D8VZ/nGXpoFJBxpDsg0THzV0=; b=DsN/+/l3ZklCUljbnE71K5m8rZ
	BkpeZh9Nh1+Ies/qhIyS6ILg7AvgAhXEKpZzo4fUcO4k+Qf0B/5DYsm8tnfQqm6Q2Io73fF2XTWvL
	hqgl9Fn7602fqhsHxOGu2eq7mn9Xf3P631J4vsKZTUYtTtS9PKN9nLd9Sz83K/FrgZlgZSL3SYusy
	t8VOeSGLfLoyTpS6fZ91Y1IC0RcPkwCGz5ZQ5q0oiflVygTU5hIE3G9yWi0xi7Ik4tzUz6gzW3CV5
	hsTSEjCgn0IGZBDnH1EZjZFdi9dIe7/5AAeweoptxMOm0svHaRaG5JHMzQGsE1pGV2Ja/uQhq1RoZ
	FhIp79xQ==;
Received: from [1.145.40.16] (port=1851 helo=[10.174.66.243])
	by s121.syd3.hostingplatform.net.au with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96.2)
	(envelope-from <smithi@nimnet.asn.au>)
	id 1rUemd-003hAZ-20;
	Tue, 30 Jan 2024 14:27:35 +1100
Date: Tue, 30 Jan 2024 14:27:31 +1100
User-Agent: K-9 Mail for Android
In-Reply-To: <Zbfwwnb0IupcVsVl@sfo.umpquanet.com>
References: <ZbfkhQXCobk0jKBg@sfo.umpquanet.com> <CAFbbPui_RX+k+tFd18yN2MHMfSAQSqqEjPLo3GY12AchnN0eCg@mail.gmail.com> <Zbfwwnb0IupcVsVl@sfo.umpquanet.com>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
List-Help: <mailto:questions+help@freebsd.org>
List-Post: <mailto:questions@freebsd.org>
List-Subscribe: <mailto:questions+subscribe@freebsd.org>
List-Unsubscribe: <mailto:questions+unsubscribe@freebsd.org>
Sender: owner-freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: VirtIO/ipfw/natd throughput problem in hosted VM
To: Jim Long <freebsd-questions@umpquanet.com>,Paul Procacci <pprocacci@gmail.com>
CC: freebsd-questions@freebsd.org
From: Ian Smith <smithi@nimnet.asn.au>
Message-ID: <AB79ABF9-2306-4EEB-A9AE-DBF5D780E71B@nimnet.asn.au>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - s121.syd3.hostingplatform.net.au
X-AntiAbuse: Original Domain - freebsd.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - nimnet.asn.au
X-Get-Message-Sender-Via: s121.syd3.hostingplatform.net.au: authenticated_id: smithi@nimnet.asn.au
X-Authenticated-Sender: s121.syd3.hostingplatform.net.au: smithi@nimnet.asn.au
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Rspamd-Queue-Id: 4TP9bV0Cp5z4Gmp
X-Spamd-Bar: ----
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	ASN(0.00)[asn:45638, ipnet:110.232.143.0/24, country:AU]

On 30 January 2024 5:38:58 am AEDT, Jim Long <freebsd-questions@umpquanet=
=2Ecom> wrote:
 > On Mon, Jan 29, 2024 at 12:54:49PM -0500, Paul Procacci wrote:
 > >
 > > The most glaringly obvious thing to me is to use in-kernel nat
 > instead of
 > > natd=2E
 > > Packets won't have to leave the kernel at that point=2E
 > > It's detailed in ipfw(8)=2E
 > >=20
 > > ~Paul
 >=20
 > Thank you very much!  Your tip plus some cribbing from:
 >=20
 > https://www=2Eneelc=2Eorg/posts/freebsd-ipfw-nat/
 >=20
 > seems to have taken care of it=2E
 >=20
 > Regards,
 >=20
 > Jim

That's great,

but for future reference be sure to

a) only divert 'ip4', not 'ip' packets to natd(8) - i=2Ee=2E no ipv6 packe=
ts=2E

b) see section BUGS at the end of ipfw(8): you must disable TSO with ifcon=
fig(8) to use ipfw nat, which the above article doesn't mention=2E

cheers, Ian