Date: Mon, 31 May 1999 15:57:20 -0400 (EDT)
From: David Gilbert <dgilbert@velocet.ca>
To: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
Cc: net@FreeBSD.ORG
Subject: natd question
Message-ID: <14162.59808.260640.720788@trooper.velocet.ca>
In-Reply-To: <199905311555.RAA19371@labinfo.iet.unipi.it>
References: <199905311555.RAA19371@labinfo.iet.unipi.it>

>>>>> "Luigi" == Luigi Rizzo <luigi@labinfo.iet.unipi.it> writes:

Luigi> But I wonder, is there a way to tell NATD to act straight on
Luigi> incoming packets, instead of forcing forwarding on, and having
Luigi> another pass through the firewall and the protocol stack ?

We realized this pretty early on because our firewall sees a large
amount of traffic (800 or more K/s) only 10-20K/s of which needs
natd.  With a standard configuration, natd can consume a large amount
of CPU to accomplish its task.

What we do is make natd run on an aliased interface (such that traffic
would not normally go to/from it).  Here's the relevant config:

[I have abbreviated some of the output.  tx0 external, tx1 internal]

[1:25:325]root@hadrian:/u/dgilbert> ifconfig -a
tx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet ext.addr netmask 0xfffffff0 broadcast
tx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet int.addr1 netmask 0xfffffff0 broadcast
        inet int.addr2 netmask 0xfffffff0 broadcast

[1:31:331]root@hadrian:/u/dgilbert> ipfw show | grep diver
10000 1540557 461442293 divert 8668 ip from 192.168.0.0/16 to any out xmit tx0
10002 172667 29213136 divert 8668 ip from 172.17.0.0/16 to any out xmit tx0
10010 2309105 2227895942 divert 8668 ip from any to int.addr2 in recv tx0

Then I run...

natd -alias_address int.addr2

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail: dgilbert@velocet.net                   | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14162.59808.260640.720788>
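
Added example, not part of the original message: a small Python model of the three divert rules quoted above, showing which packets are handed to natd on port 8668 and which bypass it entirely. The address 203.0.113.18 is a constructed stand-in for the elided int.addr2, the counters are zeroed, and the matcher covers only source, destination, direction and interface, which is a simplification of real ipfw matching.

```python
import ipaddress
import re

# Constructed stand-in for the elided "int.addr2" alias address (documentation range).
ALIAS = "203.0.113.18"

# Rule lines in the `ipfw show` layout quoted in the message; counters are constructed.
SAMPLE_RULES = f"""\
10000 0 0 divert 8668 ip from 192.168.0.0/16 to any out xmit tx0
10002 0 0 divert 8668 ip from 172.17.0.0/16 to any out xmit tx0
10010 0 0 divert 8668 ip from any to {ALIAS} in recv tx0
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+\s+\d+\s+divert\s+(?P<port>\d+)\s+ip\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)\s+(?P<dir>in|out)\s+(?:recv|xmit)\s+(?P<ifc>\S+)$"
)

def _net(spec):
    """Turn 'any', a host address or a CIDR block into a network (None means any)."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)

def parse_rules(text):
    """Parse divert lines from `ipfw show` output into rule dictionaries."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"num": int(m["num"]), "port": int(m["port"]),
                          "src": _net(m["src"]), "dst": _net(m["dst"]),
                          "dir": m["dir"], "ifc": m["ifc"]})
    return rules

def divert_rule(rules, src, dst, direction, ifc):
    """Return the number of the first divert rule the packet matches, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r["num"]):
        if (r["dir"] == direction and r["ifc"] == ifc
                and (r["src"] is None or s in r["src"])
                and (r["dst"] is None or d in r["dst"])):
            return r["num"]
    return None  # packet never reaches natd

RULES = parse_rules(SAMPLE_RULES)
```

A return value of None is the case the message is about: traffic from publicly addressed hosts, or inbound traffic to any address other than the alias, skips the divert socket and natd's userland processing.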