From owner-freebsd-net Mon May 31 12:57:36 1999
Delivered-To: freebsd-net@freebsd.org
Received: from trooper.velocet.ca (trooper.velocet.net [209.167.225.226]) by hub.freebsd.org (Postfix) with ESMTP id 97AAE15332 for ; Mon, 31 May 1999 12:57:30 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id PAA00368; Mon, 31 May 1999 15:57:20 -0400 (EDT)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14162.59808.260640.720788@trooper.velocet.ca>
Date: Mon, 31 May 1999 15:57:20 -0400 (EDT)
To: Luigi Rizzo
Cc: net@FreeBSD.ORG
Subject: natd question
In-Reply-To: <199905311555.RAA19371@labinfo.iet.unipi.it>
References: <199905311555.RAA19371@labinfo.iet.unipi.it>
X-Mailer: VM 6.71 under 20.4 "Emerald" XEmacs Lucid
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Luigi" == Luigi Rizzo writes:

Luigi> But i wonder, is there a way to tell NATD to act straight on
Luigi> incoming packets, instead of forcing forwarding on, and having
Luigi> another pass through the firewall and the protocol stack ?

We realized this pretty early on because our firewall sees a large
amount of traffic (800 or more K/s), only 10-20K/s of which needs
natd. With a standard configuration, natd can consume a large amount
of CPU to accomplish its task.

What we do is make natd run on an aliased interface (such that traffic
would not normally go to/from it). Here's the relevant config:

[I have abbreviated some of the output. tx0 external, tx1 internal]

[1:25:325]root@hadrian:/u/dgilbert> ifconfig -a
tx0: flags=8843 mtu 1500
        inet ext.addr netmask 0xfffffff0 broadcast
tx1: flags=8843 mtu 1500
        inet int.addr1 netmask 0xfffffff0 broadcast
        inet int.addr2 netmask 0xfffffff0 broadcast

[1:31:331]root@hadrian:/u/dgilbert> ipfw show | grep diver
10000 1540557 461442293 divert 8668 ip from 192.168.0.0/16 to any out xmit tx0
10002  172667  29213136 divert 8668 ip from 172.17.0.0/16 to any out xmit tx0
10010 2309105 2227895942 divert 8668 ip from any to int.addr2 in recv tx0

Then I run...

natd -alias_address int.addr2

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================
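The point of the three divert rules in the message is that only traffic matching them is ever handed to natd; everything else stays on the normal ipfw path and costs no natd CPU. The following is an added illustration of that rule set, not code from the original post, from ipfw or from natd: it models the first-match semantics of those three rules and runs a handful of constructed packets through them. The documentation-range addresses 203.0.113.1 and 203.0.113.2 are assumptions standing in for the ext.addr and int.addr2 values the post elides.

```python
"""Model of the three ipfw divert rules quoted in the message, to show which
packets ever reach natd and which stay on the normal firewall path.

Added illustration only: this is not code from the original post, from ipfw
or from natd. The sample packets are constructed, and the documentation-range
addresses 203.0.113.1 / 203.0.113.2 are assumptions standing in for the
ext.addr / int.addr2 values the post elides.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

NATD_PORT = 8668                          # natd's default divert port, as in the post
EXT_IF = "tx0"                            # external interface in the post
ALIAS_ADDR = ip_address("203.0.113.2")    # assumption: stands in for int.addr2


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    direction: str   # "in" (received) or "out" (transmitted)
    iface: str       # interface received on (in) or transmitted via (out)


@dataclass(frozen=True)
class DivertRule:
    """One 'ipfw add N divert PORT ip from SRC to DST in|out recv|xmit IF' rule."""
    number: int
    src_net: Optional[IPv4Network]   # None means 'any'
    dst_net: Optional[IPv4Network]
    direction: str                   # "in" pairs with 'recv', "out" with 'xmit'
    iface: str

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.direction == self.direction
            and pkt.iface == self.iface
            and (self.src_net is None or pkt.src in self.src_net)
            and (self.dst_net is None or pkt.dst in self.dst_net)
        )


# The rule set from 'ipfw show | grep diver' in the post, all on port 8668.
RULES: List[DivertRule] = [
    DivertRule(10000, ip_network("192.168.0.0/16"), None, "out", EXT_IF),
    DivertRule(10002, ip_network("172.17.0.0/16"), None, "out", EXT_IF),
    DivertRule(10010, None, ip_network(f"{ALIAS_ADDR}/32"), "in", EXT_IF),
]


def first_divert(pkt: Packet, rules: List[DivertRule] = RULES) -> Optional[int]:
    """ipfw is first-match: return the number of the first divert rule that
    catches pkt, or None if the packet never leaves the normal path."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.number
    return None


def natd_share(packets: List[Packet], rules: List[DivertRule] = RULES) -> float:
    """Fraction of the packets that would be handed to natd."""
    diverted = sum(1 for p in packets if first_divert(p, rules) is not None)
    return diverted / len(packets)


def pkt(src: str, dst: str, direction: str, iface: str) -> Packet:
    return Packet(ip_address(src), ip_address(dst), direction, iface)


# Constructed sample traffic (not captured from the poster's firewall).
SAMPLE_PACKETS = [
    pkt("192.168.1.10", "198.51.100.7", "out", "tx0"),  # RFC1918 host going out: natd
    pkt("172.17.5.5", "198.51.100.7", "out", "tx0"),    # second private range: natd
    pkt("198.51.100.7", "203.0.113.2", "in", "tx0"),    # reply to the alias: natd
    pkt("198.51.100.7", "203.0.113.1", "in", "tx0"),    # to ext.addr itself: normal path
    pkt("192.168.1.10", "192.168.2.20", "out", "tx1"),  # internal to internal: normal path
    pkt("203.0.113.1", "198.51.100.7", "out", "tx0"),   # firewall's own public src: normal path
]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        hit = first_divert(p)
        verdict = f"divert {NATD_PORT} (rule {hit})" if hit else "normal path"
        print(f"{p.src} -> {p.dst} {p.direction} {p.iface}: {verdict}")
    print(f"share reaching natd: {natd_share(SAMPLE_PACKETS):.0%}")
```

Only the outbound packets from the two private ranges and the inbound packets addressed to the alias address are diverted; traffic for the external address itself, internal-to-internal traffic and the firewall's own public-sourced traffic never touch natd, which is the saving the message describes.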