Date:      Mon, 31 May 1999 15:57:20 -0400 (EDT)
From:      David Gilbert <dgilbert@velocet.ca>
To:        Luigi Rizzo <luigi@labinfo.iet.unipi.it>
Cc:        net@FreeBSD.ORG
Subject:   natd question
Message-ID:  <14162.59808.260640.720788@trooper.velocet.ca>
In-Reply-To: <199905311555.RAA19371@labinfo.iet.unipi.it>
References:  <199905311555.RAA19371@labinfo.iet.unipi.it>

>>>>> "Luigi" == Luigi Rizzo <luigi@labinfo.iet.unipi.it> writes:

Luigi> But i wonder, is there a way to tell NATD to act straight on
Luigi> incoming packets, instead of forcing forwarding on, and having
Luigi> another pass through the firewall and the protocol stack ?

We realized this pretty early on because our firewall sees a large
amount of traffic (800 or more K/s) only 10-20K/s of which needs
natd.  With a standard configuration, natd can consume a large amount
of CPU to accomplish its task.

What we do is make natd run on an aliased interface (such that traffic 
would not normally go to/from it).  Here's the relevant config:

[I have abbreviated some of the output.  tx0 external, tx1 internal]

[1:25:325]root@hadrian:/u/dgilbert> ifconfig -a
tx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet ext.addr netmask 0xfffffff0 broadcast 
tx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet int.addr1 netmask 0xfffffff0 broadcast
        inet int.addr2 netmask 0xfffffff0 broadcast

[1:31:331]root@hadrian:/u/dgilbert> ipfw show | grep diver  

10000   1540557   461442293 divert 8668 ip from 192.168.0.0/16 to any out xmit tx0
10002    172667    29213136 divert 8668 ip from 172.17.0.0/16 to any out xmit tx0
10010   2309105  2227895942 divert 8668 ip from any to int.addr2 in recv tx0

Then I run...

natd -alias_address int.addr2

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             |  equal if and only if they |
|http://www.velocet.net/~dgilbert             |   are precisely opposite.  |
=========================================================GLO================
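The point of Dave's setup is that only the traffic that actually needs translation is diverted to natd, by pinning each divert rule to a direction and an interface. As an added example (not part of the post or of FreeBSD's own tooling), the Python below parses `ipfw show` output in the format quoted above and flags divert rules that are not restricted that way; the sample input reuses the three rules from the post plus one constructed, deliberately over-broad rule.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three divert rules quoted in the post, plus a
# hypothetical rule 10020 that would divert all tx0 traffic to natd.
SAMPLE_IPFW_SHOW = """\
10000   1540557   461442293 divert 8668 ip from 192.168.0.0/16 to any out xmit tx0
10002    172667    29213136 divert 8668 ip from 172.17.0.0/16 to any out xmit tx0
10010   2309105  2227895942 divert 8668 ip from any to int.addr2 in recv tx0
10020         5         400 divert 8668 ip from any to any via tx0
"""

# Matches one "ipfw show" line for a divert rule: number, packet and byte
# counters, divert port, then the match body starting at "ip from".
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"divert\s+(?P<port>\d+)\s+(?P<body>ip from .+?)\s*$"
)


@dataclass
class DivertRule:
    number: int
    packets: int
    nbytes: int
    port: int
    body: str


def parse_divert_rules(text):
    """Return the divert rules found in 'ipfw show' output, in order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(DivertRule(int(m["num"]), int(m["pkts"]),
                                    int(m["bytes"]), int(m["port"]), m["body"]))
    return rules


def is_narrow(rule):
    """True if the rule pins a direction (in/out) and an interface
    (recv/xmit <if>) and is not a catch-all 'from any to any' match."""
    has_direction = re.search(r"\b(in|out)\b", rule.body) is not None
    has_interface = re.search(r"\b(recv|xmit)\s+\S+", rule.body) is not None
    return has_direction and has_interface and "from any to any" not in rule.body


def broad_divert_rules(text):
    """Rule numbers that would send more traffic to natd than intended."""
    return [r.number for r in parse_divert_rules(text) if not is_narrow(r)]
```

Run `broad_divert_rules(SAMPLE_IPFW_SHOW)` against real `ipfw show` output to spot divert rules that lack the direction and interface qualifiers used in the post.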