From: Chuck Swiger
Organization: The Courts of Chaos
Date: Fri, 19 Nov 2004 13:18:47 -0500
Message-ID: <419E3907.8000904@mac.com>
To: Stephane Raimbault
Cc: net@freebsd.org
Subject: Re: using natd to load balance port 80 to multiple servers
List-Id: Networking and TCP/IP with FreeBSD

Stephane Raimbault wrote:
> I finally got around to testing out FreeBSD 5.3 + pf to replace my
> FreeBSD 4.9 + natd to forward port 80 to multiple backend servers. I
> see a huge performance difference.
> FreeBSD 5.3 + pf runs at about < 5% where FreeBSD 4.9 + natd was doing
> the same thing for around 20% cpu.
> I'm very happy with the performance difference.

OK, that's good.

> During my testing, I noticed that sometimes traffic going thru pf was
> locking up if I was doing too many requests from the same IP concurrently.

[ ... ]

> when I look at the pfctl -s state and grep for the IP address of one of
> these offices or firewall, I never see it go above 250 entries. Is
> there some sort of limitation or limit I'm reaching that I'm not aware
> of. Is this an anomaly or a bug?

I don't know enough about PF to give you advice on tuning it, but no, it is not surprising that you run into anomalies when you put a sufficiently large # of connections through NAT. Re-writing every packet and keeping all of that dynamic state is somewhat expensive in terms of latency and resources, and these expenses grow in proportion to the amount of traffic present.

I will repeat my suggestion that you use a real IP on your webserver and switch from doing PF + NAT to doing PF or IPFW + bridging instead.

--
-Chuck
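The per-client state check Stephane describes doing by hand with `pfctl -s state | grep`, written up as a small shell helper. This is an added example, not code from the thread or from the pf project; the `pfctl -s state` line format it parses (client address last in `<-` rdr chains, first in `->` nat chains) is an assumption modelled on pf output of that era, and the sample lines are constructed.

```shell
# Aggregate "pfctl -s state" output by client address so that per-client
# state growth (the ~250-entry plateau discussed in the thread) is visible.
# Assumed line shapes (constructed, not captured from a real box):
#   self tcp 10.0.0.1:80 <- 203.0.113.1:80 <- 198.51.100.7:4321 ESTABLISHED:ESTABLISHED
#   self tcp 192.168.1.5:4567 -> 203.0.113.1:50001 -> 10.0.0.9:80 ESTABLISHED:ESTABLISHED

# Constructed sample input standing in for "pfctl -s state".
SAMPLE_STATES='self tcp 10.0.0.1:80 <- 203.0.113.1:80 <- 198.51.100.7:4321 ESTABLISHED:ESTABLISHED
self tcp 10.0.0.2:80 <- 203.0.113.1:80 <- 198.51.100.7:4322 ESTABLISHED:ESTABLISHED
self tcp 10.0.0.1:80 <- 203.0.113.1:80 <- 198.51.100.9:1111 TIME_WAIT:TIME_WAIT
self tcp 192.168.1.5:4567 -> 203.0.113.1:50001 -> 10.0.0.9:80 ESTABLISHED:ESTABLISHED'

# Read state lines on stdin; print "count address" per client, busiest first.
count_states_per_client() {
    awk '
    /<-/ || /->/ {
        # Collect every addr:port token on the line, in order.
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9.]+:[0-9]+$/) tok[++n] = $i
        if (n == 0) next
        # Inbound (rdr) states are printed right-to-left, so the client is
        # the last token; outbound (nat) states list the client first.
        client = (index($0, "<-") > 0) ? tok[n] : tok[1]
        sub(/:[0-9]+$/, "", client)
        count[client]++
    }
    END { for (c in count) print count[c], c }
    ' | sort -rn
}

# Read state lines on stdin; print clients holding at least $1 states
# (default 200, a little below the 250 plateau seen in the thread).
clients_over_threshold() {
    limit="${1:-200}"
    count_states_per_client | awk -v lim="$limit" '$1 >= lim { print $2 }'
}

# Typical use on the firewall itself:
#   pfctl -s state | clients_over_threshold 200
# Try on the constructed sample:
#   printf '%s\n' "$SAMPLE_STATES" | count_states_per_client
```

Run it periodically and graph the top counts; a client that flattens out at a constant number while its requests stall is the symptom to look for before touching pf limits.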