From: Baldur Gislason <baldur@foo.is>
To: Brett Glass
Cc: net@freebsd.org
Date: Sat, 21 Oct 2006 09:38:35 +0000
Subject: Re: Avoiding natd overhead
Message-ID: <20061021093835.GY804@gremlin.foo.is>
In-Reply-To: <200610210648.AAA01737@lariat.net>
References: <200610210648.AAA01737@lariat.net>
List-Id: Networking and TCP/IP with FreeBSD

In that situation I have used IPFW for filtering and IPF for doing NAT.
But NAT is in its nature a very processor and memory intensive process; I wouldn't recommend that anyone run NAT if they have more than 10Mb bandwidth and more than 100 nodes on their network.
Baldur

On Sat, Oct 21, 2006 at 12:47:54AM -0600, Brett Glass wrote:
> I'm working with a FreeBSD-based router that's using IPFW for
> policy routing, traffic shaping, and transparent proxying and natd
> for network address translation. IPFW does these things pretty well
> (in fact, I don't know if another firewall, like pf, could even do
> some of these things I'm doing with IPFW), but natd is by far the
> most CPU-intensive process on the system and is causing it to
> crumple like a wet towel under heavy loads. How can I replace just
> the functionality of natd without moving to an entirely new
> firewall? Can I still select which packets are routed to the NAT
> engine, and when this occurs during the processing of the packet?
>
> --Brett Glass
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
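The split Baldur describes, IPFW for filtering and IPFilter's in-kernel ipnat for translation instead of the userland natd divert socket, as an added configuration example that is not from the thread or from either poster. The interface name fxp0, the 192.168.1.0/24 inside network and the port range are assumptions; substitute your own. The natd divert rule that the IPFW ruleset would otherwise carry is simply absent here, since ipnat does the rewriting on its own pfil hook.

```conf
# /etc/rc.conf (assumed fragment): enable IPFilter for NAT only, IPFW for policy
ipfilter_enable="YES"            # loads ipl.ko; with no ipf rules it passes everything
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"  # file of "add ..." lines read by ipfw(8)

# /etc/ipf.rules: leave all filtering to IPFW
pass in all
pass out all

# /etc/ipnat.rules: in-kernel NAT for the inside network (assumed addresses)
# portmap rewrites TCP/UDP source ports into a fixed range; the second
# rule catches everything else (ICMP etc.) without port rewriting.
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map fxp0 192.168.1.0/24 -> 0/32

# /etc/ipfw.rules: stateful policy, no "divert natd" rule needed any more
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 check-state
add 500 allow tcp from 192.168.1.0/24 to any out via fxp0 setup keep-state
add 510 allow udp from 192.168.1.0/24 to any out via fxp0 keep-state
add 520 allow icmp from 192.168.1.0/24 to any out via fxp0 keep-state
add 600 allow tcp from any to me 22 in via fxp0 setup keep-state
add 65000 deny log ip from any to any
```

Which addresses IPFW sees on the outbound path (private or already translated) depends on the order in which the two pfil hooks were registered, which follows module load order, so after loading both check the per-rule counters with ipfw -a list and the translation table with ipnat -l before trusting the policy; if rule 500 never matches, the ruleset is matching against the wrong side of the translation. Keep the ipf.rules pass-all lines in place: an empty IPFilter rule set also passes everything, but an explicit pass makes the intent visible to the next administrator.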