From: Chris Bowman
Date: Sat, 21 Oct 2006 08:29:25 -0500
To: Brett Glass
Cc: net@freebsd.org
Subject: Re: Avoiding natd overhead
Message-ID: <453A20B5.9010108@austin.rr.com>
In-Reply-To: <200610210648.AAA01737@lariat.net>
List-Id: Networking and TCP/IP with FreeBSD

I see this question come up now and then on the lists, so I'll share what I've learned about natd and performance!

First, if you're running natd on a processor which supports more functions than just a standard 386, i.e. a Pentium, Athlon, etc., then I've found that compiling natd with make flags for that processor, and with O3 optimizations, will make your jaw drop in comparison to the default installed version of natd.

If you have the sources downloaded for FreeBSD, you can find the natd source in /usr/src/sbin/natd. Just recompile natd itself, or when you re-build world for your system, make sure you have make flags set in make.conf so everything will rebuild with optimized flags. However, I don't recommend O3 at all for a build world; it will almost definitely break something. For natd itself, it works fine.

That's about it! Very simple, but I think it's often overlooked. Of course there are a few variables with NAT and performance: number of hosts, number of connections each host is using simultaneously (Torrents *cough*). You don't want to overload natd itself: 65535 TCP, UDP ports, keep that in mind. If you're doing NAT for a large number of hosts, break down your IP range into sections and run natd multiple times to help balance the load.

Thanks!
Chris Bowman

Brett Glass wrote:
> I'm working with a FreeBSD-based router that's using IPFW for policy
> routing, traffic shaping, and transparent proxying and natd for
> network address translation. IPFW does these things pretty well (in
> fact, I don't know if another firewall, like pf, could even do some of
> these things I'm doing with IPFW), but natd is by far the most
> CPU-intensive process on the system and is causing it to crumple like
> a wet towel under heavy loads. How can I replace just the
> functionality of natd without moving to an entirely new firewall? Can
> I still select which packets are routed to the NAT engine, and when
> this occurs during the processing of the packet?
>
> --Brett Glass
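Chris's last suggestion, splitting the LAN across several natd instances so that no single 65535-port translation table carries every host, as an added example that is not from the original post. It assumes an external interface named fxp0, two constructed alias addresses from 203.0.113.0/24 (RFC 5737), and a 192.168.0.0/24 LAN cut into two /25s; the functions only print the ipfw and natd commands, they do not execute them.

```sh
#!/bin/sh
# Added example (not from the original post): one natd instance per LAN slice,
# each pinned to its own alias address and divert port, so inbound replies
# can be steered to the instance that owns the mapping.
# Addresses and interface name below are constructed and must be replaced.

EXT_IF="fxp0"   # assumed external interface

# nat_rules LAN_NET ALIAS_ADDR DIVERT_PORT RULE_NO
# Print the two ipfw divert rules for one natd instance:
#   outbound: packets from this LAN slice go to this instance's divert port
#   inbound : packets addressed to this instance's alias address come back to it
nat_rules() {
    lan="$1"; alias="$2"; port="$3"; rule="$4"
    printf 'ipfw add %s divert %s ip from %s to any out via %s\n' \
        "$rule" "$port" "$lan" "$EXT_IF"
    printf 'ipfw add %s divert %s ip from any to %s in via %s\n' \
        "$rule" "$port" "$alias" "$EXT_IF"
}

# natd_cmd ALIAS_ADDR DIVERT_PORT
# Print the natd invocation for one instance:
#   -p            divert port this instance listens on (default is 8668)
#   -a            public (alias) address used for this instance's mappings
#   -u            translate only unregistered (RFC 1918) source addresses
#   -deny_incoming  drop inbound packets that match no existing mapping
natd_cmd() {
    printf 'natd -p %s -a %s -u -deny_incoming\n' "$2" "$1"
}

# Plan for two slices; rule numbers are separate so each pair stays readable.
nat_rules 192.168.0.0/25   203.0.113.1 8668 1000
nat_rules 192.168.0.128/25 203.0.113.2 8669 1010
natd_cmd 203.0.113.1 8668
natd_cmd 203.0.113.2 8669
```

Each instance keeps its own table, so a single host hammering one slice (the Torrents case above) exhausts only that instance's ports; -deny_incoming keeps unsolicited inbound packets from reaching the LAN untranslated.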