Date:      Mon, 27 Sep 2004 12:22:34 -0300 (ART)
From:      gkullak@fi.uba.ar
To:        freebsd-net@freebsd.org
Subject:   ipnat of ipfilter crash with too many mapping?
Message-ID:  <32934.161.190.1.253.1096298554.squirrel@161.190.1.253>

Hi!
I'm running FreeBSD 4.10 with ProFTP, Apache, Tomcat, Samba, Squid, SSH
Server, MySQL and PostgreSQL.
This machine is directly connected to the Internet and is a firewall for an
internal LAN.
For the firewall I am using ipfilter (ipf and ipnat).

                                                     |-> 172.16.0.2
 Internet ---> (200.0.0.1)FreeBSD Box (172.16.0.254) |
                    fxp0                   fxp1      |-> 172.16.0.3

The problem is that when I run Overnet from 172.16.0.2, the NAT dies.
What I mean: FreeBSD runs a transparent proxy to Squid on port 8080. ipnat
redirects all requests to outside port 80 to 8080.
This works fine, but when I start Overnet the NAT table begins to grow up to
600 mappings!!!
The bandwidth of my Internet connection is 512Kbps.
If I view the system status (top), the system is normal = 98% idle.

I am really thinking that the ipnat daemon does not work too well for this type of
connection, because at my work I have the same schema with more machines
in the LAN, but for firewalling I am using "iptables" on a Red Hat Linux 7.3
box with 2 Overnet programs running on different machines, and the
connection never dies.

I refer in all cases to the "connection", but I don't know if what dies is the
connection, the system, the ipnat program or something else.

I tried ipnat compiled into the kernel and I tried ipnat loaded as a module from
rc.conf (current form).

The real thing is that when I stop Overnet and run "ipnat -CF -f
/etc/ipnat.rules" to flush and reload the NAT rules, the connection runs
fast again.

Example: if Overnet is running on 172.16.0.2 and I want to start
RealPlayer to listen to a radio channel on 172.16.0.3, I get an error (cannot
connect). In this same case, I try to navigate to www.yahoo.com, but I
get "Page not found" (remember the transparent proxy uses ipnat to resolve).
But in this situation, if I set the browser to use the proxy server in Internet Options,
the Yahoo page loads (slowly, but it loads).

I know that Overnet uses a lot of the bandwidth of the Internet connection, but I
am thinking that ipnat does not work very well with this type of load.

As a test I will try putting a Red Hat Linux box in to manage the NAT
and see if it works better.

Do you have another idea that I can try to resolve the problem?

Thanks!

Regards.
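Before swapping the firewall box, it helps to see which LAN host is holding the mappings when the table climbs toward the 600 the post describes. The script below is an added example, not code from the poster or from the ipfilter project: it summarises an `ipnat -l` session listing per internal host. The listing embedded in it is a constructed sample written in the style of `ipnat -l` output (the exact column layout on a given ipfilter version may differ, so the parser keys only on the leading MAP/RDR keyword and the first address after it); the 198.51.100.x and 203.0.113.x peers are documentation addresses, and the threshold of 3 is arbitrary.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ipnat(8) sessions
# per LAN host so the machine holding most NAT mappings is visible without
# flushing the table with "ipnat -CF -f /etc/ipnat.rules".

# Constructed sample in the style of "ipnat -l" output; not captured from a
# real box. Addresses follow the diagram in the post (fxp0 = 200.0.0.1,
# fxp1 = 172.16.0.254, LAN hosts 172.16.0.2 and 172.16.0.3).
SAMPLE_IPNAT_OUTPUT='List of active MAP/Redirect filters:
map fxp0 172.16.0.0/24 -> 200.0.0.1/32 portmap tcp/udp 10000:60000
rdr fxp1 0.0.0.0/0 port 80 -> 172.16.0.254 port 8080 tcp

List of active sessions:
MAP 172.16.0.2      4661  <- -> 200.0.0.1    10001 [198.51.100.7 4662]
MAP 172.16.0.2      4662  <- -> 200.0.0.1    10002 [198.51.100.8 4662]
MAP 172.16.0.2      4663  <- -> 200.0.0.1    10003 [198.51.100.9 4662]
MAP 172.16.0.3      3456  <- -> 200.0.0.1    10004 [203.0.113.5 554]
RDR 172.16.0.254    8080  <- -> 203.0.113.10 80    [172.16.0.3 3457]'

# Print "count host" for every LAN host with MAP sessions, busiest first.
# $1: text of an ipnat -l listing.
nat_sessions_per_host() {
    printf '%s\n' "$1" | awk '$1 == "MAP" { n[$2]++ }
        END { for (h in n) printf "%d %s\n", n[h], h }' | sort -rn
}

# Total number of active sessions (MAP and RDR lines) in the listing.
nat_session_total() {
    printf '%s\n' "$1" | awk '$1 == "MAP" || $1 == "RDR" { c++ }
        END { print c + 0 }'
}

# Print the LAN hosts whose MAP session count is at or above threshold $2.
nat_hosts_over() {
    nat_sessions_per_host "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run: with "--live" and ipnat installed (needs root), read the
# real table; otherwise fall back to the constructed sample.
if [ "${1:-}" = "--live" ] && command -v ipnat >/dev/null 2>&1; then
    LISTING=$(ipnat -l)
else
    LISTING=$SAMPLE_IPNAT_OUTPUT
fi
echo "active sessions: $(nat_session_total "$LISTING")"
nat_sessions_per_host "$LISTING"
echo "hosts at or above 3 sessions: $(nat_hosts_over "$LISTING" 3)"
```

Run it as `sh nat-sessions.sh` for the sample, or `sh nat-sessions.sh --live` as root on the firewall; a single host dominating the per-host column points at that client's traffic pattern rather than at ipnat itself.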
