From: veedee@c7.campus.utcluj.ro
To: "Eric Anderson"
Cc: freebsd-performance@freebsd.org, Clement Laforet
Date: 6 May 2003 07:20:44 +0300
Message-ID: <20030506042044.GA84589@c7.campus.utcluj.ro>
In-Reply-To: <3EB6A0BF.1040803@centtech.com>
Subject: Re: NAT performance tweaks

On Mon, May 05, 2003 at 12:34:55PM -0500, Eric Anderson wrote:
> Clement Laforet wrote:
> >On Mon, 05 May 2003 09:41:38 -0500
> >Eric Anderson wrote:
> >
> >>Does anyone have any tweaks they apply to NAT firewalls that pass a
> >>lot of connections through them? Here's the only tweak I have in place
> >>already, but I'm not sure they're needed yet (or if there are any
> >>tweaks needed at all):
> >
> >Which NAT solution do you use?
>
> IPNAT and ipfilter..
>
> >>sysctl kern.ipc.somaxconn=8192
> >
> >
> >NAT'ing (except for natd, which uses IPDIVERT (but not more than 3))
> >doesn't use sockets to translate packets.
> >Generally, packets are tagged by firewall control software and
> >translated within the IP stack (at least in kernel land).
>
> Oh yea, that's right.. So can you think of any kernel or other tweaks to
> be done, to ensure optimal usage of the machine in this environment?
> What about mail coming in/out of the machine? I do a fair amount of mail
> through it (out through NAT, in through Sendmail) also..

If you have a large network behind your NAT server, defining LARGE_NAT in
src/contrib/ipfilter/ip_nat.h and src/sys/contrib/ipfilter/netinet/ip_nat.h
might help. Don't forget to recompile the kernel and ipfilter.
Strangely enough, I used to have huge pings (up to 80ms in a totally
switched gigabit network) after a few hours of utilization before fiddling
with LARGE_NAT.

> Eric
>
>
> --
> ------------------------------------------------------------------
> Eric Anderson        Systems Administrator      Centaur Technology
> Attitudes are contagious, is yours worth catching?
> ------------------------------------------------------------------

--
| Radu Bogdan Rusu | Network Administrator @ campus.utcluj.ro        |
| cvsup3.ro/www4.ro.freebsd.org maintainer   |->5b736c616d215d<-|
| Faculty of Automation & Computer Science @ UTCluj , Romania       |
|-------------------------------------------------------------|
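The LARGE_NAT step above is a compile-time switch in ipfilter's ip_nat.h, so the define has to appear before the `#ifdef LARGE_NAT` block that selects the larger table sizes, and it has to be applied to both copies of the header named in the message before the kernel and the ipfilter userland are rebuilt. The script below is an added example, not code from the thread or from the ipfilter project: it patches a header idempotently and checks that the define actually precedes the `#ifdef`. The header excerpt it writes is constructed to mimic that block (its numbers are illustrative, not the real values), the header paths are taken from the message, and the rebuild commands in the comments are an assumption to adapt to your own tree and kernel config.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently enable ipfilter's
# compile-time LARGE_NAT option in a copy of ip_nat.h, and verify that
# the define lands before the '#ifdef LARGE_NAT' block that selects the
# larger NAT table sizes. The header excerpt written below is CONSTRUCTED
# to mimic that block; its numbers are illustrative, not the real ones.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ip_nat.h" <<'EOF'
/* constructed excerpt standing in for ip_nat.h */
#ifndef __IP_NAT_H__
#define __IP_NAT_H__

#ifdef LARGE_NAT
#define NAT_SIZE 2047
#else
#define NAT_SIZE 127
#endif

#endif /* __IP_NAT_H__ */
EOF

# large_nat_enabled FILE
# Succeeds only if '#define LARGE_NAT' appears before the first
# '#ifdef LARGE_NAT'; a define placed after the ifdef has no effect.
large_nat_enabled() {
    awk '
        /^#define[[:space:]]+LARGE_NAT/ && !def { def = NR }
        /^#ifdef[[:space:]]+LARGE_NAT/          { ifd = NR; exit }
        END { exit !(def && ifd && def < ifd) }
    ' "$1"
}

# enable_large_nat FILE
# Inserts '#define LARGE_NAT 1' immediately before the first
# '#ifdef LARGE_NAT'. Safe to run repeatedly: a second run is a no-op.
enable_large_nat() {
    hdr=$1
    if large_nat_enabled "$hdr"; then
        return 0
    fi
    grep -q '^#ifdef[[:space:]]*LARGE_NAT' "$hdr" || {
        echo "enable_large_nat: no '#ifdef LARGE_NAT' block in $hdr" >&2
        return 1
    }
    awk '
        /^#ifdef[[:space:]]+LARGE_NAT/ && !done { print "#define LARGE_NAT 1"; done = 1 }
        { print }
    ' "$hdr" > "$hdr.tmp" && mv "$hdr.tmp" "$hdr"
}

# With header paths on the command line, patch those (the thread names
# src/contrib/ipfilter/ip_nat.h and src/sys/contrib/ipfilter/netinet/ip_nat.h,
# relative to /usr); with none, demonstrate on a copy of the constructed header.
if [ $# -gt 0 ]; then
    for f in "$@"; do
        enable_large_nat "$f"
        echo "LARGE_NAT defined in $f"
    done
    # Rebuild afterwards (assumed commands; adjust to your tree and kernel):
    #   cd /usr/src && make buildkernel KERNCONF=MYKERNEL && make installkernel
    # and rebuild the ipfilter userland (ipf/ipnat) from the same tree.
else
    cp "$WORK/ip_nat.h" "$WORK/demo.h"
    enable_large_nat "$WORK/demo.h"
    large_nat_enabled "$WORK/demo.h" && echo "demo: LARGE_NAT defined in $WORK/demo.h"
fi
```

Run it with no arguments to see it work on the constructed header, or pass the two real ip_nat.h paths to patch them in place; the `large_nat_enabled` check is the part worth keeping, since a define that ends up after the `#ifdef` compiles cleanly but changes nothing.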