Date: Fri, 11 May 2007 14:37:43 +0200 (CEST)
From: Erik Norgaard <norgaard@locolomo.org>
To: Todor Dragnev <todor.dragnev@gmail.com>
Cc: freebsd-isp@freebsd.org, questions@freebsd.org
Subject: Re: Large scale NAT
Message-ID: <20070511143235.Y6855@strange.locolomo.org>
In-Reply-To: <f72a639a0705110442p757b683fj545c75f4cc71155e@mail.gmail.com>
References: <f72a639a0705110442p757b683fj545c75f4cc71155e@mail.gmail.com>

On Fri, 11 May 2007, Todor Dragnev wrote:

> Hello list,
>
> I have about 4000 users behind NAT. I use ipnat(ipf) on single freebsd box(
> v6.2) to translate RFC1918 ip addresses to real one.
>
> All works fine, but my CPU usage is very high and router starts to drop
> packets and sometimes freeze.
> I fix freezes problem with POLLING but CPU usage is still very high.
>
> Throughput on one interface is about 200Mbit/s, but next month I will need
> more speed to pass through this box and I looking for better solution
>
> What is the throughput limit what I can expect from FreeBSD in this
> situation?
>
> Are someone in the list have experience with large NAT tables?
> It is time to switch to Cisco or something similar - any suggestions ?

There is a comparison of ip-filter and packet filter here

http://www.benzedrine.cx/pf-paper.html

Rather old now, but as I understand, pf does a better job when tables grow
large when filtering is stateful.

Cheers, Erik