From owner-freebsd-questions@FreeBSD.ORG Tue Nov 27 06:48:04 2007
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BE65916A418; Tue, 27 Nov 2007 06:48:04 +0000 (UTC) (envelope-from tedm@toybox.placo.com)
Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [65.75.192.90]) by mx1.freebsd.org (Postfix) with ESMTP id 66FF813C442; Tue, 27 Nov 2007 06:48:04 +0000 (UTC) (envelope-from tedm@toybox.placo.com)
Received: from TEDSDESK (nat-rtr.freebsd-corp-net-guide.com [65.75.197.130]) by mail.freebsd-corp-net-guide.com (8.13.8/8.13.8) with SMTP id lAR6m3IA094273; Mon, 26 Nov 2007 22:48:03 -0800 (PST) (envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt"
To: "Jerahmy Pocott"
Date: Mon, 26 Nov 2007 22:49:35 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1914
Importance: Normal
Cc: FreeBSD Questions
Subject: RE: Difficulties establishing VPN tunnel with IPNAT
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 27 Nov 2007 06:48:04 -0000

> -----Original Message-----
> From: Jerahmy Pocott [mailto:quakenet1@optusnet.com.au]
> Sent: Sunday, November 25, 2007 4:48 AM
> To: Ted Mittelstaedt
> Cc: FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>
>
> Perhaps, but I've heard a lot of good things about IPF and IPNAT,
> especially since the nat is all in kernel whereas natd is userland, so
> there is a slight performance boost possibly there as well..

I will address this one point here since it's enough to make someone
scream, it's such an old chestnut.

natd is always criticized because going to userland is slow. So, people
who have slowness problems think that is the issue. In reality, the
problem is that the DEFAULT setup and man page examples for natd use the
following ipfw divert rule:

    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via ed0
    /sbin/ipfw add pass all from any to any

This produces a rule such as the following:

    00050 divert 8668 ip from any to any via de0

The problem though, is this is wrong. What it is doing is that ALL
traffic that comes into and out of the box - no matter what the source
and destination is - will be passed to the natd translator.

What you SHOULD be using is a set of commands such as:

    ipfw add divert natd ip from any to [outside IP address] in recv [outside interface]
    ipfw add divert natd ip from not [outside IP address] to any out recv [inside interface] xmit [outside interface]

What these rules do is ONLY pass traffic to natd that needs natting -
that is, traffic that is passing through the FreeBSD box onward to the
Internet. Traffic that is broadcast, or traffic that is a destination of
the nat box itself (such as if the nat box is also running a proxy
server, mailserver, fileserver, etc.) or sourced from the nat box, is
NOT passed to natd.

There are some pretty fast Internet connection circuits out there these
days - DSL and Cable can both offer up to 10Mbt of bandwidth. But, these
are nothing compared to the bandwidth of a 100BaseT ethernet card, or
the PCI bus of a computer. If someone is saturating their natd with
filesharing traffic to the nat box, why then no wonder they are seeing
things run slow.

Ted
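The following is an added example, not code from the original thread or from FreeBSD, that models the two divert rule sets from Ted's reply and runs a handful of constructed packets through each, so the difference in what reaches natd can be seen rather than argued. The outside address (203.0.113.10), the interface names (de0 outside, fxp0 inside) and the sample packets are assumptions chosen for the illustration; ipfw's "via" is modelled as matching a packet received on or transmitted out of the named interface, "in"/"out" as the packet's direction, and "recv"/"xmit" as the receive and transmit interfaces (a locally generated packet has no receive interface).

```python
"""Model which packets two ipfw divert rule sets would hand to natd.

Added example; addresses, interface names and sample packets are
constructed assumptions, not taken from the original post.
"""
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.10"  # assumed outside address of the nat box
OUTSIDE_IF = "de0"           # assumed outside interface
INSIDE_IF = "fxp0"           # assumed inside (LAN) interface


@dataclass(frozen=True)
class Packet:
    label: str
    src: str
    dst: str
    direction: str  # "in" (entering the box) or "out" (leaving it)
    recv: str       # interface received on; "" if generated by the box
    xmit: str       # interface transmitted on; "" if delivered to the box


def catchall_diverts(pkt: Packet) -> bool:
    """'divert natd ip from any to any via de0': matches every packet
    that was received on, or is being sent out of, the outside interface."""
    return OUTSIDE_IF in (pkt.recv, pkt.xmit)


def narrow_diverts(pkt: Packet) -> bool:
    """The two-rule replacement from the post:
    'ip from any to OUTSIDE_IP in recv OUTSIDE_IF'
    'ip from not OUTSIDE_IP to any out recv INSIDE_IF xmit OUTSIDE_IF'."""
    inbound = (pkt.direction == "in" and pkt.dst == OUTSIDE_IP
               and pkt.recv == OUTSIDE_IF)
    outbound = (pkt.direction == "out" and pkt.src != OUTSIDE_IP
                and pkt.recv == INSIDE_IF and pkt.xmit == OUTSIDE_IF)
    return inbound or outbound


# Constructed sample traffic (not a capture).
SAMPLE = [
    Packet("LAN host to Internet", "192.168.1.20", "198.51.100.5",
           "out", INSIDE_IF, OUTSIDE_IF),
    Packet("Internet reply to outside IP", "198.51.100.5", OUTSIDE_IP,
           "in", OUTSIDE_IF, ""),
    Packet("broadcast arriving on outside if", "203.0.113.1",
           "255.255.255.255", "in", OUTSIDE_IF, ""),
    Packet("nat box's own mail to Internet", OUTSIDE_IP, "198.51.100.25",
           "out", "", OUTSIDE_IF),
]


def compare(packets=SAMPLE):
    """Return {label: (catch-all rule diverts?, narrow rules divert?)}."""
    return {p.label: (catchall_diverts(p), narrow_diverts(p)) for p in packets}


def saved_by_narrow_rules(packets=SAMPLE):
    """Labels of packets the catch-all rule sends to natd but the
    narrow rules keep out of the userland round trip."""
    return [p.label for p in packets
            if catchall_diverts(p) and not narrow_diverts(p)]


if __name__ == "__main__":
    for label, (wide, narrow) in compare().items():
        print(f"{label:36s} catch-all={wide!s:5} narrow={narrow!s:5}")
    print("kept out of natd by the narrow rules:", saved_by_narrow_rules())
```

Forwarded LAN-to-Internet traffic and replies addressed to the outside IP are diverted by both rule sets, as they must be for translation to work; the broadcast arriving on the outside interface and the traffic the box itself originates are diverted only by the catch-all rule, which is the load the narrow rules remove from natd.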