Date: Fri, 19 Nov 2004 10:20:50 -0700
From: "Stephane Raimbault" <segr@hotmail.com>
To: cswiger@mac.com
Cc: net@freebsd.org
Subject: Re: using natd to load balance port 80 to multiple servers
Message-ID: <BAY24-F203179185F6D96B66806CECCC30@phx.gbl>
In-Reply-To: <417A82BD.1090100@mac.com>
I finally got around to testing out FreeBSD 5.3 + pf to replace my FreeBSD 4.9 + natd to forward port 80 to multiple backend servers. I see a huge performance difference. FreeBSD 5.3 + pf runs at about < 5% CPU where FreeBSD 4.9 + natd was doing the same thing for around 20% CPU. I'm very happy with the performance difference.

During my testing, I noticed that sometimes traffic going through pf was locking up if I was doing too many requests from the same IP concurrently. I was running ab from one machine with 50 concurrent and 50000 total requests. It seemed to lock up after hitting 500 requests, so I ran ab from 6 different machines with < 500 requests and my tests revealed positive results.

I have put this solution into production; however, this problem seems to plague me again. Apparently people behind firewalls are running into this problem as multiple users from an office would try to connect to the site. When I look at the pfctl -s state output and grep for the IP address of one of these offices or firewalls, I never see it go above 250 entries. Is there some sort of limitation or limit I'm reaching that I'm not aware of? Is this an anomaly or a bug?

Otherwise it seems like the system is running quite well and I am very pleased.

Thank you for your suggestion of pf,

Stephane.

>From: Chuck Swiger <cswiger@mac.com>
>To: Stephane Raimbault <segr@hotmail.com>
>CC: net@freebsd.org
>Subject: Re: using natd to load balance port 80 to multiple servers
>Date: Sat, 23 Oct 2004 12:11:41 -0400
>
>Stephane Raimbault wrote:
>>I'm currently using a FreeBSD box running natd to forward port 80 to
>>several (5) web servers on private IPs.
>
>OK.
>
>>I have discovered that natd doesn't handle many requests/second all that
>>well (seems to choke at about 200 req/second (educated guess))
>
>Let's take that number as being right, although the first consideration
>when doing performance tuning is that you need to measure things accurately
>enough that you can see whether a change makes a meaningful difference.
>
>There are plenty of tools available in the ports tree, although you could
>start with "ab" from apache.
>
>Next, you ought to read "man tuning" and look into adjusting HZ,
>NMBCLUSTERS in your kernel config, using any hardware support for your NICs
>(-link0 option) or try using device polling.
>
>You should probably investigate the net.inet sysctls, particularly those
>controlling retransmit time intervals net.inet.tcp.rexmit_min and the
>keepalive and net.inet.ip.fw.dyn*lifetime tunables.
>
>>There are other packet filtering options on FreeBSD and I wonder if I can
>>use them to do what I'm trying to do with natd.
>
>It's true that natd runs in userspace, which creates more overhead, so
>using PF instead might be worth doing, sure.
>
>>Would someone be able to point me to documentation or help me have either
>>ipf/ipfw/pf forward port 80 traffic to private space IPs?
>
>Consider http://www.openbsd.org/faq/pf/index.html
>
>>Is there a better way of splitting port 80 traffic across multiple webservers
>>that has eluded me? Other than a commercial content switch that is :)
>
>Oh, sure.
>
>The most obvious solution to the problem is to give all of the servers real
>IPs and use some other form of balancing (DNS round-robin, or splitting the
>content somehow [static vs dynamically generated?]), and avoid dealing with
>NAT altogether.
>
>--
>-Chuck
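Stephane's check above (grepping "pfctl -s state" for one office's address and watching it plateau around 250 entries) is easy to automate, and doing so makes it clearer whether one NAT'd office is holding an unusual number of states or the whole table is simply full. The script below is an added example for this thread, not code from the thread or from pf itself. It assumes the state-line shape shown in SAMPLE_STATES (backend <- public address <- client for rdr'd connections, client -> nat address -> server for outbound ones); the sample lines are constructed, and real pfctl output varies between pf versions, so parse_state_line() may need adjusting.

```python
"""Count pf states per originating address from `pfctl -s state` output.

Added example for this thread, not code from the thread or from pf.
The line shape is an assumption; see SAMPLE_STATES and parse_state_line().
"""
import re
import sys
from collections import Counter

# Constructed sample of `pfctl -s state` output (not captured from a real
# system).  Assumed shape: for connections redirected to a backend with rdr,
# "<if> <proto> <backend> <- <public addr> <- <client>   <state>"; for
# outbound (nat) connections, "<client> -> <nat addr> -> <server>".
SAMPLE_STATES = """\
self tcp 10.0.0.11:80 <- 203.0.113.10:80 <- 198.51.100.20:40001       ESTABLISHED:ESTABLISHED
self tcp 10.0.0.12:80 <- 203.0.113.10:80 <- 198.51.100.20:40002       ESTABLISHED:ESTABLISHED
self tcp 10.0.0.13:80 <- 203.0.113.10:80 <- 198.51.100.20:40003       FIN_WAIT_2:FIN_WAIT_2
self tcp 10.0.0.11:80 <- 203.0.113.10:80 <- 192.0.2.77:51000          ESTABLISHED:ESTABLISHED
self udp 203.0.113.10:53210 -> 203.0.113.10:53210 -> 192.0.2.53:53    MULTIPLE:SINGLE
"""

# "addr:port" token; the greedy address class backtracks to the last colon,
# so IPv6 literals with embedded colons parse too.
ENDPOINT = re.compile(r"^(?P<addr>[0-9A-Fa-f.:]+):(?P<port>\d+)$")


def parse_state_line(line):
    """Parse one state line into a dict, or return None for anything else."""
    parts = line.split()
    if len(parts) < 5 or parts[1] not in ("tcp", "udp", "icmp"):
        return None
    middle = parts[2:-1]
    endpoints = [p for p in middle if ENDPOINT.match(p)]
    arrows = [p for p in middle if p in ("<-", "->")]
    if len(endpoints) < 2 or not arrows:
        return None
    # "<-": the originator is the rightmost endpoint; "->": the leftmost.
    if arrows[0] == "<-":
        src, dst = endpoints[-1], endpoints[0]
    else:
        src, dst = endpoints[0], endpoints[-1]
    src_addr, _ = src.rsplit(":", 1)
    dst_addr, dst_port = dst.rsplit(":", 1)
    return {"proto": parts[1], "src": src_addr, "dst": dst_addr,
            "dst_port": int(dst_port), "state": parts[-1]}


def states_per_source(output, proto="tcp", dst_port=None):
    """Count states per originating address, optionally for one destination port."""
    counts = Counter()
    for line in output.splitlines():
        entry = parse_state_line(line)
        if entry is None or entry["proto"] != proto:
            continue
        if dst_port is not None and entry["dst_port"] != dst_port:
            continue
        counts[entry["src"]] += 1
    return counts


def sources_over_threshold(counts, threshold):
    """Sources holding at least `threshold` states, busiest first."""
    busy = [(addr, n) for addr, n in counts.items() if n >= threshold]
    return sorted(busy, key=lambda item: (-item[1], item[0]))


def main():
    # Read live output from a pipe (pfctl -s state | python3 pfstates.py);
    # otherwise fall back to the constructed sample.
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    counts = states_per_source(output, proto="tcp", dst_port=80)
    print("port 80 states held per client address:")
    for addr, n in sorted(counts.items(), key=lambda item: -item[1]):
        print(f"  {addr:>15}  {n}")
    # 250 is the per-office ceiling reported in the thread; flag anything near it.
    for addr, n in sources_over_threshold(counts, 200):
        print(f"WARNING: {addr} holds {n} states, close to the ~250 plateau reported")


if __name__ == "__main__":
    main()
```

Run it as "pfctl -s state | python3 pfstates.py" on the pf box while an affected office is connecting. If one client address sits at the same ceiling every time while the total is far below the configured state limit ("set limit states" in pf.conf), the cap is per-source rather than table-wide; if the total is at the limit, the table itself is full and every client suffers.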