Date: Tue, 11 Oct 2016 08:34:53 +0000
From: Kamil Choudhury <Kamil.Choudhury@anserinae.net>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Slow NAT on 10.3-RELEASE
Message-ID: <F9A7386EC2A26E4293AF13FABCCB32B3032E2813BF@janus.anserinae.net>
Hey freebsd-pf:

I'm on FreeBSD 10.3-RELEASE, and attempting to route all traffic from jail1 to the
internet out of router.vtnet0 using PF. It *works*, but not well: boundary's
NAT tops out at a blistering 20KBps on a 100Mbps internet connection.

Here's the topology I'm working with:

client1.tap0 <--1--> tap1.intermediate1.tap0 <--2--> tap0.boundary.vtnet0 --> internet
       .vlan0
          |
          +--> jail1 (10.0.0.33)

There are layers of PF firewalls; stripped of all nonsense here are their pf.confs:

[client1]

if_ext = "vtnet0"
set skip on lo0
scrub in
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all
pass in quick on tap0 reply-to (tap0 192.168.53.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap0 192.168.53.1) from 10.0.0.0/24 to any keep state (floating)

[intermediate]

if_ext = "vtnet0"
set skip on lo0
scrub in
pass in all
pass out all
pass in quick on tap1 reply-to (tap1 192.168.2.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap1 192.168.2.1) from 10.0.0.0/24 to any keep state (floating)

[boundary]

if_ext = "vtnet0"
set skip on lo0
scrub in
rdr on $if_ext proto tcp from any to $if_ext port 25 -> 10.0.0.33
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all

Diagnostics:

iperf from jail1 to boundary.tap0 is about 50-60Mbps, so I am ruling out
configuration issues on Links 1 and 2.

All hosts can ping everyone, and ping packets to the internet from jail1 go
out the door to the internet from boundary1. It looks, therefore, like routing
is set up correctly as well on all the hosts.

All of these hosts are virtualized on Vultr (haven't tried on DO or EC2).
Links 1 and 2 are OpenVPN connections, FWIW.

I've seen some mention of checksum issues on NAT limiting performance, but that
seems to have been fixed as of 10.2 in an errata.

Have I stumbled upon an actual problem, or have I misconfigured something?

Thanks in advance,
Kamil
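The two translation rules on the [boundary] host above (rdr of inbound tcp/25 to 10.0.0.33, and source NAT of 10.0.0.0/24 to the vtnet0 address) are easier to reason about when traced against concrete packets. The following is an added example, not the poster's code and not pf itself: a small stateful model of those two rules, applied to constructed packets, that also shows why NAT must keep state (replies are un-translated from the state entry, and a second internal host reusing the same source port is moved to a fresh port so its replies can be told apart). The external address 203.0.113.5 and the remote peer 198.51.100.7 are constructed placeholders from the RFC 5737 documentation ranges; the route-to/reply-to rules on the other hops are not modelled.

```python
"""Stateful model of the nat/rdr rules from the [boundary] pf.conf in the post.

Added example, not from the original mail and not pf's own code. It applies
  rdr on $if_ext proto tcp from any to $if_ext port 25 -> 10.0.0.33
  nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
to constructed packets on the external interface and keeps a state table so
that reply packets are reverse-translated the way a stateful NAT does.
"""
import ipaddress
from dataclasses import dataclass, replace

IF_EXT_ADDR = "203.0.113.5"                        # constructed stand-in for ($if_ext:0)
NAT_NETS = [ipaddress.ip_network("10.0.0.0/24")]   # nat on $if_ext from { 10.0.0.0/24 }
RDR_RULES = [("tcp", 25, "10.0.0.33")]             # rdr ... port 25 -> 10.0.0.33


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def _key(pkt):
    """5-tuple of a packet as it appears on the wire."""
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def _reverse_key(pkt):
    """5-tuple of the same flow seen from the opposite direction."""
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


class BoundaryTranslator:
    """nat/rdr on the boundary host's external interface, with state."""

    def __init__(self):
        # translated outbound 5-tuple -> (original src, original sport)
        self.nat_states = {}
        # translated inbound 5-tuple -> original (external) dst
        self.rdr_states = {}
        # fresh source ports for collisions; pf's default range is 50001:65535
        self._ports = iter(range(50001, 65536))

    def inbound(self, pkt):
        """Packet arriving on vtnet0 from the internet."""
        rk = _reverse_key(pkt)
        if rk in self.nat_states:           # reply to a masqueraded flow
            osrc, osport = self.nat_states[rk]
            return replace(pkt, dst=osrc, dport=osport)
        if pkt.dst == IF_EXT_ADDR:          # rdr only matches traffic to $if_ext
            for proto, port, target in RDR_RULES:
                if pkt.proto == proto and pkt.dport == port:
                    xl = replace(pkt, dst=target)
                    self.rdr_states[_key(xl)] = pkt.dst
                    return xl
        return pkt                          # no translation applies

    def outbound(self, pkt):
        """Packet leaving on vtnet0 towards the internet."""
        rk = _reverse_key(pkt)
        if rk in self.rdr_states:           # reply from the rdr target (jail1:25)
            return replace(pkt, src=self.rdr_states[rk])
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in NAT_NETS):
            xl = replace(pkt, src=IF_EXT_ADDR)
            orig = (pkt.src, pkt.sport)
            # Two internal hosts may use the same source port; the translated
            # 5-tuple would then be ambiguous, so allocate a fresh port instead.
            sport = pkt.sport
            while self.nat_states.get(_key(replace(xl, sport=sport)), orig) != orig:
                sport = next(self._ports)
            xl = replace(xl, sport=sport)
            self.nat_states[_key(xl)] = orig
            return xl
        return pkt                          # e.g. boundary's own traffic


if __name__ == "__main__":
    t = BoundaryTranslator()
    # jail1 opens a connection to the internet; reply comes back to the NAT address
    out = t.outbound(Packet("10.0.0.33", 51000, "198.51.100.7", 80))
    print("out:", out)
    print("reply:", t.inbound(Packet("198.51.100.7", 80, IF_EXT_ADDR, out.sport)))
    # a second internal host collides on port 51000 and is moved to 50001
    print("collision:", t.outbound(Packet("10.0.0.44", 51000, "198.51.100.7", 80)))
    # inbound SMTP is redirected to jail1; jail1's reply is rewritten back
    print("rdr:", t.inbound(Packet("198.51.100.7", 40000, IF_EXT_ADDR, 25)))
    print("rdr reply:", t.outbound(Packet("10.0.0.33", 25, "198.51.100.7", 40000)))
```

The model deliberately keeps one state entry per translated 5-tuple and looks replies up by the reversed tuple, which is the property that makes the port-collision case work: after the second host is moved to port 50001, each reply maps back to exactly one internal endpoint.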