Date: Thu, 31 Aug 2017 13:01:43 +0300 From: "Andrey V. Elsukov" <bu7cher@yandex.ru> To: Graham Menhennitt <graham@menhennitt.com.au>, freebsd-ipfw@freebsd.org Subject: Re: ipfw kernel NAT performance much worse in 11-Stable than 10-Stable Message-ID: <ee7cbcc1-bb7a-02cc-fb73-247441b5935b@yandex.ru> In-Reply-To: <ca7be746-ff34-b7d6-1cae-02246066c83d@menhennitt.com.au> References: <ca7be746-ff34-b7d6-1cae-02246066c83d@menhennitt.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --r4FUPnAEhXLAlnLv6E7XOGH8xCDOrltab Content-Type: multipart/mixed; boundary="hbIqiIrExfMgihIbAfvQxsujbn9oxOKM7"; protected-headers="v1" From: "Andrey V. Elsukov" <bu7cher@yandex.ru> To: Graham Menhennitt <graham@menhennitt.com.au>, freebsd-ipfw@freebsd.org Message-ID: <ee7cbcc1-bb7a-02cc-fb73-247441b5935b@yandex.ru> Subject: Re: ipfw kernel NAT performance much worse in 11-Stable than 10-Stable References: <ca7be746-ff34-b7d6-1cae-02246066c83d@menhennitt.com.au> In-Reply-To: <ca7be746-ff34-b7d6-1cae-02246066c83d@menhennitt.com.au> --hbIqiIrExfMgihIbAfvQxsujbn9oxOKM7 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 29.08.2017 12:33, Graham Menhennitt wrote: > However, the performance on the 11-Stable box is much worse. For file > transfers I get about 1/10th the speed. Incoming TLS connections often > fail to establish. Looking (from outside the box) at the interface in > Wireshark shows lots of packets being retransmitted. >=20 > This appears to be due to the NAT rule. If I remove that, the > performance jumps up to be approximately the same as the 10-Stable box.= > The rules are pretty simple: > nat 1 config if igb1 deny_in same_ports redirect_port udp > XXX.XXX.XXX.XXX:YYYY YYYY > nat 1 ip4 from any to any via igb1 >=20 > I can provide the full set of rules if needed, but I think only those > two lines are relevant. >=20 > Does anybody please have any ideas on this, please? Can you show the output of `ifconfig igb1 | grep flags` on stable/10 and stable/11? --=20 WBR, Andrey V. Elsukov --hbIqiIrExfMgihIbAfvQxsujbn9oxOKM7-- --r4FUPnAEhXLAlnLv6E7XOGH8xCDOrltab Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEzBAEBCAAdFiEE5lkeG0HaFRbwybwAAcXqBBDIoXoFAlmn3ocACgkQAcXqBBDI oXolXQgAqDqR0ZYF98z8E8mFCKxnBWyn7YzSbDkuWuy/2Fk+7F+tlACQaWnuZcoY s/K3pbAWVochDXjobDPN1XQT/kdGtaVV8xv3xVHhKafj6UIyTueX6Ez2FEnrFi7U Ukdi3RwhkM07Nsb9+hSSNljmPkdhpioCWKWqCRSE5DEXm+k4sO69cayxI9YKHord M5g0n1/kh2RS06xyXYI0sXylMXPxqSDZZAP+elkL3gO6uUMCkzZzDcqYWASCC9ur GY+NXxqbqyXY1aJAPP6rLcQUNh4YRoTQ5z4POOD9QjzhmnxPV5CZPdhlba98UXYV 4y45Ti0fvO+qeGqqjEpWJiVfIwZddw== =xh9L -----END PGP SIGNATURE----- --r4FUPnAEhXLAlnLv6E7XOGH8xCDOrltab--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ee7cbcc1-bb7a-02cc-fb73-247441b5935b>