During my testing, I noticed that sometimes traffic going through pf was locking up if I was doing too many requests from the same IP concurrently.
I was running ab from one machine with 50 concurrent and 50000 total requests. It seemed to lock up after hitting 500 requests. So I ran ab from 6 different machines with < 500 requests and my tests revealed positive results. I have put this solution into production; however, this problem seems to plague me again. Apparently people behind firewalls are running into this problem, as multiple users from an office try to connect to the site.
When I look at pfctl -s state and grep for the IP address of one of these offices or firewalls, I never see it go above 250 entries. Is there some sort of limitation or limit I'm reaching that I'm not aware of? Is this an anomaly or a bug?
Otherwise it seems like the system is running quite well and I am very pleased.
Thank you for your suggestion to use pf, Stephane.
From: Chuck Swiger <[EMAIL PROTECTED]>
To: Stephane Raimbault <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: using natd to load balance port 80 to multiple servers
Date: Sat, 23 Oct 2004 12:11:41 -0400
Stephane Raimbault wrote: I'm currently using a FreeBSD box running natd to forward port 80 to several (5) web servers on private IPs.
OK.
I have discovered that natd doesn't handle many requests/second all that well (it seems to choke at about 200 req/second (educated guess)).
Let's take that number as being right, although the first consideration when doing performance tuning is that you need to measure things accurately enough that you can see whether a change makes a meaningful difference.
There are plenty of tools available in the ports tree, although you could start with "ab" from apache.
Next, you ought to read "man tuning" and look into adjusting HZ, NMBCLUSTERS in your kernel config, using any hardware support for your NICs (-link0 option) or try using device polling.
You should probably investigate the net.inet sysctls, particularly those controlling retransmit time intervals net.inet.tcp.rexmit_min and the keepalive and net.inet.ip.fw.dyn*lifetime tunables.
There are other packet filtering options on FreeBSD and I wonder if I can use them to do what I'm trying to do with natd.
It's true that natd runs in userspace, which creates more overhead, so using PF instead might be worth doing, sure.
Would someone be able to point me to documentation or help me have either ipf/ipfw/pf forward port 80 traffic to private space IPs?
Consider http://www.openbsd.org/faq/pf/index.html
Is there a better way of splitting port 80 traffic across multiple webservers that has eluded me? Other than a commercial content switch, that is :)
Oh, sure.
The most obvious solution to the problem is to give all of the servers real IPs and use some other form of balancing (DNS round-robin, or splitting the content somehow [static vs dynamically generated?]), and avoid dealing with NAT altogether.
-- -Chuck
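For the pf route Chuck points to, here is an added example pf.conf (not from this thread) showing a round-robin rdr of port 80 to a private web pool together with the state-table tunables worth checking when connections stall under load; the interface names, addresses and the chosen limits are assumptions.

```pf
# Added example, not from the thread. Interfaces, addresses and limits are assumed values.
ext_if = "em0"
int_if = "em1"
web_servers = "{ 10.0.0.11, 10.0.0.12, 10.0.0.13, 10.0.0.14, 10.0.0.15 }"

# The default state-table ceiling (10000 states) is easy to exhaust when a load
# generator such as ab opens many short-lived HTTP connections: finished
# connections keep occupying state entries until their timeout expires.
set limit { states 100000, src-nodes 20000 }

# Recycle finished TCP states faster so the table drains under load.
set timeout { tcp.finwait 15, tcp.closed 10 }

# Spread inbound port 80 across the pool. sticky-address pins a client IP to one
# backend (needs src-node tracking, hence the src-nodes limit above); drop it if
# you want one office or one ab client spread over all five servers.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_servers round-robin sticky-address

# Only allow new connections on the initial SYN, and track them statefully.
pass in on $ext_if proto tcp from any to $web_servers port 80 flags S/SA keep state
pass out on $int_if proto tcp from any to $web_servers port 80 keep state
```

`pfctl -si` shows the current number of state entries against the configured limit and a `memory` counter that climbs whenever pf refuses to create a state because a limit was hit, which is the first thing to check when a flood from one source appears to lock up. `pfctl -s state | grep <office IP> | wc -l` counts the entries for a single source, as in the test above.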
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"