Stephane Raimbault wrote:
I finally got around to testing out FreeBSD 5.3 + pf to replace my FreeBSD 4.9 + natd to forward port 80 to multiple backend servers. I see a huge performance difference. FreeBSD 5.3 + pf runs at about < 5% where FreeBSD 4.9 + natd was doing the same thing for around 20% cpu. I'm very happy with the performance difference.

OK, that's good.

During my testing, I noticed that sometimes traffic going through pf was locking up if I was doing too many requests from the same IP concurrently.
[ ... ]
When I look at the pfctl -s state output and grep for the IP address of one of these offices or firewalls, I never see it go above 250 entries. Is there some sort of limitation or limit I'm reaching that I'm not aware of? Is this an anomaly or a bug?

I don't know enough about PF to give you advice on tuning it, but no, it is not surprising that you run into anomalies when you put a sufficiently large # of connections through NAT. Re-writing every packet and keeping all of that dynamic state is somewhat expensive in terms of latency and resources, and these expenses grow in proportion to the amount of traffic present.
I will repeat my suggestion that you use a real IP on your webserver and switch from doing PF + NAT to doing PF or IPFW + bridging instead.

--
-Chuck
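Added example, not from either mail in this thread: a POSIX shell snippet that tallies `pfctl -s state` entries per initiating address, which is the count Stephane is eyeballing with grep. The state lines are constructed and only approximate pf's output layout; the per-source threshold defaults to the 250 figure from the thread.

```shell
#!/bin/sh
# Tally pf state entries per initiating (pre-NAT) IPv4 address.
# The global state cap is "set limit states N" in pf.conf; `pfctl -s memory`
# prints the hard limit in force and `pfctl -s info` the current entry count.

# Constructed sample of `pfctl -s state` output (layout approximated, not a
# capture from a real box). Left side is the local end, "<-" means the remote
# address after the arrow initiated the connection, "->" means the local end did.
SAMPLE_STATES='self tcp 10.0.0.5:80 (203.0.113.10:80) <- 198.51.100.7:40001       ESTABLISHED:ESTABLISHED
self tcp 10.0.0.5:80 (203.0.113.10:80) <- 198.51.100.7:40002       ESTABLISHED:ESTABLISHED
self tcp 10.0.0.5:80 (203.0.113.10:80) <- 198.51.100.7:40003       TIME_WAIT:TIME_WAIT
self tcp 198.51.100.9:40010 -> 203.0.113.10:80       ESTABLISHED:ESTABLISHED
self udp 10.0.0.5:53 <- 198.51.100.9:5353       MULTIPLE:SINGLE'

# Read state lines on stdin, print "count ip" per initiator, busiest first.
states_per_src() {
    awk '
    {
        src = ""
        for (i = 1; i <= NF; i++) {
            # "<-": initiator is the address right after the arrow
            if ($i == "<-") { src = $(i + 1); break }
            # "->": initiator is the first address ($1 is "self"/"all", $2 the proto)
            if ($i == "->") { src = $3; break }
        }
        if (src == "") next
        sub(/:[0-9]+$/, "", src)   # drop the port (IPv4 form only)
        n[src]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Read state lines on stdin, print initiators at or above the threshold in $1.
busy_sources() {
    lim=${1:-250}
    states_per_src | awk -v lim="$lim" '$1 >= lim { print $2 }'
}

# Usage on a live box: pfctl -s state | busy_sources 250
printf '%s\n' "$SAMPLE_STATES" | states_per_src
```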

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
