One problem I do find is that if one IP has 200 ~ 500 states, the user reports timeouts through the NAT.
In my particular situation, I'm forwarding port 80 to a webserver in the NAT environment and the clients are internet users. I don't seem to have this problem when running natd on FreeBSD 4.9, however the load of the NAT box is quite a bit higher (~ 10 times) than running pf on FreeBSD 5.3.
Any suggestions?
Here are my pf rules
# Set pf limits
set limit states 100000
# NAT the internal network
nat on $ext_vip from $web_servers port 80 to any -> ($ext_vip)
nat on $ext_vip from $ssl_servers port 443 to any -> ($ext_vip)
nat on $ext_if from $int_net to any -> ($ext_if)
# Forward ports from external to internal
rdr on $ext_if proto tcp from any to any port 80 -> $web_servers round-robin
rdr on $ext_if proto tcp from any to any port 443 -> $ssl_servers round-robin
# forward ports from internal to internal
rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $web_servers round-robin
rdr on $int_if proto tcp from $int_net to $ext_if port 443 -> $ssl_servers round-robin
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $web_servers port 80 -> $int_if
nat on $int_if proto tcp from $int_net to $ssl_servers port 443 -> $int_if
Thanks, Stephane.
On Monday 22 November 2004 19:29, Pawel Malachowski wrote:
I'm interested in opinions/comparisons of how ipnat and pf perform on FreeBSD 5.x in real working large NAT setups (about 50Mbit/s, a few thousand workstations, 300k mappings or more). Problems noticed, memory and CPU consumption, mbufs utilization etc.
While the state information in pf is slightly larger than that of ipfilter (and thus the memory consumption), pf offers many functionalities that make it the "easier-to-manage" tool. There are also a couple of optimizations in pf that should make it perform better, but only measuring your specific application can tell you which is the better for you. I'd guess that pf can lift the load described above with an average workstation (good NICs and plenty of RAM provided). Note, however, that for CPU consumption packets per second is the important factor. For pf - with its stateful inspection - connection initialization has some meaning as well (once established, passing more traffic through a connection is cheap).
Depending on your application, you might find pf's TABLES which greatly improve management of large IP-sets. There are also many options to fine-tune the number of concurrent states that a (NAT) rule can create. This helps to keep down memory consumption during DDoS attacks. The additional "adaptive timeouts" can also help to manage load peaks.
That is comparing pf 3.5 (what is in RELENG_5) with ipfilter 3.x (also in RELENG_5). ipfilter 4.x has gained some, but isn't included in FreeBSD.
-- 
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
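As an added illustration, not part of either message in this thread, here is a pf.conf fragment showing the three pf 3.5 features Max refers to (tables, per-source state limits, adaptive timeouts) applied to the port-forwarding setup from Stephane's rules. The macro and table names follow his post; the interface names and addresses are constructed, and the per-source caps are assumed example values that would need tuning per site.

```pf
# Macros (names as in the original rules; interfaces and nets are constructed)
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.10.0/24"

# Tables: large IP sets matched cheaply and editable at runtime with pfctl -t
table <web_servers> { 192.168.10.10, 192.168.10.11 }
table <ssl_servers> { 192.168.10.20, 192.168.10.21 }

# Global state ceiling, plus adaptive timeouts: once the state count passes
# adaptive.start (60% of the limit) idle-state lifetimes shrink linearly,
# reaching zero at adaptive.end, so a flood ages out old states instead of
# exhausting the table.
set limit states 100000
set timeout { adaptive.start 60000, adaptive.end 120000 }

# Translation: the rdr targets use the tables with the round-robin pool
rdr on $ext_if proto tcp from any to any port 80  -> <web_servers> round-robin
rdr on $ext_if proto tcp from any to any port 443 -> <ssl_servers> round-robin
nat on $ext_if from $int_net to any -> ($ext_if)

# Filter rules: per-source caps are state options on the pass rule, not on
# nat/rdr. max-src-nodes caps how many distinct source IPs this rule tracks;
# max-src-states caps concurrent states per source IP. Keep max-src-states
# well above what a legitimate busy source (e.g. a large proxy) opens, or
# its excess connections will stall in the way the thread describes.
# (No block rules here, so the default pass policy still applies elsewhere.)
pass in on $ext_if proto tcp from any to <web_servers> port 80  flags S/SA keep state (max-src-nodes 50000, max-src-states 500)
pass in on $ext_if proto tcp from any to <ssl_servers> port 443 flags S/SA keep state (max-src-nodes 50000, max-src-states 500)
```

Load the fragment with pfctl -nf to syntax-check it first, and watch `pfctl -si` (state table counters) to see when the adaptive range is entered.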
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"