Hi everyone,

I had the same problem: when it reached 30000 connections, the server balked, with some timeouts and other strange behavior.

Below is the excerpt of code that I modified in /usr/src/sys/contrib/ipfilter/netinet/ip_nat.h:

#ifndef NAT_TABLE_MAX
# ifdef LARGE_NAT
#  define NAT_TABLE_MAX 180000
# else
#  define NAT_TABLE_MAX 100000 /* was 30000 */
# endif
#endif
#ifndef NAT_TABLE_SZ
# ifdef LARGE_NAT
#  define NAT_TABLE_SZ 16383 /* was half that */
# else
#  define NAT_TABLE_SZ 2047
# endif
#endif
#ifndef APR_LABELLEN
#define APR_LABELLEN 16
#endif
#define NAT_HW_CKSUM 0x80000000

Hope this helps.

Regards,
Paulo Coimbra
IPZERO Informática

>
> Everyone,
>
> I have been running into some problems with NAT related to the large
> amount of NAT on my network. Mainly with MSN authentication,
> apparently from behind the same public IP.
> On my network I have around 2000 machines, where I use an average of
> 1 public IP per 50 workstations, using something like this:
>
> map xl0 192.168.10.0/24 -> 200.200.200.132/32 proxy port ftp ftp/tcp
> map xl0 192.168.10.0/24 -> 200.200.200.132/32 portmap tcp/udp auto
> map xl0 192.168.10.0/24 -> 200.200.200.132/32
>
>
> server01# ipnat -s
> mapped in 86375104 out 91318147
> added 7872766 expired 0
> no memory 0 bad nat 4169
> inuse 21239
> rules 163
> wilds 0
> server01#
>
>
> I have already enabled LARGE_NAT in
> /usr/src/sys/contrib/ipfilter/netinet/ip_nat.h
>
>
> #define LARGE_NAT /* define this if you're setting up a system to NAT
>                    * LARGE numbers of networks/hosts - i.e. in the
>                    * hundreds or thousands. In such a case, you should
>                    * also change the RDR_SIZE and NAT_SIZE below to more
>                    * appropriate sizes. The figures below were used for
>                    * a setup with 1000-2000 networks to NAT.
>                    */
>
>
> Changing it from undef to define.
> Performance improved a lot:
>
> server01# ipf -T list
> fr_flags min 0 max 0xffffffff current 0
> fr_active min 0 max 0 current 0
> fr_control_forwarding min 0 max 0x1 current 0
> fr_update_ipid min 0 max 0x1 current 0
> fr_chksrc min 0 max 0x1 current 0
> fr_minttl min 0 max 0x1 current 4
> fr_icmpminfragmtu min 0 max 0x1 current 68
> fr_pass min 0 max 0xffffffff current 134217730
> fr_tcpidletimeout min 0x1 max 0x7fffffff current 864000
> fr_tcpclosewait min 0x1 max 0x7fffffff current 480
> fr_tcplastack min 0x1 max 0x7fffffff current 480
> fr_tcptimeout min 0x1 max 0x7fffffff current 480
> fr_tcpclosed min 0x1 max 0x7fffffff current 120
> fr_tcphalfclosed min 0x1 max 0x7fffffff current 14400
> fr_udptimeout min 0x1 max 0x7fffffff current 240
> fr_udpacktimeout min 0x1 max 0x7fffffff current 24
> fr_icmptimeout min 0x1 max 0x7fffffff current 120
> fr_icmpacktimeout min 0x1 max 0x7fffffff current 12
> fr_iptimeout min 0x1 max 0x7fffffff current 120
> fr_statemax min 0x1 max 0x7fffffff current 4013
> fr_statesize min 0x1 max 0x7fffffff current 5737
> fr_state_lock min 0 max 0x1 current 0
> fr_state_maxbucket min 0x1 max 0x7fffffff current 26
> fr_state_maxbucket_reset min 0 max 0x1 current 1
> ipstate_logging min 0 max 0x1 current 0
> fr_nat_lock min 0 max 0x1 current 0
> ipf_nattable_sz min 0x1 max 0x7fffffff current 16383
> ipf_nattable_max min 0x1 max 0x7fffffff current 180000
> ipf_natrules_sz min 0x1 max 0x7fffffff current 2047
> ipf_rdrrules_sz min 0x1 max 0x7fffffff current 2047
> ipf_hostmap_sz min 0x1 max 0x7fffffff current 8191
> fr_nat_maxbucket min 0x1 max 0x7fffffff current 28
> fr_nat_maxbucket_reset min 0 max 0x1 current 1
> nat_logging min 0 max 0x1 current 0
> fr_defnatage min 0x1 max 0x7fffffff current 1200
> fr_defnatipage min 0x1 max 0x7fffffff current 120
> fr_defnaticmpage min 0x1 max 0x7fffffff current 6
> ipfr_size min 0x1 max 0x7fffffff current 257
> fr_ipfrttl min 0x1 max 0x7fffffff current 120
> ippr_ftp_debug min 0 max 0xa current 0
> server01#
>
>
>
> But I still run into this MSN problem. Does anyone know any more
> advanced tricks?
>
>
> --
> .:Best regards:.
>
> <<< Jonatas M. Victor >>>
> [EMAIL PROTECTED]
> UIN: 138431258
> MSN: [EMAIL PROTECTED]
> BSD User: BSD051240
> Linux User: #278922
> http://www.vetorial.net
>
> -------------------------
> Archive: http://www.fug.com.br/historico/html/freebsd/
> Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
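
The thread raises NAT_TABLE_MAX after the server started failing near 30000 entries; the check below compares `inuse` from `ipnat -s` with `ipf_nattable_max` from `ipf -T list` to show how close a box is to that ceiling. It is an added example, not part of the original messages: the function name `nat_headroom`, the default 80% threshold and treating a non-zero `no memory` counter as a warning are assumptions, and the sample text is constructed from the figures quoted in the thread.

```shell
#!/bin/sh
# Added example: NAT table headroom check for IPFilter (not from the thread).
# Sample inputs are constructed from the output quoted in the messages above.
SAMPLE_IPNAT='mapped in 86375104 out 91318147
added 7872766 expired 0
no memory 0 bad nat 4169
inuse 21239
rules 163
wilds 0'

SAMPLE_TUNABLES='ipf_nattable_sz min 0x1 max 0x7fffffff current 16383
ipf_nattable_max min 0x1 max 0x7fffffff current 180000'

# nat_headroom IPNAT_S_TEXT IPF_T_LIST_TEXT [WARN_PERCENT]
# Prints "STATUS inuse=N max=M pct=P nomem=K".
# Returns 0 for OK, 1 for WARN, 2 when the input cannot be parsed.
nat_headroom() {
    warn=${3:-80}   # hypothetical default threshold, in percent
    inuse=$(printf '%s\n' "$1" | awk '$1 == "inuse" { print $2; exit }')
    nomem=$(printf '%s\n' "$1" | awk '$1 == "no" && $2 == "memory" { print $3; exit }')
    max=$(printf '%s\n' "$2" | awk '$1 == "ipf_nattable_max" { print $NF; exit }')

    # Every value must be a non-empty decimal number before doing arithmetic.
    for v in "$inuse" "$nomem" "$max"; do
        case "$v" in
            ''|*[!0-9]*) echo "UNKNOWN could not parse input"; return 2 ;;
        esac
    done
    [ "$max" -gt 0 ] || { echo "UNKNOWN ipf_nattable_max is zero"; return 2; }

    pct=$(( inuse * 100 / max ))
    status=OK
    # Assumption: a non-zero "no memory" counter means entries failed to allocate.
    if [ "$pct" -ge "$warn" ] || [ "$nomem" -gt 0 ]; then
        status=WARN
    fi
    echo "$status inuse=$inuse max=$max pct=$pct nomem=$nomem"
    [ "$status" = OK ]
}

# Demo on the constructed sample. On a live host the call would be:
#   nat_headroom "$(ipnat -s)" "$(ipf -T list)"
nat_headroom "$SAMPLE_IPNAT" "$SAMPLE_TUNABLES"
```

Run from cron or a monitoring agent, the non-zero exit status on WARN gives notice before the table fills and new translations start failing.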