Hey freebsd-pf: 

I'm on FreeBSD 10.3-RELEASE, and attempting to route all traffic from jail1 to the internet out of router.vtnet0 using PF. It *works*, but not well: boundary's NAT tops out at a blistering 20KBps on a 100Mbps internet connection.

Here's the topology I'm working with: 

client1.tap0  <--1--> tap1.intermediate1.tap0  <--2--> tap0.boundary.vtnet0 -> internet
       .vtnet0-->internet               .vtnet0--> internet
       .vlan0
          |
          +--> jail1 (10.0.0.33)

There are layers of PF firewalls; stripped of all nonsense, here are their pf.confs:

[client1]
if_ext = "vtnet0"
set skip on lo0
scrub in
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all
pass in quick on tap0 reply-to (tap0 192.168.53.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap0 192.168.53.1) from 10.0.0.0/24 to any keep state (floating)

[intermediate]
if_ext = "vtnet0"
set skip on lo0
scrub in
pass in all
pass out all
pass in quick on tap1 reply-to (tap1 192.168.2.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap1 192.168.2.1) from 10.0.0.0/24 to any keep state (floating)

[boundary]
if_ext = "vtnet0"
set skip on lo0
scrub in
rdr on $if_ext proto tcp from any to $if_ext port 25 -> 10.0.0.33
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all

Diagnostics: 

iperf from jail1 to boundary.tap0 is about 50-60Mbps, so I am ruling out configuration issues on Links 1 and 2.

All hosts can ping everyone, and ping packets to the internet from jail1 go out the door to the internet from boundary1. It looks, therefore, like routing is set up correctly as well on all the hosts.

All of these hosts are virtualized on Vultr (haven't tried on DO or EC2). 

Links 1 and 2 are OpenVPN connections, FWIW.

I've seen some mention of checksum issues on NAT limiting performance, but that seems to have been fixed as of 10.2 in an errata. Have I stumbled upon an actual problem, or have I misconfigured something?

Thanks in advance, 
Kamil
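A diagnostic helper, added here as an example and not part of Kamil's post or of the pf project: it parses ifconfig(8) and `pfctl -si` output for the two things that most often sit behind a pf NAT box crawling at tens of KB/s on a virtualized FreeBSD host, virtio offload features (checksum/TSO/LRO) still enabled on the NAT interface, and pf counters such as proto-cksum (the checksum problem the post mentions) or state-mismatch climbing. The ifconfig and pfctl text below is constructed sample output; the interface name vtnet0 comes from the post's topology; the `ifconfig ... -rxcsum -txcsum -tso -lro` remedy it suggests is the usual first thing to try on vtnet(4), not something the post confirms fixed this case.

```shell
#!/bin/sh
# pfnat-diag.sh: added diagnostic helper (not from the original post).
# Looks for the usual causes of slow pf NAT on a virtualized FreeBSD host:
#   1. vtnet(4) checksum/TSO/LRO offload left enabled on the NAT interface
#   2. pf counters (pfctl -si) showing checksum or state-tracking failures
# Interface names follow the post's topology; sample outputs are constructed.

# Print the offload features, from an ifconfig(8) output block, that most
# often interfere with pf NAT on virtio interfaces (IPv4 checksum, TSO, LRO).
offload_enabled() {
    # $1: full text of `ifconfig <if>`
    printf '%s\n' "$1" \
        | sed -n 's/.*options=[0-9a-fA-F]*<\(.*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -E '^(RXCSUM|TXCSUM|TSO4|TSO6|LRO)$' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Print "counter value" for the pf counters that explain slow or failing NAT
# when nonzero: proto-cksum (bad checksums), state-mismatch, and the
# fragment/memory/limit counters.
pf_suspect_counters() {
    # $1: full text of `pfctl -si`
    printf '%s\n' "$1" | awk '$1 ~ /^(proto-cksum|state-mismatch|bad-offset|fragment|short|memory|state-limit)$/ && $2 + 0 > 0 { print $1, $2 }'
}

# Constructed sample: a vtnet0 with everything offloaded (a common KVM default).
SAMPLE_IFCONFIG='vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255'

# Constructed sample: the same interface after offload has been turned off.
SAMPLE_IFCONFIG_CLEAN='vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80038<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,LINKSTATE>
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255'

# Constructed sample of `pfctl -si` with checksum and state errors piling up.
SAMPLE_PFCTL='Status: Enabled for 3 days 02:11:47           Debug: Urgent

State Table                          Total             Rate
  current entries                      412
  searches                        19834521         76.2/s
  inserts                           221904          0.9/s
  removals                          221492          0.9/s
Counters
  match                             401233          1.5/s
  bad-offset                             0          0.0/s
  fragment                               0          0.0/s
  short                                  0          0.0/s
  normalize                              0          0.0/s
  memory                                 0          0.0/s
  bad-timestamp                          0          0.0/s
  congestion                             0          0.0/s
  ip-option                              0          0.0/s
  proto-cksum                        18340          0.1/s
  state-mismatch                       932          0.0/s
  state-insert                           0          0.0/s
  state-limit                            0          0.0/s
  src-limit                              0          0.0/s
  synproxy                               0          0.0/s'

# Live mode (run as root on the NAT host, e.g. boundary): inspect the real
# interfaces and counters, and suggest the usual remedy where offload is on.
run_live_checks() {
    for ifn in "$@"; do
        on=$(offload_enabled "$(ifconfig "$ifn")")
        if [ -n "$on" ]; then
            printf '%s: offload enabled (%s); test with: ifconfig %s -rxcsum -txcsum -tso -lro\n' \
                "$ifn" "$on" "$ifn"
        else
            printf '%s: no offload features of concern\n' "$ifn"
        fi
    done
    printf 'pf counters worth a look:\n'
    pf_suspect_counters "$(pfctl -si)"
}

case "${1:-}" in
    --live)
        shift
        [ $# -gt 0 ] || set -- vtnet0
        run_live_checks "$@"
        ;;
    *)
        # Offline demo over the constructed samples.
        printf 'offload on sample vtnet0: %s\n' "$(offload_enabled "$SAMPLE_IFCONFIG")"
        printf 'offload after disabling:  [%s]\n' "$(offload_enabled "$SAMPLE_IFCONFIG_CLEAN")"
        printf 'suspect pf counters:\n'
        pf_suspect_counters "$SAMPLE_PFCTL"
        ;;
esac
```

`sh pfnat-diag.sh` runs the offline demo over the samples; `sh pfnat-diag.sh --live vtnet0 tap0` on boundary inspects the real NAT and tunnel interfaces. Disabling offload moves checksum work onto the CPU, so measure with iperf through the NAT before and after rather than assuming it helped, and if proto-cksum keeps climbing with offload off, the checksum problem is upstream of the interface (tunnel or hypervisor) rather than in pf. Separately, when the stripped `pass in all` on boundary's $if_ext is fleshed out, pair the port 25 rdr with a pass rule for that port only rather than leaving the external interface open.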
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf