On Fri, 11 May 2007, Todor Dragnev wrote:

Hello list,

I have about 4000 users behind NAT. I use ipnat (ipf) on a single FreeBSD box
(v6.2) to translate RFC1918 IP addresses to real ones.

All works fine, but my CPU usage is very high and the router starts to drop
packets and sometimes freezes.
I fixed the freeze problem with POLLING, but CPU usage is still very high.

Throughput on one interface is about 200Mbit/s, but next month I will need
more speed to pass through this box and I am looking for a better solution.

What is the throughput limit what I can expect from FreeBSD in this

Does anyone on the list have experience with large NAT tables?
It is time to switch to Cisco or something similar - any suggestions?

There is a comparison of ip-filter and packet filter here


Rather old now, but as I understand, pf does a better job when tables grow large when filtering is stateful.

Cheers, Erik

