Re: significantly slow IPFW + NATD + amd64
Peter Reo Molnar wrote:
> Hello, I tried setup NAT with IPFW, compiled my kernel and I found that there is very slow connection. After I disabled NAT and IPFW then speed was increased.
>
> 64-bit FreeBSD 9-CURRENT :
> With IPFW: 1.2 MB/sec
> Without IPFW: 33 MB/sec
>
> my ipfw work with i386 (stable) without speed decreasing:
>
> fw.test.conf:
> -f flush
> add 00050 divert 8668 ip4 from any to any via re0
> add 00100 allow ip from any to any via lo0
> add 00200 deny ip from any to 127.0.0.0/8
> add 00300 deny ip from 127.0.0.0/8 to any

This looks like you're using the old style NAT - divert to userland. That has always performed poorly. Perhaps not as poorly as this though. How much CPU is natd consuming?

Have you considered using in-kernel NAT? See the 'NETWORK ADDRESS TRANSLATION' section in the ipfw manual. It's worth a try.

Ian
--
Ian Freislich
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
Re: significantly slow IPFW + NATD + amd64
Ian FREISLICH wrote:
> Peter Reo Molnar wrote:
> > Hello, I tried setup NAT with IPFW, compiled my kernel and I found that there is very slow connection. After I disabled NAT and IPFW then speed was increased.
> >
> > 64-bit FreeBSD 9-CURRENT :
> > With IPFW: 1.2 MB/sec
> > Without IPFW: 33 MB/sec
> >
> > my ipfw work with i386 (stable) without speed decreasing:
> >
> > fw.test.conf:
> > -f flush
> > add 00050 divert 8668 ip4 from any to any via re0
> > add 00100 allow ip from any to any via lo0
> > add 00200 deny ip from any to 127.0.0.0/8
> > add 00300 deny ip from 127.0.0.0/8 to any
>
> This looks like you're using the old style NAT - divert to userland. That has always performed poorly. Perhaps not as poorly as this though. How much CPU is natd consuming?
>
> Have you considered using in-kernel NAT? See the 'NETWORK ADDRESS TRANSLATION' section in the ipfw manual. It's worth a try.

i never managed to figure out how to convert my pppoe nat config to ipfw natting.

foo:
 set device PPPoE:vr0
 set MTU 1454
 accept CHAP
 enable lqr
 add default HISADDR
 nat enable yes
 nat port tcp 192.168.0.33:51332 51332
 nat port udp 192.168.0.33:51332 51332
 set authname blogovitch
 set authkey vitchoblog

loop:
 set log phase chat connect lcp ipcp command
 set device localhost:pptp
 set dial
 set login
 set ifaddr 192.168.0.200 192.168.0.201 255.255.255.255

clue bat solicited

randy
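Added example, not from any poster in this thread: Peter's fw.test.conf with the natd divert rule replaced by the in-kernel NAT that Ian points to, plus the two port forwards from Randy's ppp.conf written as redirect_port entries. It assumes ipfw_nat is loaded (or the kernel is built with options IPFIREWALL_NAT and LIBALIAS); for Randy's PPPoE setup the outside interface would be ppp's tun device instead of re0, and "nat enable yes" and the "nat port" lines would come out of ppp.conf.

```conf
# Constructed example in the same ruleset-file format as fw.test.conf
# (loaded with: ipfw /path/to/this/file).
-f flush

# In-kernel NAT instance 1 on the outside interface.
#   if re0      alias to re0's address and follow it when it changes
#   reset       clear the aliasing table when that address changes
#   same_ports  try to keep the original source port
# The redirect_port entries correspond to ppp's
#   nat port tcp 192.168.0.33:51332 51332
#   nat port udp 192.168.0.33:51332 51332
# deny_in is deliberately not set: it would also drop new inbound
# connections to the firewall host itself.
nat 1 config if re0 reset same_ports redirect_port tcp 192.168.0.33:51332 51332 redirect_port udp 192.168.0.33:51332 51332

# Replaces: add 00050 divert 8668 ip4 from any to any via re0
add 00050 nat 1 ip4 from any to any via re0

# Unchanged from fw.test.conf.
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any

# With the default net.inet.ip.fw.one_pass=1 an ip4 packet leaves the
# ruleset as soon as rule 50 has translated it, so rules 100-300 never
# see traffic via re0. Set the sysctl to 0 to have translated packets
# continue at the next rule, which is how packets reinjected by natd
# behaved.
```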
Re: significantly slow IPFW + NATD + amd64
On 06.09.2010 at 13:08, Randy Bush wrote:
> i never managed to figure out how to convert my pppoe nat config to ipfw natting.

I did not see a significant improvement going from ppp(8)+9 and ipfw to ppp(8) and pf+nat. Since ppp(8) already incurs the kernel/userland cost, having it handle NAT on top does not increase latency.

I've recently switched to mpd (and pf), and things feel snappier. I haven't benchmarked it though, and my router box is rather oversized for the task anyway (C2D). Friends using a Soekris swear that it helps a lot though.

The switchover is fairly painless, and the excellent mpd manual helps a lot. Using one of the many examples, I managed to set up the mpd.conf rather quickly; the only real adaptation was in the up and down scripts I was using (my ISP kicks the connection every 24 hours, and I get a new IP, so I like to bounce a couple of things when the connection comes up again.)

Stefan
--
Stefan Bethke s...@lassitu.de Fon +49 151 14070811

mpd.conf:

#
# Default configuration is dialup

default:
	load hansenet

hansenet:
#
# PPPoE client: only outgoing calls, auto reconnect,
# ipcp-negotiated address, one-sided authentication,
# default route points on ISP's end
#
	create bundle static hansenet
	#set bundle yes ipv6cp
	set iface route default
	set iface up-script /etc/ppp/hansenet.up
	set iface down-script /etc/ppp/hansenet.down
	set iface enable tcpmssfix
	create link static hansenet pppoe
	set pppoe iface vlan2
	set pppoe service
	set link action bundle hansenet
	set link max-redial 0
	set link keep-alive 10 60
	set auth authname 04012345678
	#set auth password MyPass
	set ipcp ranges 0.0.0.0/0 0.0.0.0/0
	open

My old ppp.conf:

hansenet:
 set device PPPoE:vlan2:
 set mru 1492
 set mtu 1492
 set speed sync
 enable lqr
 enable echo
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 set authname 04012345678
 add default HISADDR
Re: significantly slow IPFW + NATD + amd64
Randy Bush wrote:
> Ian FREISLICH wrote:
> > Peter Reo Molnar wrote:
> > > Hello, I tried setup NAT with IPFW, compiled my kernel and I found that there is very slow connection. After I disabled NAT and IPFW then speed was increased.
> > >
> > > 64-bit FreeBSD 9-CURRENT :
> > > With IPFW: 1.2 MB/sec
> > > Without IPFW: 33 MB/sec
> > >
> > > my ipfw work with i386 (stable) without speed decreasing:
> > >
> > > fw.test.conf:
> > > -f flush
> > > add 00050 divert 8668 ip4 from any to any via re0
> > > add 00100 allow ip from any to any via lo0
> > > add 00200 deny ip from any to 127.0.0.0/8
> > > add 00300 deny ip from 127.0.0.0/8 to any
> >
> > This looks like you're using the old style NAT - divert to userland. That has always performed poorly. Perhaps not as poorly as this though. How much CPU is natd consuming?
> >
> > Have you considered using in-kernel NAT? See the 'NETWORK ADDRESS TRANSLATION' section in the ipfw manual. It's worth a try.
>
> i never managed to figure out how to convert my pppoe nat config to ipfw natting.
>
> foo:
>  set device PPPoE:vr0
>  set MTU 1454
>  accept CHAP
>  enable lqr
>  add default HISADDR
>  nat enable yes
>  nat port tcp 192.168.0.33:51332 51332
>  nat port udp 192.168.0.33:51332 51332
>  set authname blogovitch
>  set authkey vitchoblog
>
> loop:
>  set log phase chat connect lcp ipcp command
>  set device localhost:pptp
>  set dial
>  set login
>  set ifaddr 192.168.0.200 192.168.0.201 255.255.255.255
>
> clue bat solicited

I should have prefaced this with "last used ipfw in 2005". One of the reasons for this was poor NAT performance because of all the kernel-user and back again copies.

I've always done it your way for 2 reasons:

1. In this country, PPPoE means you're using ADSL or some broadband connection, and you can't get them fast enough that filling your line will use more than 1% CPU doing NAT in userland.

2. The broadband in this country assigns a dynamic IP address and until recently reset the connection every 24h, so your NAT had to be aware of these changes and restart itself.
You can use the ppp.linkup and ppp.linkdown files to make scripts for your ppp profiles to add and delete NAT rules and restart natd. For instance I used to run a PPP over UDP tunnel over my PPPoE connection to get a static IP address at home. The ppp profile that was always on was called adsl. I had a separate profile called tunnel that would start only when the adsl profile had link:

ppp.linkup
---
adsl:
 ! sh -c "pppctl -p pass 127.0.0.1:3001 quit all; sleep 30; /usr/sbin/ppp -unit 1 -quiet -ddial tunnel"
---

ppp.linkdown
---
[brane] /etc/ppp # cat ppp.linkdown
adsl:
 ! sh -c "pppctl -p pass 127.0.0.1:3001 quit all"
---

I'm sure you could coax these scripts to do what you want, but unless you have more than 50mbps I doubt it's worth the effort.

pf just makes so much more sense for NAT, but it suffers the same static addressing problem:

nat on vlan2 from { 41.154.7.0/24 } -> 41.161.16.1

Ian
--
Ian Freislich
Re: significantly slow IPFW + NATD + amd64
> I'm sure you could coax these scripts to do what you want, but unless you have more than 50mbps I doubt it's worth the effort.

i live in a first world country. 100/100 for 3250yen/mo (that's about 35usd).

randy