From: Ian Smith
To: Soren Dreijer
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 13 Sep 2012 22:41:56 +1000 (EST)
Subject: Re: Significant network latency when using ipfw and in-kernel NAT
Message-ID: <20120913221758.E51539@sola.nimnet.asn.au>

On Wed, 12 Sep 2012 23:09:27 -0500, Soren Dreijer wrote:
> Hi there,
>
> We're running FreeBSD 9.0-RELEASE on a box whose primary purpose is to
> act as a firewall and a gateway. Up until today, we've been using ipfw
> in conjunction with natd and the divert action in ipfw to forward
> packets between the FreeBSD box (i.e. the public Internet) and our
> private servers.
>
> Unfortunately, natd appears to be quite the CPU hog and we therefore
> decided to switch to the in-kernel NAT support in ipfw. The issue
> we're running into is that the network latency appears to be
> skyrocketing when ipfw contains nat rules. Basically all TCP traffic
> originating from the box times out and pinging google.com on the box
> gives an average of ~10 SECONDS -- and that's even if I explicitly
> allow all ICMP traffic before the packets even get to the nat rules in
> ipfw.
>
> The really odd part, however, is that I can ping the FreeBSD box just
> fine externally. For instance, pinging the server from my home
> connection gives an average of 45 ms. I'm also able to communicate
> just fine with the internal servers through the FreeBSD box.
>
> Does anybody have any idea what's going on? I assume I must've
> misconfigured something big here...

Or maybe only something small .. but without seeing your basic ruleset
and network config - obscured as need be - we can only guess.

Maybe an 'ifconfig', 'ipfw show' and 'ipfw nat show config' would
illustrate?

cheers, Ian
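Ian asks for the output of 'ifconfig', 'ipfw show' and 'ipfw nat show config', obscured as needed before it goes to the list. The script below is an added example, not something posted in this thread: it gathers those three outputs on a FreeBSD gateway and masks the last two octets of every IPv4 address outside the loopback and RFC 1918 ranges, so the ruleset structure survives while the box's public addresses do not. It assumes root privileges and a loaded ipfw for the 'collect' mode, and only POSIX awk for the filter; the decision to leave 10/8, 127/8, 172.16/12 and 192.168/16 readable is my own choice, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread): gather the ipfw/NAT state Ian asked for
# and obscure public IPv4 addresses so the output can be posted to the list.
# Assumes FreeBSD with ipfw loaded and root privileges for the 'collect' mode.

# Mask the last two octets of every IPv4 address that is not loopback or
# RFC 1918 private space (assumption: those ranges are safe to leave readable).
# Reads stdin, writes stdout. Uses only POSIX awk (match/RSTART/RLENGTH), so it
# works with FreeBSD's base-system awk as well as gawk/mawk.
obscure_ips() {
    awk '
    function private(a, b) {
        return a == 10 || a == 127 || (a == 192 && b == 168) ||
               (a == 172 && b >= 16 && b <= 31)
    }
    {
        line = $0; out = ""
        # Walk every dotted quad on the line; the masked text contains no
        # digits in the replaced octets, so nothing is re-matched.
        while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(line, RSTART, RLENGTH)
            split(ip, o, ".")
            if (private(o[1] + 0, o[2] + 0))
                repl = ip
            else
                repl = o[1] "." o[2] ".x.x"
            out = out substr(line, 1, RSTART - 1) repl
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# The three commands from Ian's reply, each under a heading so the reader
# can tell which output is which.
collect_firewall_state() {
    echo "== ifconfig =="
    ifconfig
    echo "== ipfw show =="
    ipfw show
    echo "== ipfw nat show config =="
    ipfw nat show config
}

# Usage:
#   sh collect-ipfw-state.sh collect > for-the-list.txt   (as root, on the gateway)
#   sh collect-ipfw-state.sh mask < saved-output.txt      (filter text you already have)
case "${1:-}" in
    collect) collect_firewall_state 2>&1 | obscure_ips ;;
    mask)    obscure_ips ;;
esac
```

The masking keeps the first two octets so that rules referring to several public hosts in the same /16 can still be told apart, which is usually what a reader needs to follow a NAT ruleset. Private ranges are left intact because they say nothing about the box that an attacker could use, and the rule-to-rule structure (which interfaces, which direction, which nat instance) is exactly what Ian is asking to see.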