Date:      Thu, 13 Sep 2012 22:41:56 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Soren Dreijer <dreijer+bsd@echobit.net>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Significant network latency when using ipfw and in-kernel NAT
Message-ID:  <20120913221758.E51539@sola.nimnet.asn.au>
In-Reply-To: <CALoZf3hfZDQQ4ZEXMrGUkYiGvb5QPoAcbpUikAq1adqVY4fLyg@mail.gmail.com>
References:  <CALoZf3hfZDQQ4ZEXMrGUkYiGvb5QPoAcbpUikAq1adqVY4fLyg@mail.gmail.com>

On Wed, 12 Sep 2012 23:09:27 -0500, Soren Dreijer wrote:
 > Hi there,
 > 
 > We're running freebsd 9.0-RELEASE on a box whose primary purpose is to
 > act as a firewall and a gateway. Up until today, we've been using ipfw
 > in conjunction with natd and the divert action in ipfw to forward
 > packets between the freebsd box (i.e. the public Internet) and our
 > private servers.
 > 
 > Unfortunately, natd appears to be quite the CPU hog and we therefore
 > decided to switch to the in-kernel NAT support in ipfw. The issue
 > we're running into is that the network latency appears to be
 > skyrocketing when ipfw contains nat rules. Basically all TCP traffic
 > originating from the box times out and pinging google.com on the box
 > gives an average of ~10 SECONDS -- and that's even if I explicitly
 > allow all ICMP traffic before the packets even get to the nat rules in
 > ipfw.
 > 
 > The really odd part, however, is that I can ping the freebsd box just
 > fine externally. For instance, pinging the server from my home
 > connection gives an average of 45 ms. I'm also able to communicate
 > just fine with the internal servers through the freebsd box.
 > 
 > Does anybody have any idea what's going on? I assume I must've
 > misconfigured something big here...

Or maybe only something small .. but without seeing your basic ruleset 
and network config - obscured as need be - we can only guess.  Maybe an 
'ifconfig', 'ipfw show' and 'ipfw nat show config' would illustrate?

cheers, Ian
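As an added illustration (not part of Ian's or Soren's mail, and not a diagnosis of the problem reported above): a small POSIX shell script that generates a basic ipfw ruleset using in-kernel NAT in place of natd and divert, so the ruleset can be reviewed as text before it is loaded, plus a function that collects the diagnostics Ian asks for. The interface names em0 (public) and em1 (private) and the NAT instance number 1 are placeholders; substitute your own. The rule order and the one_pass sysctl are the two points a reviewer of such a ruleset would check first.

```shell
#!/bin/sh
# Added example, not code from the thread.  Generates an ipfw ruleset that
# uses in-kernel NAT and prints it, so it can be inspected before loading.
# Placeholders (assumptions, not from the original mail):
#   external interface em0, internal interface em1, NAT instance 1.

# Emit the ruleset for EXT_IF INT_IF NAT_ID.  Ordering notes:
#  - the nat rule must come BEFORE check-state: a dynamic rule created on
#    the inbound pass would otherwise accept the outbound packet on the
#    external interface before it reaches the nat rule, and it would leave
#    the box untranslated;
#  - ICMP is allowed before any stateful rule, as in the original report;
#  - the catch-all at the end denies and logs, so nothing is silently let in.
build_nat_rules() {
    ext_if="$1"
    int_if="$2"
    nat_id="$3"
    cat <<EOF
nat ${nat_id} config if ${ext_if} same_ports unreg_only reset
add 100 allow ip from any to any via lo0
add 200 nat ${nat_id} ip from any to any via ${ext_if}
add 300 check-state
add 310 allow icmp from any to any
add 320 allow tcp from any to any in via ${int_if} setup keep-state
add 330 allow udp from any to any in via ${int_if} keep-state
add 340 allow tcp from me to any out via ${ext_if} setup keep-state
add 350 allow udp from me to any out via ${ext_if} keep-state
add 65000 deny log ip from any to any
EOF
}

# Load the generated ruleset (root only).  With net.inet.ip.fw.one_pass=1
# (the default) a packet leaves the firewall right after the nat rule, so
# rules 300-65000 never see traffic on the external interface; set it to 0
# so the stateful rules and the final deny are evaluated after translation.
apply_nat_rules() {
    sysctl net.inet.ip.fw.one_pass=0
    ipfw -q -f flush
    build_nat_rules "$@" | ipfw -q /dev/stdin
}

# The information requested in the reply above, plus the one_pass setting,
# gathered in one place for posting (obscure addresses before sharing).
show_nat_diag() {
    ifconfig
    ipfw show
    ipfw nat show config
    sysctl net.inet.ip.fw.one_pass
}

case "${1:-}" in
    apply) apply_nat_rules "${2:-em0}" "${3:-em1}" "${4:-1}" ;;
    diag)  show_nat_diag ;;
    *)     build_nat_rules "${2:-em0}" "${3:-em1}" "${4:-1}" ;;
esac
```

Running the script with no arguments only prints the ruleset; `apply` loads it and `diag` prints the state of the running firewall. The outbound internal-to-external path creates two dynamic entries (one on the inbound pass through em1, one for the translated packet on em0 via the `from me` rule); the reply on em0 is translated back by rule 200 and then matched by the first entry at check-state.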