Date:      Sat, 21 Oct 2006 20:50:30 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Brett Glass <brett@lariat.net>
Cc:        net@freebsd.org
Subject:   Re: Avoiding natd overhead
Message-ID:  <453AEA86.4070103@elischer.org>
In-Reply-To: <200610210648.AAA01737@lariat.net>
References:  <200610210648.AAA01737@lariat.net>

Brett Glass wrote:
> I'm working with a FreeBSD-based router that's using IPFW for policy 
> routing, traffic shaping, and transparent proxying and natd for network 
> address translation. IPFW does these things pretty well (in fact, I 
> don't know if another firewall, like pf, could even do some of these 
> things I'm doing with IPFW), but natd is by far the most CPU-intensive 
> process on the system and is causing it to crumple like a wet towel 
> under heavy loads. How can I replace just the functionality of natd 
> without moving to an entirely new firewall? Can I still select which 
> packets are routed to the NAT engine, and when this occurs during the 
> processing of the packet?
> 
> --Brett Glass

One thing that you need to make sure of is that only the packets that 
have the potential of being of interest to natd are passed to natd.

i.e. be VERY specific in your natd rules:

ipfw add 1000 divert natd ip from any to any out recv {inner-interface} xmit {outer-interface}
ipfw add 1001 divert natd ip from any to {inner-interface-address} in recv {outer-interface}


don't waste natd's time with packets it doesn't care about.







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?453AEA86.4070103>
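The advice above, as an added rc.firewall-style fragment that is not part of the thread and not Julian's or FreeBSD's own code. It puts the catch-all divert that wastes natd's time next to the two interface-specific rules, and matches inbound traffic on the public address natd aliases to (the address on the outer interface), which is where replies to translated connections arrive. The interface names em0/em1, the address 203.0.113.10 (a documentation range), rule numbers 1000/1001 and the DRY_RUN switch are assumptions for illustration; 8668 is natd's default divert port.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (or loads) the ipfw
# divert rules that hand only NAT-relevant packets to natd.
# Assumed values: interface names, public address, rule numbers, DRY_RUN.

OUTER_IF="${OUTER_IF:-em0}"             # faces the ISP (assumed name)
INNER_IF="${INNER_IF:-em1}"             # faces the LAN (assumed name)
OUTER_IP="${OUTER_IP:-203.0.113.10}"    # public address on $OUTER_IF (assumed)
NATD_PORT="${NATD_PORT:-8668}"          # divert port natd listens on (natd default)
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the ipfw commands, 0 = run them

# natd must be listening on the same divert port and aliasing to the same
# address, e.g. (assumed invocation):  natd -n "$OUTER_IF" -p "$NATD_PORT"

# ipfw_rule: print one ipfw command in dry-run mode, otherwise execute it.
ipfw_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw -q "$@"
    fi
}

# Weak form: every packet the router sees, including LAN-to-LAN forwarding and
# traffic to or from the router itself, is copied through the divert socket,
# so natd parses and looks up packets it can never translate.
natd_rules_broad() {
    ipfw_rule add 1000 divert "$NATD_PORT" ip from any to any
}

# Specific form: only the two flows natd can act on.
#   1000: came in on the LAN side and is leaving on the ISP side (needs aliasing)
#   1001: came in on the ISP side, addressed to the public IP (needs de-aliasing)
# Everything else (LAN-to-LAN, router-local, other interfaces) never reaches natd.
natd_rules_specific() {
    ipfw_rule add 1000 divert "$NATD_PORT" ip from any to any \
        out recv "$INNER_IF" xmit "$OUTER_IF"
    ipfw_rule add 1001 divert "$NATD_PORT" ip from any to "$OUTER_IP" \
        in recv "$OUTER_IF"
}

# rule_count: number of ipfw commands a rule function emits (dry-run only).
rule_count() {
    DRY_RUN=1 "$1" | wc -l | tr -d ' '
}

# Stand-alone use: "sh natd-rules.sh" prints the rules; "sh natd-rules.sh load"
# installs them (run as root on the router, after your own flush/allow rules).
if [ "${1:-}" = "load" ]; then
    DRY_RUN=0
fi
natd_rules_specific
```

After loading, `ipfw -a list 1000 1001` shows the packet and byte counters on the two divert rules; if they stay near the totals of the interface counters rather than well below them, the match is still too wide and natd is seeing traffic it cannot translate.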