From owner-freebsd-net@FreeBSD.ORG Sun Oct 22 03:50:31 2006
Message-ID: <453AEA86.4070103@elischer.org>
Date: Sat, 21 Oct 2006 20:50:30 -0700
From: Julian Elischer
To: Brett Glass
Cc: net@freebsd.org
In-Reply-To: <200610210648.AAA01737@lariat.net>
Subject: Re: Avoiding natd overhead

Brett Glass wrote:
> I'm working with a FreeBSD-based router that's using IPFW for policy
> routing, traffic shaping, and transparent proxying and natd for network
> address translation. IPFW does these things pretty well (in fact, I
> don't know if another firewall, like pf, could even do some of these
> things I'm doing with IPFW), but natd is by far the most CPU-intensive
> process on the system and is causing it to crumple like a wet towel
> under heavy loads. How can I replace just the functionality of natd
> without moving to an entirely new firewall? Can I still select which
> packets are routed to the NAT engine, and when this occurs during the
> processing of the packet?
>
> --Brett Glass

one thing that you need to make sure of is that only the packets that have potential of being of interest to natd are passed to natd.
i.e. be VERY specific in your natd rules..

ipfw add 1000 divert natd ip from any to any out recv {inner-interface} xmit {outer-interface}
ipfw add 1001 divert natd ip from any to {inner-interface-address} in recv {outer-interface}

don't waste natd's time with packets it doesn't care about.
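The following sh script is an added example, not part of Julian's mail or of FreeBSD itself. It turns the advice above into a small ruleset generator: the broad Handbook-style divert rule is shown commented out for contrast, and the two rules that replace it are pinned to a receive and transmit interface so that only LAN-to-WAN and WAN-to-router traffic is handed to natd. Interface names (em0, em1), the LAN prefix, rule numbers, and the IPFW variable are constructed placeholders; the use of `me` for the inbound rule and the pass-through rule for loopback traffic are my additions to Julian's two rules.

```shell
#!/bin/sh
# Added example: emit a narrow natd divert ruleset for ipfw.
# Interface names, addresses and rule numbers below are constructed placeholders.
# IPFW="ipfw" applies the rules; the default "echo ipfw" only prints them for review.

build_nat_ruleset() {
    inner="$1"      # LAN-facing interface, e.g. em1
    outer="$2"      # Internet-facing interface, e.g. em0
    inner_net="$3"  # LAN prefix, e.g. 192.168.2.0/24
    ipfw="${IPFW:-echo ipfw}"

    # The broad form commonly copied from tutorials: every packet crossing
    # the outer interface, in either direction, is diverted to natd.
    #   ipfw add 1000 divert natd ip from any to any via "$outer"

    # Loopback traffic never needs translation; pass it before any divert rule
    # so natd is not asked to look at it.
    $ipfw add 900 allow ip from any to any via lo0

    # Outbound: only packets that arrived on the LAN side and are leaving on
    # the WAN side reach natd.
    $ipfw add 1000 divert natd ip from "$inner_net" to any out recv "$inner" xmit "$outer"

    # Inbound: only packets arriving on the WAN side and addressed to one of
    # this host's own addresses (natd's alias address) reach natd.
    $ipfw add 1001 divert natd ip from any to me in recv "$outer"
}

# Print the ruleset for review when run directly.
build_nat_ruleset em1 em0 192.168.2.0/24
```

Run it once with the default `echo ipfw` to inspect the rules, then with `IPFW="ipfw -n"` to let ipfw check the syntax without loading anything into the kernel, and only then with `IPFW=ipfw`. Traffic from LAN hosts to the router's own services arrives `in` on the inner interface and matches neither divert rule, which is exactly the traffic Julian's wording says natd should never see.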