Date:      Mon, 31 May 1999 12:24:49 +0200
From:      Thierry Herbelot <Thierry.Herbelot@alcatel.fr>
To:        Len Conrad <lconrad@Go2France.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: "ipfw add fwd ipaddr ip ..." syntax
Message-ID:  <37526370.9B85B036@telspace.alcatel.fr>
References:  <4.2.0.56.19990530180943.00a93530@go2france.com> <4.1.19990531114320.00c53f00@mail.go2france.com>


Salut,

I don't think running natd and ipfw creates a big CPU load on a recent
machine : I've got a p5-200 running as a FW + NAT for a home network
and I go very seldom to more than 8-10 % of load (as indicated by
top(1)), even when downloading @ 250KB/s (when my cable connection works
fine ...)

I've got an ancient 386sx-16 which is doomed to become my future router
(as soon as I buy a 2nd ISA NIC) - and I expect it to forward at this
kind of rates ; there was a message hinting on this possibility :

---------------------------------------------------

Subject: Re: IPFW performance impact?
   Date: Thu, 01 Apr 1999 18:36:22 GMT
   From: jbg@masterplan.org (Jason George)
     To: freebsd-isp@FreeBSD.ORG




>
>> Right now, i've got close to 2MB out, and 1MB in, with two fxp0 cards,
>> and a pretty heavy ruleset (40 rules, that most packets have to pass
>> through all of them).
>> 
>> last pid: 26211;  load averages:  0.00,  0.00,  0.00
>> 13 processes:  1 running, 12 sleeping
>> CPU states:  0.0% user,  0.0% nice,  0.0% system,  6.6% interrupt, 93.4% idle
>> 
>> 
>> This is on a P/200.
>
>How much traffic do you have going through at the time you posted this?
>This data would be more meaningful if, say, you were doing an FTP or dump
>to a machine just on the other side, so you had lots of traffic.  If it's
>idle, then it doesn't really matter how many rules or how much you've
>got--it'd be as idle on a 386-16.
>


Exactly.  I have a 386-16 routing a 2Mbit SDSL line, a 386-25 routing 
a 10Mbit cable modem and a 386-33 routing a 1.5M/640k RADSL line.
Each has ~20 rules.  I can easily sustain the maximum throughput on 
the WAN connections with an acceptable CPU impact, even running 
address translation.

Running NAT on the SDSL line, full WAN saturation occurs at the 
expense of about 50% CPU utilization on the 386-16.

Being a glutton for punishment, I run sendmail, qpopper, INN and 
samba.  Nominal throughput on the cable modem system is about 640k, 
and the 386-25 does a bang-up job.

For edge routers providing point-to-point connections, a low-end PC is 
fine.  Multiple (>2) interface systems with complex routing and 
heavier traffic and firewall rule-matching patterns will really begin 
to tax low-end hardware. 

--Jason
j.b.george<at>ieee.org
jbg<at>masterplan.org

---------------------------------------------------

Len Conrad wrote:
> 
> Bon jour Thierry,
> 
> We'll look at natd, we just thought we could forward with ipfw alone.
> 
> Our n-nth reading of "man ipfw" discovered that the "fwd ipaddr" syntax of
> ipfw requires a switch in kernel.  So now our "fwd" syntax on ipfw rules is
> being accepted and appears to be working.
> 
> afaics "on paper", the natd forwarding provides the same as the ipfw fwd
> function. Do you know of any differences?  We'd like to keep natd out of
> this particular "border router" if possible. It will become a very busy
> machine if FreeBSD is stable as a router.
> 
> Merci bcp,
> Len
> 
> =========================================
> 
> >have a look at the natd(8) man page :