Date:      Tue, 11 Oct 2016 08:34:53 +0000
From:      Kamil Choudhury <Kamil.Choudhury@anserinae.net>
To:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Slow NAT on 10.3-RELEASE
Message-ID:  <F9A7386EC2A26E4293AF13FABCCB32B3032E2813BF@janus.anserinae.net>

Hey freebsd-pf:

I'm on FreeBSD 10.3-RELEASE, and attempting to route all traffic from jail1 to the
internet out of router.vtnet0 using PF. It *works*, but not well: boundary's
NAT tops out at a blistering 20KBps on a 100Mbps internet connection.

Here's the topology I'm working with:

client1.tap0  <--1--> tap1.intermediate1.tap0  <--2--> tap0.boundary.vtnet0 -> internet
       .vtnet0-->internet               .vtnet0--> internet
       .vlan0
          |
          +--> jail1 (10.0.0.33)

There are layers of PF firewalls; stripped of all nonsense here are their pf.confs:

[client1]
if_ext = "vtnet0"
set skip on lo0
scrub in
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all
pass in quick on tap0 reply-to (tap0 192.168.53.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap0 192.168.53.1) from 10.0.0.0/24 to any keep state (floating)

[intermediate]
if_ext = "vtnet0"
set skip on lo0
scrub in
pass in all
pass out all
pass in quick on tap1 reply-to (tap1 192.168.2.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap1 192.168.2.1) from 10.0.0.0/24 to any keep state (floating)

[boundary]
if_ext = "vtnet0"
set skip on lo0
scrub in
rdr on $if_ext proto tcp from any to $if_ext port 25 -> 10.0.0.33
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all

Diagnostics:

iperf from jail1 to boundary.tap0 is about 50-60Mbps, so I am ruling out
configuration issues on Links 1 and 2.

All hosts can ping everyone, and ping packets to the internet from jail1 go
out the door to the internet from boundary1. It looks, therefore, like routing
is set up correctly as well on all the hosts.

All of these hosts are virtualized on Vultr (haven't tried on DO or EC2).

Links 1 and 2 are OpenVPN connections, FWIW.

I've seen some mention of checksum issues on NAT limiting performance, but that
seems to have been fixed as of 10.2 in an errata. Have I stumbled upon an actual
problem, or have I misconfigured something?

Thanks in advance,
Kamil
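Added example, not part of Kamil's message: a POSIX sh check for the checksum-offload hypothesis the message raises. It parses the `options=` line that FreeBSD's `ifconfig <if>` prints for the NAT interface (vtnet0, as in the message) and reports whether hardware checksum offload is enabled; the two option lines embedded below are constructed samples, not captured from the poster's hosts.

```shell
#!/bin/sh
# Added example (not from the original post): report whether hardware checksum
# offload is enabled on a FreeBSD interface, from its `ifconfig` options line.
# A NAT box rewrites addresses, so offload flags are the first thing to look at
# when NAT throughput collapses on a virtual NIC.

# Constructed sample resembling a vtnet(4) options line with offload enabled.
SAMPLE_ON='options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>'
# Constructed sample of the same interface with checksum offload disabled.
SAMPLE_OFF='options=4c0039<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,LRO,VLAN_HWTSO,LINKSTATE>'

# csum_flags LINE: print each checksum-offload flag present in LINE, one per line.
csum_flags() {
    printf '%s\n' "$1" |
        sed -n 's/.*<\([^>]*\)>.*/\1/p' |
        tr ',' '\n' |
        grep -E '^(RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6|VLAN_HWCSUM)$'
}

# has_csum_offload LINE: succeed (exit 0) when any checksum-offload flag is set.
has_csum_offload() {
    [ -n "$(csum_flags "$1")" ]
}

# report NAME LINE: one-line human-readable summary for an interface.
report() {
    if has_csum_offload "$2"; then
        printf '%s: checksum offload ON (%s)\n' "$1" "$(csum_flags "$2" | tr '\n' ' ')"
    else
        printf '%s: checksum offload OFF\n' "$1"
    fi
}

# With an interface name as argument, read the live line from ifconfig
# (e.g. `sh check-csum.sh vtnet0` on the NAT host); with no argument, run
# against the constructed samples so the script also works off-box.
if [ $# -gt 0 ]; then
    report "$1" "$(ifconfig "$1" | grep -m1 'options=')"
else
    report 'vtnet0 (sample, offload on)' "$SAMPLE_ON"
    report 'vtnet0 (sample, offload off)' "$SAMPLE_OFF"
fi
```

On a live host, `ifconfig vtnet0 -rxcsum -txcsum` turns the offload off so the NAT throughput can be re-measured with iperf; the setting does not survive a reboot unless added to the interface's rc.conf line.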


