From: Chuck Swiger (cswiger@mac.com)
Organization: The Courts of Chaos
Date: Sat, 23 Oct 2004 12:11:41 -0400
To: Stephane Raimbault
cc: net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)
Subject: Re: using natd to load balance port 80 to multiple servers

Stephane Raimbault wrote:
> I'm currently using a freebsd box running natd to forward port 80 to
> several (5) web servers on private IP's.

OK.
> I have discovered that natd doesn't handle many requests/second all that
> well (seems to choke at about 200 req/second (educated guess))

Let's take that number as being right, although the first consideration when doing performance tuning is that you need to measure things accurately enough that you can see whether a change makes a meaningful difference. There are plenty of tools available in the ports tree, although you could start with "ab" from apache.

Next, you ought to read "man tuning" and look into adjusting HZ, NMBCLUSTERS in your kernel config, using any hardware support for your NICs (-link0 option) or try using device polling. You should probably investigate the net.inet sysctls, particularly those controlling retransmit time intervals net.inet.tcp.rexmit_min and the keepalive and net.inet.ip.fw.dyn*lifetime tunables.

> There are other packet filtering options on FreeBSD and I wonder if I
> can use them to do what I'm trying to do with natd.

It's true that natd runs in userspace, which creates more overhead, so using PF instead might be worth doing, sure.

> Would someone be able to point me to documentation or help me have
> either ipf/ipfw/pf forward port 80 traffic to private space IP's?

Consider http://www.openbsd.org/faq/pf/index.html

> Is there a better way of splitting port 80 traffic across multiple
> webservers that has eluded me? Other than a commercial content switch
> that is :)

Oh, sure. The most obvious solution to the problem is to give all of the servers real IPs and use some other form of balancing (DNS round-robin, or splitting the content somehow [static vs dynamically generated?]), and avoid dealing with NAT altogether.

-- 
-Chuck
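As an added illustration of the in-kernel PF route the reply points to (an example pf.conf fragment written for this page; it is not part of Chuck's message, the original question, or the OpenBSD FAQ), the configuration below redirects inbound port 80 on the public interface across five private-address backends. The interface names, the 10.0.0.0/24 backend addresses and the state limit are assumptions chosen for the example; the syntax is the classic rdr/nat form used by the pf of that era on FreeBSD 5.x, so check pf.conf(5) on the version actually installed.

```pf
# Added example pf.conf fragment, not from the original message.
# Assumed names and addresses: ext_if/int_if and the 10.0.0.x backends.
ext_if      = "fxp0"
int_if      = "fxp1"
web_servers = "{ 10.0.0.11, 10.0.0.12, 10.0.0.13, 10.0.0.14, 10.0.0.15 }"

# Every redirected connection costs a state entry; at a few hundred new
# connections per second the default table fills quickly, so raise the limit.
set limit states 20000

# Spread new HTTP connections over the backends. round-robin picks the next
# server for each new connection; sticky-address pins a given client source
# address to the same backend, which matters if the sites keep server-side
# sessions. ($ext_if) re-reads the interface address if it changes.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 \
    -> $web_servers round-robin sticky-address

# Replies from the backends must come back through this box. If the web
# servers' default route is not this host, also rewrite the source address
# on the way in so the return path is forced:
# nat on $int_if proto tcp from any to $web_servers port 80 -> ($int_if)

# Filter rules. Translation happens before filtering, so the pass rule must
# match the translated (private) destination, not the public address.
# Keeping state means only the first SYN does the rdr lookup; the rest of the
# connection is matched against the state entry.
block in on $ext_if
pass in on $ext_if proto tcp from any to $web_servers port 80 \
    flags S/SA keep state
pass out on $int_if proto tcp from any to $web_servers port 80 keep state
```

Load it with `pfctl -f /etc/pf.conf`, confirm the translation rules with `pfctl -s nat`, and watch `pfctl -s info` (state table counters and the "states" limit) while driving load with "ab" so the comparison against natd is a measured one rather than a guess. Note that one backend going down is not detected here: PF keeps handing it connections, which is the main thing the commercial content switch mentioned in the question adds.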