Date:      6 May 2003 07:20:44 +0300
From:      veedee@c7.campus.utcluj.ro
To:        "Eric Anderson" <anderson@centtech.com>
Cc:        Clement Laforet <sheep.killer@cultdeadsheep.org>
Subject:   Re: NAT performance tweaks
Message-ID:  <20030506042044.GA84589@c7.campus.utcluj.ro>
In-Reply-To: <3EB6A0BF.1040803@centtech.com>
References:  <3EB67822.3070802@centtech.com> <20030505182756.093fb1c3.sheep.killer@cultdeadsheep.org> <3EB6A0BF.1040803@centtech.com>

On Mon, May 05, 2003 at 12:34:55PM -0500, Eric Anderson wrote:
> Clement Laforet wrote:
> >On Mon, 05 May 2003 09:41:38 -0500
> >Eric Anderson <anderson@centtech.com> wrote:
> >
> >>Does anyone have any tweaks they apply to NAT firewalls that pass a
> >>lot of connections through them?  Here's the only tweak I have in place
> >>already, but I'm not sure they're needed yet (or if there are any
> >>tweaks needed at all):
> >
> >which NAT solution do you use ?
> 
> IPNAT and ipfilter..
> 
> >>sysctl kern.ipc.somaxconn=8192
> >
> >
> >NAT'ing (except for natd which uses IPDIVERT (but not more than 3))
> >doesn't use socket to translate packets.
> >Generally, packets are tagged by firewall control software and
> >translated within the IP stack (at least in kernel land).
> 
> Oh yea, that's right.. So can you think of any kernel or other tweaks to 
> be done, to ensure optimal usage of the machine in this environment? 
> What about mail coming in/out of the machine? I do a fair amount of mail 
> through it (out through NAT, in through Sendmail) also..

If you have a large network behind your NAT server, defining LARGE_NAT in
src/contrib/ipfilter/ip_nat.h and src/sys/contrib/ipfilter/netinet/ip_nat.h
might help. Don't forget to recompile the kernel and ipfilter.

Strangely enough, I used to have huge pings (up to 80ms in a totally switched
gigabit network) after a few hours of utilization before fiddling with
LARGE_NAT.

> Eric
> 
> 
> --
> ------------------------------------------------------------------
> Eric Anderson	   Systems Administrator      Centaur Technology
> Attitudes are contagious, is yours worth catching?
> ------------------------------------------------------------------

-- 
| Radu Bogdan Rusu | Network Administrator @ campus.utcluj.ro |
| cvsup3.ro/www4.ro.freebsd.org maintainer |->5b736c616d215d<-|
| Faculty of Automation & Computer Science @ UTCluj , Romania |
|-------------------------------------------------------------|