Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 12 Sep 2012 23:09:27 -0500
From:      Soren Dreijer <>
Subject:   Significant network latency when using ipfw and in-kernel NAT
Message-ID:  <>

Next in thread | Raw E-Mail | Index | Archive | Help
Hi there,

We're running freebsd 9.0-RELEASE on a box whose primary purpose is to
act as a firewall and a gateway. Up until today, we've been using ipfw
in conjunction with natd and the divert action in ipfw to forward
packets between the freebsd box (i.e. the public Internet) and our
private servers.

Unfortunately, natd appears to be quite the CPU hog and we therefore
decided to switch to the in-kernel NAT support in ipfw. The issue
we're running in to is that the network latency appears to be
skyrocketing when ipfw contains nat rules. Basically all TCP traffic
originating from the box times out and pinging on the box
gives an average of ~10 SECONDS -- and that's even if I explicitly
allow all ICMP traffic before the packets even get to the nat rules in

The really odd part, however, is that I can ping the freebsd box just
fine externally. For instance, pinging the server from my home
connection gives an average of 45 ms. I'm also able to communicate
just fine with the internal servers through the freebsd box.

Does anybody have any idea what's going on? I assume I must've
misconfigured something big here...

Soren Dreijer

Want to link to this message? Use this URL: <>