From: Soren Dreijer
Sender: dreijer@echobit.net
To: freebsd-ipfw@freebsd.org
Date: Wed, 12 Sep 2012 23:09:27 -0500
Subject: Significant network latency when using ipfw and in-kernel NAT
List-Id: IPFW Technical Discussions

Hi there,

We're running FreeBSD 9.0-RELEASE on a box whose primary purpose is to act as a firewall and a gateway. Up until today, we've been using ipfw in conjunction with natd and the divert action in ipfw to forward packets between the FreeBSD box (i.e. the public Internet) and our private servers. Unfortunately, natd appears to be quite the CPU hog and we therefore decided to switch to the in-kernel NAT support in ipfw.

The issue we're running into is that the network latency appears to be skyrocketing when ipfw contains nat rules. Basically all TCP traffic originating from the box times out and pinging google.com on the box gives an average of ~10 SECONDS -- and that's even if I explicitly allow all ICMP traffic before the packets even get to the nat rules in ipfw.

The really odd part, however, is that I can ping the FreeBSD box just fine externally. For instance, pinging the server from my home connection gives an average of 45 ms. I'm also able to communicate just fine with the internal servers through the FreeBSD box.

Does anybody have any idea what's going on? I assume I must've misconfigured something big here...

Thanks,
Soren Dreijer
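For readers reproducing the setup described in the mail, this is an added reference ruleset (not the poster's own, which the mail does not include) for ipfw in-kernel NAT: the natd/divert pair is replaced by a `nat` instance and rule, ICMP is allowed before the nat rule as the poster did, and `one_pass` is cleared so translated packets keep traversing the ruleset. Interface names (em0/em1) and rule numbers are assumptions; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original mail: a reference ipfw in-kernel NAT
# ruleset with the shape the poster describes (natd/divert replaced by the
# nat action, ICMP allowed before the nat rule). Interface names and rule
# numbers are assumptions. Commands are only printed (dry run) unless RUN=sh.
EXT_IF="${EXT_IF:-em0}"        # assumed public interface
INT_IF="${INT_IF:-em1}"        # assumed LAN interface
RUN="${RUN:-cat}"              # "cat" = dry run, "sh" = apply on the gateway

# Print the ruleset for the given external/internal interfaces.
# Ordering matters: traffic that must never be translated (loopback, the LAN
# side, ICMP) is matched before the nat rule. one_pass=0 makes a packet
# continue at the rule after "nat" instead of leaving the firewall as soon
# as it has been (de)aliased, so the later allow/deny rules still apply.
nat_ruleset() {
    ext="$1"; int="$2"
    cat <<EOF
kldload ipfw_nat
sysctl net.inet.ip.fw.one_pass=0
ipfw -q flush
ipfw nat 1 config if $ext same_ports reset
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 allow ip from any to any via $int
ipfw add 300 allow icmp from any to any
ipfw add 400 nat 1 ip from any to any via $ext
ipfw add 500 allow tcp from any to any via $ext established
ipfw add 600 allow tcp from any to any out via $ext setup
ipfw add 700 allow udp from any to any out via $ext
ipfw add 800 allow udp from any 53 to any in via $ext
ipfw add 65000 deny log ip from any to any
EOF
}

# Rule number of the first "ipfw add" line whose text matches a pattern
# (0 if none), used to check that ICMP is accepted before the nat rule.
rule_number() {
    nat_ruleset "$1" "$2" | awk -v pat="$3" \
        'BEGIN { n = 0 } $1 == "ipfw" && $2 == "add" && $0 ~ pat { n = $3; exit } END { print n }'
}

nat_ruleset "$EXT_IF" "$INT_IF" | $RUN
```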