using natd to load balance port 80 to multiple servers

Stephane Raimbault segr at hotmail.com
Fri Nov 19 17:21:03 GMT 2004


I finally got around to testing out FreeBSD 5.3 + pf to replace my FreeBSD 
4.9 + natd to forward port 80 to multiple backend servers.  I see a huge 
performance difference. FreeBSD 5.3 + pf runs at about < 5% CPU where FreeBSD 
4.9 + natd was doing the same thing at around 20% CPU.  I'm very happy with 
the performance difference.

During my testing, I noticed that sometimes traffic going through pf was 
locking up if I was doing too many requests from the same IP concurrently.

I was running ab from one machine with 50 concurrent and 50000 total 
requests.  It seemed to lock up after hitting 500 requests.  So I ran ab 
from 6 different machines with < 500 requests each and my tests revealed positive 
results.  I have put this solution into production, however this problem 
seems to plague me again; apparently people behind firewalls are running 
into this problem as multiple users from an office would try to connect to 
the site.

When I look at the pfctl -s state output and grep for the IP address of one of 
these offices or firewalls, I never see it go above 250 entries.  Is there 
some sort of limitation or limit I'm reaching that I'm not aware of?  Is 
this an anomaly or a bug?

Otherwise it seems like the system is running quite well and I am very 
pleased.

Thank you for your suggestion to pf,
Stephane.

>From: Chuck Swiger <cswiger at mac.com>
>To: Stephane Raimbault <segr at hotmail.com>
>CC: net at freebsd.org
>Subject: Re: using natd to load balance port 80 to multiple servers
>Date: Sat, 23 Oct 2004 12:11:41 -0400
>
>Stephane Raimbault wrote:
>>I'm currently using a freebsd box running natd to forward port 80 to 
>>several (5) web servers on private IP's.
>
>OK.
>
>>I have discovered that natd doesn't handle many requests/second all that 
>>well (seem to choke at about 200 req/second (educated guess))
>
>Let's take that number as being right, although the first consideration 
>when doing performance tuning is that you need to measure things accurately 
>enough that you can see whether a change makes a meaningful difference.
>
>There are plenty of tools available in the ports tree, although you could 
>start with "ab" from apache.
>
>Next, you ought to read "man tuning" and look into adjusting HZ, 
>NMBCLUSTERS in your kernel config, using any hardware support for your NICs 
>(-link0 option) or try using device polling.
>
>You should probably investigate the net.inet sysctls, particularly those 
>controlling retransmit time intervals net.inet.tcp.rexmit_min and the 
>keepalive and net.inet.ip.fw.dyn*lifetime tunables.
>
>>There are other packet filtering options on FreeBSD and I wonder if I can 
>>use them to do what I'm trying to do with natd.
>
>It's true that natd runs in userspace, which creates more overhead, so 
>using PF instead might be worth doing, sure.
>
>>Would someone be able to point me to documentation or help me have either 
>>ipf/ipfw/pf forward port 80 traffic to private space IP's?
>
>Consider http://www.openbsd.org/faq/pf/index.html
>
>>Is there a better way of splitting port 80 traffic across multiple webservers 
>>that has eluded me?  Other than a commercial content switch that is :)
>
>Oh, sure.
>
>The most obvious solution to the problem is to give all of the servers real 
>IPs and use some other form of balancing (DNS round-robin, or splitting the 
>content somehow [static vs dynamically generated?]), and avoid dealing with 
>NAT altogether.
>
>--
>-Chuck
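The setup discussed in this thread (pf on the FreeBSD box redirecting inbound port 80 to a pool of private-address web servers, plus the state-table knobs to check when connections from one source stall) written out as a pf.conf. This is an added example for this page, not configuration posted by Stephane or Chuck. The interface names, the public address 192.0.2.10, the 10.0.0.0/24 backend addresses and the limit values are all assumptions for illustration; the syntax is the OpenBSD 3.4/3.5-era pf that FreeBSD 5.3 imported, so `rdr ... round-robin sticky-address`, `source-track` and `max-src-states` are available but the later `max-src-conn`/`max-src-conn-rate` options are not.

```pf
# Added example: pf load balancing of inbound port 80 to several backends.
# Interface names and addresses below are assumed, not taken from the thread.
ext_if   = "fxp0"
int_if   = "fxp1"
ext_addr = "192.0.2.10"
web_servers = "{ 10.0.0.11, 10.0.0.12, 10.0.0.13, 10.0.0.14, 10.0.0.15 }"

# The state table is global and its default ceiling is 10000 entries.
# Every HTTP connection, including ones in FIN_WAIT/closed, holds one
# entry until its timeout expires, so a busy site can exhaust it.
# Raise the ceiling (value assumed) and shorten the post-close timeouts
# so finished connections free their slots sooner.
set limit states 20000
set timeout { tcp.finwait 30, tcp.closed 15 }

# Normalise inbound packets before they reach translation and filtering.
scrub in on $ext_if all

# Outbound NAT so the private-address backends can reach the Internet.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Spread inbound port 80 across the pool.  round-robin picks the next
# backend per new connection; sticky-address pins a given client IP to
# one backend for as long as that client has a source-tracking entry.
rdr on $ext_if proto tcp from any to $ext_addr port 80 \
    -> $web_servers round-robin sticky-address

block in on $ext_if all

# Filter rules see the post-rdr (backend) address.  source-track rule
# keeps a per-client counter; max-src-states caps how many concurrent
# states one client IP may hold under this rule (value assumed).  A
# client that hits the cap has further SYNs dropped, which looks like a
# "lock up" from behind a shared office firewall, so size it generously.
pass in on $ext_if proto tcp from any to $web_servers port 80 \
    flags S/SA keep state (source-track rule, max-src-states 500)

# Let the redirected connections out towards the backends.
pass out on $int_if proto tcp from any to $web_servers port 80 \
    flags S/SA keep state
```

Two checks are worth running when a burst of connections from one address stalls: `pfctl -s memory` prints the configured `states` limit, and `pfctl -si` prints the state table's current entry count alongside counters such as `memory` under the counters section, which increments when pf could not allocate a new state. If the current entry count sits at the limit, or the memory counter climbs during the stall, the global table rather than anything per-source is what is full. Per-source counts as in the thread can be taken with `pfctl -s state | grep -c '203.0.113.5'` (address assumed). The backends must also route return traffic back through the pf box (normally by using it as their default gateway), or the replies bypass the translation and the client never sees them.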
