using natd to load balance port 80 to multiple servers

Chuck Swiger cswiger at
Fri Nov 19 18:19:00 GMT 2004

Stephane Raimbault wrote:
> I finally got around to testing out FreeBSD 5.3 + pf to replace my 
> FreeBSD 4.9 + natd to forward port 80 to multiple backend servers.  I 
> see a huge performance difference. FreeBSD 5.3 + pf runs about < 5% 
> where FreeBSD 4.9 + natd was doing the same thing for around 20% cpu.  
> I'm very happy with the performance difference.

OK, that's good.

> During my testing, I noticed that sometimes traffic going thru pf was 
> locking up if I was doing too many requests from the same IP concurrently.
[ ... ]
> when I look at the pfctl -s state and grep for the IP address of one of 
> these offices or firewall, I never see it go above 250 entries.  Is 
> there some sort of limitation or limit I'm reaching that I'm not aware 
> of.  Is this an anomaly or a bug?

I don't know enough about PF to give you advice on tuning it, but no, it is 
not surprising that you run into anomalies when you put a sufficiently large # 
of connections through NAT.  Re-writing every packet and keeping all of that 
dynamic state is somewhat expensive in terms of latency and resources, and 
these expenses grow in proportion to the amount of traffic present.

I will repeat my suggestion that you use a real IP on your webserver and 
switch from doing PF + NAT to doing PF or IPFW + bridging instead.
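A small diagnostic for the per-source state question raised in the thread, added here as an example and not part of either poster's message. It parses the `pfctl -s state` listing, counts entries per remote source address, and flags sources at or above a chosen threshold. The sample lines are constructed to match the `pfctl -s state` layout (`self tcp SRC:PORT -> DST:PORT  STATE:STATE`, or `<-` for inbound states); the threshold and addresses are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `pfctl -s state` output (hypothetical addresses,
# not from the thread). For "<-" entries the remote end is the right-hand side.
SAMPLE_STATES='self tcp 192.0.2.10:51234 -> 198.51.100.5:80       ESTABLISHED:ESTABLISHED
self tcp 192.0.2.10:51235 -> 198.51.100.5:80       ESTABLISHED:ESTABLISHED
self tcp 198.51.100.5:80 <- 192.0.2.10:51236       TIME_WAIT:TIME_WAIT
self tcp 203.0.113.7:40001 -> 198.51.100.5:80       ESTABLISHED:ESTABLISHED
self udp 203.0.113.7:5353 -> 198.51.100.53:53       SINGLE:MULTIPLE'

# states_per_src: read `pfctl -s state` lines on stdin and print
# "count address" per remote source address, highest count first.
# The remote side is field 3 for "->" states and field 5 for "<-" states.
states_per_src() {
    awk '{
        src = ($4 == "<-") ? $5 : $3
        split(src, a, ":")          # drop the port, keep the address
        c[a[1]]++
    } END {
        for (ip in c) print c[ip], ip
    }' | sort -rn
}

# top_src_count: the largest per-source state count in the sample.
top_src_count() {
    printf '%s\n' "$SAMPLE_STATES" | states_per_src | head -n 1 | awk '{ print $1 }'
}

# over_limit LIMIT: print every source whose state count is >= LIMIT
# (prints nothing when all sources are below it).
over_limit() {
    printf '%s\n' "$SAMPLE_STATES" | states_per_src \
        | awk -v l="$1" '$1 >= l { print $2 }'
}

# Stand-alone use: run the real listing through the same counter, e.g.
#   pfctl -s state | states_per_src | head
printf '%s\n' "$SAMPLE_STATES" | states_per_src
```

On a live box, replace the sample with `pfctl -s state` output. Whether a plateau around a given count is a limit rather than a symptom is answered by `pfctl -s memory`, which shows the configured table sizes (`set limit states N` in pf.conf raises the state ceiling), and by `pfctl -s info`, whose counters show states being dropped when the table is full.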


More information about the freebsd-net mailing list