pf nat & ipfw kernel nat & ng_nat - what uses less computer resources?
Nikolay
cosmic17 at gmail.com
Fri Jun 4 10:35:09 UTC 2010
Hello.
We have a network and are currently using pf NAT, but we are interested in a few
questions:
1. What type of NAT uses less computer resources?
a) pf NAT
b) ipfw kernel NAT
c) NG_NAT?
2. BINAT or NAT: which is better? Which one is faster and uses fewer computer
resources with a given firewall? In theory I think BINAT is faster than NAT,
because there is no need to track connections.
3. I know that the PF firewall does not support threads. I read that IPFW does
(in FreeBSD 8.0, for example), but in my test I haven't seen threads when using
IPFW. Maybe there are some special options to compile the kernel or configure
IPFW? For the tests I compiled the kernel with:
options SMP
# IPFW
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPFIREWALL_NAT
options LIBALIAS
options HZ="2000"
4. I can't find any information about BINAT with ipfw or ng_nat. Does anyone use
this technology, or do you know of any interesting information about it?
I have a test computer (the border NAT box):
- dmesg | less:
FreeBSD 8.0-STABLE-201004 #0: Mon Apr 5 15:59:06 UTC 2010
CPU: Intel(R) Pentium(R) 4 CPU 3.20GHz (3200.01-MHz K8-class CPU)
real memory = 536870912 (512 MB)
age0: mem 0xfeac0000-0xfeafffff irq 17 at device 0.0 on pci2
rl0: port 0xe800-0xe8ff mem 0xfebffc00-0xfebffcff irq 19 at device 0.0 on pci4
Test scheme:
laptop(192.168.0.188)-->age0(192.168.0.1)-->rl0(10.1.2.142)-->internet
age0 - internal interface
rl0 - external interface
IP Pool for nat is 10.1.6.0/24.
I have completed 2 tests:
1. with utility "ping": ping -c 500 -f 192.168.1.112
2. with utility "iperf": iperf -c 192.168.1.112 -n 1M -i 1 -t 180
You can see the results of these tests below:
1. pf NAT:
There is one rule for NAT in /etc/pf.conf.ports:
nat pass on $ext_if from to any -> 10.1.6.0/24 source-hash test static-port
a) ping -c 500 -f 192.168.1.112:
PING 192.168.1.112 (192.168.1.112) 56(84) bytes of data.
--- 192.168.1.112 ping statistics ---
500 packets transmitted, 398 received, 20% packet loss, time 1658ms
rtt min/avg/max/mdev = 0.239/0.339/5.425/0.262 ms, ipg/ewma 3.323/0.328 ms
b) On the server 192.168.1.112:
iperf -s 80
On the laptop:
iperf -c 192.168.1.112 -p 80 -n 1M -i 1 -t 180
Here are the results of "netstat":
netstat -w1d -I age0:
            input      (age0)          output
 packets errs idrops    bytes  packets errs    bytes colls
    5247    0      0  7332276     1600    0    83700     0
    5286    0      0  7331330     1578    0    82296     0
    5278    0      0  7339278     1589    0    83754     0
    5312    0      0  7380344     1570    0    82728     0
    5328    0      0  7337764     1567    0    83160     0
netstat -w1d -I rl0:
            input      (rl0)           output
 packets errs idrops    bytes  packets errs    bytes colls
    1556    0      0    93508     5133    0  7275788     0
    1547    0      0    92832     5169    0  7337174     0
    1551    0      0    93072     5161    0  7321088     0
    1539    0      0    92352     5199    0  7381268     0
    1520    0      0    91212     5195    0  7367642     0
top -S:
last pid: 6320; load averages: 0.07, 0.02, 0.00 up 1+18:19:20 10:08:26
70 processes: 3 running, 55 sleeping, 12 waiting
CPU: 0.0% user, 0.0% nice, 1.2% system, 4.7% interrupt, 94.2% idle
Mem: 21M Active, 136M Inact, 89M Wired, 44K Cache, 59M Buf, 237M Free
Swap: 2048M Total, 2048M Free
2. pf BINAT:
There are about 1000 rules for BINAT in /etc/pf.conf.ports:
...
binat on $ext_if from 10.10.10.2 to any -> 10.1.6.13
binat on $ext_if from 10.10.10.3 to any -> 10.1.6.14
...
And the last one is for our laptop:
binat on $ext_if from 192.168.0.188 to any -> 10.1.6.188
a) ping -c 500 -f 192.168.1.112:
PING 192.168.1.112 (192.168.1.112) 56(84) bytes of data.
--- 192.168.1.112 ping statistics ---
500 packets transmitted, 398 received, 20% packet loss, time 1688ms
rtt min/avg/max/mdev = 0.238/0.357/1.006/0.078 ms, ipg/ewma 3.383/0.330 ms
b) On the server 192.168.1.112:
iperf -s 80
On the laptop:
iperf -c 192.168.1.112 -p 80 -n 1M -i 1 -t 180
Here are the results of "netstat":
netstat -w1d -I age0:
            input      (age0)          output
 packets errs idrops    bytes  packets errs    bytes colls
    5294    0      0  7318272     1585    0    84996     0
       0    0      0  7357824        0    0    83862     0
    5314    0      0  7367854     1591    0    83268     0
    5302    0      0  7290642     1591    0    83646     0
    5270    0      0  7332276     1577    0    85914     0
netstat -w1d -I rl0:
            input      (rl0)           output
 packets errs idrops    bytes  packets errs    bytes colls
    1586    0      0    95172     5172    0  7341148     0
    1567    0      0    94038     5177    0  7344514     0
    1537    0      0    92232     5198    0  7373698     0
    1565    0      0    93912     5166    0  7328090     0
    1561    0      0    93672     5139    0  7301596     0
top -S:
last pid: 8622; load averages: 0.16, 0.07, 0.01 up 2+13:22:43 05:11:49
61 processes: 3 running, 46 sleeping, 12 waiting
CPU: 0.0% user, 0.0% nice, 4.4% system, 5.1% interrupt, 90.5% idle
Mem: 14M Active, 127M Inact, 89M Wired, 59M Buf, 251M Free
Swap: 2048M Total, 2048M Free
3. IPFW KERNEL NAT:
a) ping -c 500 -f 192.168.1.5:
PING 192.168.1.112 (192.168.1.112) 56(84) bytes of data.
--- 192.168.1.112 ping statistics ---
500 packets transmitted, 425 received, 15% packet loss, time 1598ms
rtt min/avg/max/mdev = 0.253/1.081/1.576/0.414 ms, ipg/ewma 3.203/0.895 ms
b) On the server 192.168.1.112:
iperf -s 80
On the laptop:
iperf -c 192.168.1.112 -p 80 -n 1M -i 1 -t 180
Here are the results of "netstat":
netstat -w1d -I age0:
            input      (age0)          output
 packets errs idrops    bytes  packets errs    bytes colls
    3966    0      0  5501336     1086    0    56646     0
    4380    0      0  6140036     1100    0    58266     0
    4315    0      0  5654698     1089    0    55424     0
    3703    0      0  5291538      990    0    54182     0
    3548    0      0  4910778      992    0    52292     0
    3894    0      0  5399218     1140    0    60770     0
netstat -w1d -I rl0:
            input      (rl0)           output
 packets errs idrops    bytes  packets errs    bytes colls
    1085    0      0    65112     4004    0  5680576     0
    1053    0      0    63296     4432    0  6289586     0
     972    0      0    58508     3668    0  5195190     0
     944    0      0    56672     3550    0  5033916     0
    1109    0      0    66981     3813    0  5408090     0
    1099    0      0    65972     3952    0  5604760     0
top -S:
last pid: 2397; load averages: 0.06, 0.05, 0.04 up 0+00:09:13 14:25:50
66 processes: 3 running, 51 sleeping, 12 waiting
CPU: 0.0% user, 0.0% nice, 0.5% system, 3.5% interrupt, 96.1% idle
Mem: 14M Active, 9248K Inact, 55M Wired, 92K Cache, 11M Buf, 403M Free
Swap: 2048M Total, 2048M Free
4. IPFW KERNEL BINAT:
a) ping -c 500 -f 192.168.1.112:
PING 192.168.1.112 (192.168.1.112) 56(84) bytes of data.
--- 192.168.1.112 ping statistics ---
500 packets transmitted, 398 received, 20% packet loss, time 1968ms
rtt min/avg/max/mdev = 0.284/1.147/1.568/0.406 ms, ipg/ewma 3.944/1.055 ms
b) On the server 192.168.1.112:
iperf -s 80
On the laptop:
iperf -c 192.168.1.112 -p 80 -n 1M -i 1 -t 180
Here are the results of "netstat":
netstat -w1d -I age0:
            input      (age0)          output
 packets errs idrops    bytes  packets errs    bytes colls
    4138    0      0  4716350     1138    0    47682     0
    3458    0      0  5812454      862    0    58374     0
    4144    0      0  5768360     1143    0    59670     0
    4164    0      0  5540888     1132    0    62640     0
    3954    0      0  4803024     1195    0    50598     0
netstat -w1d -I rl0:
            input      (rl0)           output
 packets errs idrops    bytes  packets errs    bytes colls
    1007    0      0    60492     3609    0  5118682     0
     950    0      0    57012     3614    0  5126988     0
    1146    0      0    68772     4034    0  5723108     0
    1121    0      0    67272     4088    0  5801266     0
    1048    0      0    62892     3488    0  4946638     0
top -S:
last pid: 4852; load averages: 0.07, 0.03, 0.00 up 0+16:06:15 05:53:04
63 processes: 4 running, 47 sleeping, 12 waiting
CPU: 0.0% user, 0.0% nice, 7.3% system, 6.7% interrupt, 86.0% idle
Mem: 15M Active, 142M Inact, 110M Wired, 100K Cache, 59M Buf, 214M Free
Swap: 2048M Total, 2048M Free
5. NG_NAT:
a) ping -c 500 -f 192.168.1.112:
PING 192.168.1.112 (192.168.1.112) 56(84) bytes of data.
--- 192.168.1.112 ping statistics ---
500 packets transmitted, 422 received, 15% packet loss, time 1624ms
rtt min/avg/max/mdev = 0.254/1.038/8.862/0.551 ms, ipg/ewma 3.255/0.961 ms
b) On the server 192.168.1.112:
iperf -s 80
On the laptop:
iperf -c 192.168.1.112 -p 80 -n 1M -i 1 -t 180
Here are the results of "netstat":
netstat -w1d -I age0:
            input      (age0)          output
 packets errs idrops    bytes  packets errs    bytes colls
    4812    0      0  6634038     1268    0    66474     0
    4765    0      0  6702092     1234    0    66150     0
    4848    0      0  6616932     1263    0    66636     0
    4764    0      0  6582868     1237    0    70686     0
    4746    0      0  6494680     1403    0    76032     0
netstat -w1d -I rl0:
            input      (rl0)           output
 packets errs idrops    bytes  packets errs    bytes colls
    1219    0      0    73170     4680    0  6634886     0
    1225    0      0    73512     4720    0  6696960     0
    1219    0      0    73170     4655    0  6603440     0
    1380    0      0    82812     4630    0  6570166     0
    1414    0      0    84864     4585    0  6504178     0
Crossposted to freebsd-net.
--
View this message in context: http://old.nabble.com/pf-nat---ipfw-kernel-nat---ng_nat---what-uses-less-computer-resources--tp28778099p28778099.html
Sent from the freebsd-performance mailing list archive at Nabble.com.
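To compare the five runs numerically instead of by eye, here is an added Python example (mine, not part of the message) that parses `netstat -w1d -I ifname` sample rows and the ping summary into per-second averages and a recomputed loss figure; the embedded samples are copied from the pf NAT run above, and rows a mail client has wrapped onto two lines are skipped rather than misread.

```python
import re
from statistics import mean

# Copied from the pf NAT test in the message above (internal interface age0).
PF_NAT_AGE0 = """\
            input      (age0)          output
 packets errs idrops    bytes  packets errs    bytes colls
    5247    0      0  7332276     1600    0    83700     0
    5286    0      0  7331330     1578    0    82296     0
    5278    0      0  7339278     1589    0    83754     0
    5312    0      0  7380344     1570    0    82728     0
    5328    0      0  7337764     1567    0    83160     0
"""
# Copied from the pf NAT ping run in the message above.
PF_NAT_PING = """\
500 packets transmitted, 398 received, 20% packet loss, time 1658ms
rtt min/avg/max/mdev = 0.239/0.339/5.425/0.262 ms, ipg/ewma 3.323/0.328 ms
"""

def parse_netstat_w(text):
    """One 8-tuple (in_pkts, in_errs, in_idrops, in_bytes, out_pkts, out_errs,
    out_bytes, colls) per sample row; header lines and rows wrapped by a mail
    client (wrong field count) are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 8 and all(f.isdigit() for f in fields):
            rows.append(tuple(int(f) for f in fields))
    return rows

def summarise_netstat(text):
    """Average the 1-second samples: packets/s and bits/s per direction, plus drops."""
    rows = parse_netstat_w(text)
    if not rows:
        raise ValueError("no netstat sample rows found")
    return {"samples": len(rows),
            "in_pps": mean([r[0] for r in rows]),
            "in_bps": mean([r[3] for r in rows]) * 8,  # netstat prints bytes/s
            "out_pps": mean([r[4] for r in rows]),
            "drops": sum(r[1] + r[2] + r[5] for r in rows)}  # in errs + idrops + out errs

PING_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")
RTT_RE = re.compile(r"rtt min/avg/max/mdev = [\d.]+/([\d.]+)/")
def summarise_ping(text):
    """Recompute loss from the raw counts (ping rounds it) and pull the average RTT."""
    m, r = PING_RE.search(text), RTT_RE.search(text)
    if not (m and r):
        raise ValueError("ping summary not found")
    sent, recv = int(m.group(1)), int(m.group(2))
    return {"sent": sent, "received": recv, "rtt_avg_ms": float(r.group(1)),
            "loss_pct": round(100 * (sent - recv) / sent, 1)}
```

Feed each run's age0 and rl0 blocks through `summarise_netstat` and its ping summary through `summarise_ping` to put the five configurations side by side.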