natd + ipfw - very slow internet for LAN users

Kenneth Culver culverk at sweetdreamsracing.biz
Fri Mar 12 08:50:42 PST 2004


Quoting Prodigy <prodigy at punktas.lt>:

Not very helpful, but have you ever tried using ipfilter? I've found that
configuring it is much easier, and it is somewhat faster on slow machines
since it runs entirely in the kernel (avoids a lot of transferring data to
and from userland like ipfw + natd).

Ken

> Thanks for your sets, but anyway internet is very slow :(
>
> # ipfw show
> 00100  617  59829 divert 8668 ip from any to any via ed1
> 00200  617  59829 allow ip from 213.190.42.48 to any keep-state via ed1
> 00300 1213 101401 allow ip from 192.168.0.0/24 to any keep-state via ed0
> 65535  409  26377 allow ip from any to any
>
> # cat /usr/local/etc/ipfw.conf
> fw="/sbin/ipfw -q"
> oif="ed1"
> iif="ed0"
>
> ${fw} add divert natd all from any to any via ${oif}
> ${fw} add allow all from 213.190.42.48 to any keep-state via ${oif}
> ${fw} add allow all from 192.168.0.1/24 to any keep-state via ${iif}
>
> Btw, I have a static internet IP address, not a dynamic one. I have read
> the man ipfw BUGS section, but I still can't understand how I can solve my
> problem.
>
> ----- Original Message -----
> From: "jon" <jonathan88 at email.com>
> To: "Prodigy" <prodigy at punktas.lt>
> Sent: Thursday, March 11, 2004 2:43 PM
> Subject: Re: natd + ipfw - very slow internet for LAN users
>
>
>> my set looks like this
>>
>> fw="/sbin/ipfw -q"
>> oif="xl1"
>> iif="xl0"
>>
>> ${fw} add divert natd all from any to any via ${oif}
>> ${fw} add allow all from ${oip} to any keep-state via ${oif}
>> ${fw} add allow all from 192.168.1.1/24  to any keep-state via ${iif}
>>
>> good luck
>>
>> * Prodigy <prodigy at punktas.lt> [2004-03-10 17:17:52 +0200]:
>>
>> > Hi,
>> >
>> > I'm sharing internet to my local area network (LAN) users with my
>> > router.  Everything would be fine, but internet is very slow. I tried to
>> > ping my ISP. Ping reply is ~50ms. It means that internet for LAN users
>> > should be good enough, but it isn't. Ping reply in IRC is ~15 seconds. When
>> > I try to open some internet pages, there is a very big lag. Something is
>> > wrong with NATing I think, can you tell me what? FreeBSD 4.9-STABLE ipfw + natd
>> >
>> >
>> > Kernel configuration:
>> >
>> > # ... Some other stuff goes here
>> > options         IPFIREWALL
>> > options         IPFIREWALL_FORWARD
>> > options         IPFIREWALL_VERBOSE
>> > options         IPFIREWALL_VERBOSE_LIMIT=10
>> > options         IPFIREWALL_DEFAULT_TO_ACCEPT # Firewall is accepting all packets by default
>> > options         IPDIVERT
>> > # ... Some other stuff goes here
>> >
>> >
>> > rc.conf:
>> >
>> > defaultrouter="213.190.42.1" # ISP gateway
>> > hostname="panemune.net"
>> > ifconfig_ed0="inet 192.168.0.1 netmask 255.255.255.0" # Network (LAN) interface
>> > ifconfig_ed1="inet 213.190.42.48 netmask 255.255.255.0" # Internet (outside) interface
>> > # ... here goes some other stuff, like sshd_enable="YES", etc
>> > gateway_enable="YES"
>> > firewall_enable="YES"
>> > firewall_script="/usr/local/etc/rc.firewall"
>> > firewall_quiet="YES"
>> > firewall_logging="YES"
>> > natd_enable="YES"
>> > natd_interface="ed1"
>> > natd_flags="-f /usr/local/etc/natd.conf"
>> >
>> >
>> > # cat /usr/local/etc/natd.conf
>> > same_ports yes
>> > use_sockets yes
>> > unregistered_only yes
>> >
>> > # cat /usr/local/etc/rc.firewall
>> > ipfw add 100 divert natd all from any to any via ed1
>> >
>> > # ipfw show
>> > 00100  469 26801 divert 8668 ip from any to any via ed1
>> > 65535 1072 60182 allow ip from any to any
>> >
>> > # cat /etc/services | grep natd
>> > natd            8668/divert # Network Address Translation
>> >
>> >
>> >
>> > Btw, when I used ipf + ipnat, internet for LAN users was good enough,
>> > but now it's horrible with natd + ipfw.
>> > _______________________________________________
>> > freebsd-questions at freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>
>> -- Jon
>> This is BSD country. If you listen carefully, you can hear Windows reboot...
>>
>> For GnuPG/PGP key send message to jonathan88 at email.com with
>> subject "key request pgp" or "key request gnupg".



