Significant network latency when using ipfw and in-kernel NAT
Ian Smith
smithi at nimnet.asn.au
Thu Sep 13 12:42:05 UTC 2012
On Wed, 12 Sep 2012 23:09:27 -0500, Soren Dreijer wrote:
> Hi there,
>
> We're running freebsd 9.0-RELEASE on a box whose primary purpose is to
> act as a firewall and a gateway. Up until today, we've been using ipfw
> in conjunction with natd and the divert action in ipfw to forward
> packets between the freebsd box (i.e. the public Internet) and our
> private servers.
>
> Unfortunately, natd appears to be quite the CPU hog and we therefore
> decided to switch to the in-kernel NAT support in ipfw. The issue
> we're running into is that the network latency appears to be
> skyrocketing when ipfw contains nat rules. Basically all TCP traffic
> originating from the box times out and pinging google.com on the box
> gives an average of ~10 SECONDS -- and that's even if I explicitly
> allow all ICMP traffic before the packets even get to the nat rules in
> ipfw.
>
> The really odd part, however, is that I can ping the freebsd box just
> fine externally. For instance, pinging the server from my home
> connection gives an average of 45 ms. I'm also able to communicate
> just fine with the internal servers through the freebsd box.
>
> Does anybody have any idea what's going on? I assume I must've
> misconfigured something big here...
Or maybe only something small .. but without seeing your basic ruleset
and network config - obscured as need be - we can only guess. Maybe an
'ifconfig', 'ipfw show' and 'ipfw nat show config' would illustrate?
cheers, Ian
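As an added example that is not part of this thread, a small sh script that gathers the three outputs Ian asked for and masks public IPv4 addresses with stable placeholders before the result is pasted into a list post; the FreeBSD commands are real, the `PUBn` placeholder scheme and the sample lines are my own construction.

```shell
# Gather the diagnostics requested in the reply and mask public IPv4
# addresses before the output is pasted into a mailing-list post.
# redact_ips: read text on stdin; every non-private IPv4 address is
# replaced with a stable placeholder (PUB1, PUB2, ...) so the same
# address maps to the same token across ifconfig, rules and nat config.
# RFC 1918 and loopback addresses are left as they are.
redact_ips() {
    awk '
    function is_private(ip,   o) {
        split(ip, o, ".")
        if (o[1] == 10 || o[1] == 127) return 1
        if (o[1] == 192 && o[2] == 168) return 1
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
        return 0
    }
    {
        line = $0; out = ""
        while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(line, RSTART, RLENGTH)
            if (is_private(ip)) repl = ip
            else {
                if (!(ip in map)) { n++; map[ip] = "PUB" n }
                repl = map[ip]
            }
            out = out substr(line, 1, RSTART - 1) repl
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}
# collect_diag: the three commands from the reply (needs root on FreeBSD).
collect_diag() {
    {
        echo "## ifconfig"; ifconfig
        echo "## ipfw show"; ipfw show
        echo "## ipfw nat show config"; ipfw nat show config
    } 2>&1 | redact_ips
}
# Constructed sample lines (not real output) for trying the redaction offline.
sample_lines() {
    cat <<'EOF'
00300 nat 1 ip from any to 203.0.113.10 in via em0
ipfw nat 1 config ip 203.0.113.10 same_ports redirect_port tcp 10.0.0.5:80 80
EOF
}
# "sh script.sh collect" runs the real commands; no argument shows the sample.
if [ "${1:-}" = collect ]; then collect_diag; else sample_lines | redact_ips; fi
```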