ipfw kernel NAT performance much worse in 11-Stable than 10-Stable

Graham Menhennitt graham at menhennitt.com.au
Tue Aug 29 09:33:31 UTC 2017


I have two machines of similar CPU power that I use as routers. One is 
running 11-Stable as of a week ago and the other is 10-Stable from 
around the same time. They both run roughly the same IPFW rules (the 
syntax has changed slightly to run on the newer version). I've been 
using the 10-Stable box for a number of years without problems.

However, the performance on the 11-Stable box is much worse. For file 
transfers I get about 1/10th the speed. Incoming TLS connections often 
fail to establish. Looking (from outside the box) at the interface in 
Wireshark shows lots of packets being retransmitted.

This appears to be due to the NAT rule. If I remove that, the 
performance jumps up to be approximately the same as the 10-Stable box. 
The rules are pretty simple:
   nat 1 config if igb1 deny_in same_ports redirect_port udp XXX.XXX.XXX.XXX:YYYY YYYY
   nat 1 ip4 from any to any via igb1

I can provide the full set of rules if needed, but I think only those 
two lines are relevant.

Does anybody have any ideas on this, please?

Thanks for any help,

     Graham
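The two rules above, written out as a small script so the configuration on both boxes can be generated and compared line for line, together with the diagnostics a practitioner would collect before blaming NAT itself. This is an added example, not the poster's script: the interface name igb1, the inside host 192.0.2.10, UDP port 5000 and rule number 1000 are placeholders standing in for the redacted values, and the offload check reflects a common first step when a forwarding box underperforms, not a diagnosis of this report.

```shell
#!/bin/sh
# Added example, not from the original post: the poster's two ipfw lines
# as a parameterised script, plus the diagnostics worth collecting when
# kernel NAT throughput drops. Interface "igb1", inside host 192.0.2.10,
# UDP port 5000 and rule number 1000 are placeholders chosen here.
set -eu

# Emit the ipfw(8) commands for in-kernel NAT on $1, forwarding UDP $3
# to $2:$3. The "nat 1 config" line creates the NAT instance; the
# "add ... nat 1" rule sends traffic through it. Rule number matters:
# the NAT rule has to sit before any allow/check-state rules that would
# otherwise accept the packet un-translated.
nat_rules() {
    ext_if=$1; inside_host=$2; udp_port=$3
    printf 'nat 1 config if %s deny_in same_ports redirect_port udp %s:%s %s\n' \
        "$ext_if" "$inside_host" "$udp_port" "$udp_port"
    printf 'add 1000 nat 1 ip4 from any to any via %s\n' "$ext_if"
}

# Commands to run on both boxes and diff. one_pass decides whether a
# packet re-enters the ruleset after NAT (0) or is accepted at the NAT
# rule (1), so differing values change both behaviour and cost.
diag_commands() {
    ext_if=$1
    cat <<EOF
ifconfig $ext_if | grep options
sysctl net.inet.ip.fw.one_pass
ipfw nat 1 show config
ipfw -a list
netstat -s -p tcp | grep -i retransmit
EOF
}

# Read an ifconfig(8) "options=..." line on stdin and print which of
# TSO4/TSO6/LRO are enabled (nothing if none). Hardware offload is the
# usual first thing to rule out on a box that forwards and rewrites
# packets; "ifconfig <if> -tso -lro" turns it off for a comparison run.
offload_caps() {
    sed -n 's/.*options=[0-9a-fA-F]*<\(.*\)>.*/\1/p' \
        | tr ',' '\n' | grep -E '^(TSO4|TSO6|LRO)$' || true
}

# Feed the generated rules to ipfw(8). Only done on explicit request;
# $line is left unquoted on purpose so it splits into arguments.
apply_rules() {
    nat_rules "$@" | while read -r line; do
        ipfw -q $line
    done
}

case "${1:-print}" in
    print) nat_rules "${2:-igb1}" "${3:-192.0.2.10}" "${4:-5000}" ;;
    diag)  diag_commands "${2:-igb1}" ;;
    caps)  offload_caps ;;
    apply) apply_rules "${2:-igb1}" "${3:-192.0.2.10}" "${4:-5000}" ;;
    *)     echo "usage: $0 print|diag|caps|apply [if] [host] [port]" >&2 ;;
esac
```

Run `sh nat.sh print` on each box and diff the output to confirm the rule sets really are equivalent, `sh nat.sh diag igb1` to get the list of commands to collect, and `ifconfig igb1 | sh nat.sh caps` to see which offload features are on. Only `apply` touches the running firewall.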



More information about the freebsd-ipfw mailing list