ipfw kernel NAT performance much worse in 11-Stable than 10-Stable
Andrey V. Elsukov
bu7cher at yandex.ru
Thu Aug 31 10:06:06 UTC 2017
On 29.08.2017 12:33, Graham Menhennitt wrote:
> However, the performance on the 11-Stable box is much worse. For file
> transfers I get about 1/10th the speed. Incoming TLS connections often
> fail to establish. Looking (from outside the box) at the interface in
> Wireshark shows lots of packets being retransmitted.
>
> This appears to be due to the NAT rule. If I remove that, the
> performance jumps up to be approximately the same as the 10-Stable box.
> The rules are pretty simple:
> nat 1 config if igb1 deny_in same_ports redirect_port udp XXX.XXX.XXX.XXX:YYYY YYYY
> nat 1 ip4 from any to any via igb1
>
> I can provide the full set of rules if needed, but I think only those
> two lines are relevant.
>
> Does anybody please have any ideas on this, please?
Can you show the output of `ifconfig igb1 | grep flags` on stable/10 and
stable/11?
--
WBR, Andrey V. Elsukov