Avoiding natd overhead
Chris Bowman
chrishome at austin.rr.com
Sat Oct 21 13:29:32 UTC 2006
I see this question come up now and then on the lists, so I'll share
what I've learned about natd and performance! First, if you're running
natd on a processor which supports more functions than just a standard
386, i.e. a Pentium, Athlon, etc., then I've found that compiling natd with
make flags for that processor, and with O3 optimizations, will make your
jaw drop in comparison to the default installed version of natd. If you
have the sources downloaded for FreeBSD, you can find the natd source
in /usr/src/sbin/natd; just recompile natd itself, or when you rebuild
world for your system, make sure you have make flags set in make.conf so
everything will rebuild with optimized flags. However, I don't recommend
O3 at all for a buildworld; it will almost definitely break something. For
natd itself, it works fine.
That's about it! Very simple, but I think it's often overlooked, and
of course there are a few variables with NAT and performance: number of
hosts, number of connections each host is using simultaneously
(Torrents *cough*). You don't want to overload natd itself; 65535 TCP and
UDP ports, keep that in mind. If you're doing NAT for a large number of
hosts, break down your IP range into sections and run natd multiple
times to help balance the load.
Thanks!
Chris Bowman
Brett Glass wrote:
> I'm working with a FreeBSD-based router that's using IPFW for policy
> routing, traffic shaping, and transparent proxying and natd for
> network address translation. IPFW does these things pretty well (in
> fact, I don't know if another firewall, like pf, could even do some of
> these things I'm doing with IPFW), but natd is by far the most
> CPU-intensive process on the system and is causing it to crumple like
> a wet towel under heavy loads. How can I replace just the
> functionality of natd without moving to an entirely new firewall? Can
> I still select which packets are routed to the NAT engine, and when
> this occurs during the processing of the packet?
>
> --Brett Glass
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
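The "run natd multiple times" suggestion above leaves the plumbing to the reader. As an added example (not part of the original post or of FreeBSD's own tooling), the POSIX shell script below emits the ipfw divert rules and natd command lines needed to split NAT across several natd instances, one per section of the internal range. Each section gets its own divert port and its own external alias address, so the instances never compete for the same 65535 source ports on one address and inbound replies for a given alias are always diverted to the instance that owns the mapping. The interface name, subnets and alias addresses are constructed values; the script only prints the commands, it does not run them.

```shell
#!/bin/sh
# Added example: generate ipfw divert rules and natd invocations that spread
# NAT load over several natd(8) instances, one per internal subnet section.
# Nothing is executed; review the output, then place it in your rc script.
# Interface, subnet and alias-address values are constructed examples.

set -eu

BASE_PORT=8668   # natd's default divert port ("natd" in /etc/services)

# natd_divert_port N -> divert port used by the N-th natd instance (0-based)
natd_divert_port() {
    echo $((BASE_PORT + $1))
}

# gen_natd_rules IFACE "INTERNAL_SUBNET PUBLIC_ALIAS" ...
# Every "subnet alias" pair becomes one natd instance with its own divert
# port and its own external address (-a), plus an outbound divert rule for
# that subnet and an inbound divert rule for that alias. The alias address
# is assumed to be configured on IFACE already.
gen_natd_rules() {
    iface=$1; shift
    i=0
    rule=1000
    for pair in "$@"; do
        subnet=${pair% *}
        alias=${pair#* }
        port=$(natd_divert_port "$i")
        echo "# section $i: $subnet translated to $alias by natd on divert port $port"
        echo "natd -a $alias -p $port"
        echo "ipfw add $rule divert $port ip from $subnet to any out via $iface"
        rule=$((rule + 1))
        echo "ipfw add $rule divert $port ip from any to $alias in via $iface"
        rule=$((rule + 1))
        i=$((i + 1))
    done
}

# Stand-alone demonstration: em0, two /25 sections of 192.168.1.0/24, and two
# public alias addresses from the documentation range 203.0.113.0/24.
gen_natd_rules em0 "192.168.1.0/25 203.0.113.10" "192.168.1.128/25 203.0.113.11"
```

The rule numbers start at 1000 and count upward so the generated block can sit between whatever policy-routing and shaping rules already exist; adjust the base to fit your ruleset ordering, since the divert rules must be reached before any rule that would otherwise accept or drop the traffic.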