Avoiding natd overhead

Julian Elischer julian at elischer.org
Sun Oct 22 03:50:31 UTC 2006


Brett Glass wrote:
> I'm working with a FreeBSD-based router that's using IPFW for policy 
> routing, traffic shaping, and transparent proxying and natd for network 
> address translation. IPFW does these things pretty well (in fact, I 
> don't know if another firewall, like pf, could even do some of these 
> things I'm doing with IPFW), but natd is by far the most CPU-intensive 
> process on the system and is causing it to crumple like a wet towel 
> under heavy loads. How can I replace just the functionality of natd 
> without moving to an entirely new firewall? Can I still select which 
> packets are routed to the NAT engine, and when this occurs during the 
> processing of the packet?
> 
> --Brett Glass

One thing that you need to make sure of is that only the packets that 
have the potential of being of interest to natd are passed to natd.

i.e. be VERY specific in your natd rules:

ipfw add 1000 divert natd ip from any to any out recv {inner-interface} xmit {outer-interface}
ipfw add 1001 divert natd ip from any to {outer-interface-address} in recv {outer-interface}


don't waste natd's time with packets it doesn't care about.




> 
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
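The following is an added example, not code from Julian's reply or from FreeBSD itself. It builds the narrow divert rules above into a small ruleset and adds a counter check so you can see how many packets arriving on or leaving the outer interface actually reach natd. Interface names (em0, em1), the public address 203.0.113.10 and the LAN prefix 192.168.1.0/24 are placeholders assumed for the example; the outbound rule is also tightened to the LAN source prefix, which is stricter than the post's "from any".

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal ipfw ruleset in
# which only NAT candidates are diverted to natd, plus a counter check.
# Interface names, the public address (RFC 5737 documentation range) and the
# LAN prefix are placeholders chosen for this example.

INNER_IF="${INNER_IF:-em1}"               # LAN-facing interface (assumed)
OUTER_IF="${OUTER_IF:-em0}"               # Internet-facing interface (assumed)
OUTER_ADDR="${OUTER_ADDR:-203.0.113.10}"  # public address natd rewrites to (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # private prefix behind the router (assumed)

# Print the ruleset on stdout, one "add ..." line per rule.
#   100      loopback traffic never needs translation
#   900/901  count everything in on / out of the outer interface; this is what a
#            loose "divert natd ip from any to any via em0" would hand to natd
#   1000     divert only LAN-sourced packets that came in on the LAN side and
#            leave on the outer side (router-originated traffic has no recv
#            interface and is skipped; packets already translated on the way in
#            leave via the inner interface and do not match)
#   1001     divert only inbound packets addressed to the public address
#   65000    placeholder for the site's own policy rules
natd_divert_rules() {
    inner=$1 outer=$2 outer_addr=$3 lan=$4
    cat <<EOF
add 100 allow ip from any to any via lo0
add 900 count ip from any to any in recv $outer
add 901 count ip from any to any out xmit $outer
add 1000 divert natd ip from $lan to any out recv $inner xmit $outer
add 1001 divert natd ip from any to $outer_addr in recv $outer
add 65000 allow ip from any to any
EOF
}

# Read "ipfw -a list" output on stdin and print "<diverted> <seen on outer>".
# The difference is the number of packets natd was spared.
natd_divert_share() {
    awk '$4 == "count"  { seen += $2 }
         $4 == "divert" { diverted += $2 }
         END { printf "%d %d\n", diverted, seen }'
}

# Constructed sample of "ipfw -a list" output (not captured from a real box):
# columns are rule number, packets, bytes, then the rule body.
SAMPLE_COUNTERS='00100 120 9600 allow ip from any to any via lo0
00900 2000 1600000 count ip from any to any in recv em0
00901 1900 1500000 count ip from any to any out xmit em0
01000 1800 1500000 divert 8668 ip from 192.168.1.0/24 to any out recv em1 xmit em0
01001 1700 1400000 divert 8668 ip from any to 203.0.113.10 in recv em0
65000 3400 2800000 allow ip from any to any'

# Load the rules only when explicitly asked; otherwise just show them and
# run the counter check over the constructed sample.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    natd_divert_rules "$INNER_IF" "$OUTER_IF" "$OUTER_ADDR" "$LAN_NET" |
    while read -r rule; do
        # word splitting of $rule into ipfw arguments is intended
        ipfw -q $rule
    done
else
    natd_divert_rules "$INNER_IF" "$OUTER_IF" "$OUTER_ADDR" "$LAN_NET"
    printf '%s\n' "$SAMPLE_COUNTERS" | natd_divert_share
fi
```

On a live router, run `ipfw zero`, let traffic flow for a while, then pipe `ipfw -a list` into `natd_divert_share`: the gap between the two numbers is traffic that a rule like "divert natd ip from any to any via em0" would have pushed through natd for nothing. Note that divert rules are listed with the port number (8668) rather than the name natd.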
