Large scale NAT
Todor Dragnev
todor.dragnev at gmail.com
Fri May 11 12:11:24 UTC 2007
Hello list,
I have about 4000 users behind NAT. I use ipnat (ipf) on a single FreeBSD box (v6.2) to translate RFC1918 IP addresses to real ones.
In ipnat.conf I have:
---
map vlan0 10.X.0.0/16 -> a.b.c.X/32 proxy port ftp ftp/tcp
map vlan0 10.X.0.0/16 -> a.b.c.X/32 portmap tcp/udp auto
map vlan0 10.X.0.0/16 -> a.b.c.X/32
---
Where X is in range from 0 to 40.
$ ipnat -s
mapped in 1192241264 out 1082773308
added 58509192 expired 0
no memory 65394 bad nat 9642
inuse 212292
rules 1160
wilds 2
$ netstat -w 1
            input        (Total)           output
   packets  errs      bytes    packets  errs      bytes colls
     75681     0   47043801      73193     0   38853537     0
     74908     0   46345012      72391     0   37946719     0
CPU: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz (1864.81-MHz 686-class CPU)
Network cards:
em0: <Intel(R) PRO/1000 Network Connection Version - 6.2.9>
sk0: <3Com Gigabit NIC (3C2000) rev. (0x1) - Marvell Semiconductor, Inc. Yukon>
All works fine, but my CPU usage is very high, and the router starts to drop packets and sometimes freezes.
I fixed the freezes with POLLING, but CPU usage is still very high.
Throughput on one interface is about 200Mbit/s, but next month I will need more speed to pass through this box, and I am looking for a better solution.
What throughput limit can I expect from FreeBSD in this situation?
Does anyone on the list have experience with large NAT tables?
Is it time to switch to Cisco or something similar? Any suggestions?
Thanks,
Todor Dragnev
--
There are no answers, only cross references
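Added example, not part of the original post and not ipfilter's own tooling: a small Python script that parses the ipnat -s and netstat -w 1 output quoted above and relates the counters to the size of the external address pool. The sample data is the post's own numbers; PORTS_PER_ADDRESS, the 41-address pool size (X in 0..40) and the thresholds in findings() are assumptions made for illustration. The point it makes is that the "no memory" counter, not CPU, is the first thing to check: every count is a NAT entry that could not be allocated, so a new flow was dropped, and that per-packet cost (pps and mean packet size) is what the box has to be sized for.

```python
import re
from typing import Dict, List

# Counters and interface rates as quoted in the post above (constructed
# from the page, not captured by me).
IPNAT_STATS = """\
mapped in 1192241264 out 1082773308
added 58509192 expired 0
no memory 65394 bad nat 9642
inuse 212292
rules 1160
wilds 2
"""

NETSTAT_W = """\
            input        (Total)           output
   packets  errs      bytes    packets  errs      bytes colls
     75681     0   47043801      73193     0   38853537     0
     74908     0   46345012      72391     0   37946719     0
"""

# Assumption: with "portmap tcp/udp auto" each external /32 offers at most
# this many source ports per protocol, which bounds sessions per address.
PORTS_PER_ADDRESS = 65535

# ipnat -s prints "key value key value"; some keys contain a space.
_PAIR = re.compile(r"([a-z][a-z ]*?)\s+(\d+)")


def parse_ipnat_stats(text: str) -> Dict[str, int]:
    """Turn ipnat -s output into a dict; 'no memory' -> 'no_memory' etc."""
    return {k.strip().replace(" ", "_"): int(v) for k, v in _PAIR.findall(text)}


def parse_netstat_w(text: str) -> Dict[str, float]:
    """Average the numeric rows of netstat -w 1 and derive pps, Mbit/s and
    mean packet size per direction (rows are packets errs bytes, in then out)."""
    rows = [list(map(int, ln.split())) for ln in text.splitlines()
            if ln.split() and all(t.isdigit() for t in ln.split())]
    n = len(rows)
    in_pkts = sum(r[0] for r in rows) / n
    in_bytes = sum(r[2] for r in rows) / n
    out_pkts = sum(r[3] for r in rows) / n
    out_bytes = sum(r[5] for r in rows) / n
    return {
        "in_pps": in_pkts,
        "in_errs": sum(r[1] for r in rows) / n,
        "in_mbit_s": in_bytes * 8 / 1e6,
        "in_avg_packet_bytes": in_bytes / in_pkts,
        "out_pps": out_pkts,
        "out_mbit_s": out_bytes * 8 / 1e6,
        "out_avg_packet_bytes": out_bytes / out_pkts,
    }


def nat_health(stats_text: str, external_addresses: int) -> Dict[str, float]:
    """Relate the ipnat counters to the external address pool size."""
    c = parse_ipnat_stats(stats_text)
    per_ip = c["inuse"] / external_addresses
    return {
        "inuse": c["inuse"],
        "rules": c["rules"],
        "entries_per_external_ip": per_ip,
        "port_space_used": per_ip / PORTS_PER_ADDRESS,
        # 'no memory' counts NAT entries that could not be allocated: each one
        # is a new flow that received no translation, i.e. a dropped session.
        "alloc_failure_rate": c["no_memory"] / c["added"],
        "bad_nat_rate": c["bad_nat"] / (c["mapped_in"] + c["out"]),
    }


def findings(health: Dict[str, float], traffic: Dict[str, float]) -> List[str]:
    """Thresholds are assumptions chosen for illustration, not ipf defaults."""
    out = []
    if health["alloc_failure_rate"] > 0:
        out.append("NAT entry allocations are failing ('no memory' > 0): the "
                   "translation table or kernel memory limit is being hit, so "
                   "new flows are dropped regardless of CPU headroom")
    if health["port_space_used"] > 0.8:
        out.append("external port space nearly exhausted; add addresses")
    if traffic["in_errs"] > 0:
        out.append("interface input errors: the NIC/driver is already dropping")
    if traffic["in_avg_packet_bytes"] < 700:
        out.append(f"mean packet is {traffic['in_avg_packet_bytes']:.0f} B: NAT "
                   f"cost is per packet, so size for {traffic['in_pps']:.0f} pps, "
                   "not for Mbit/s")
    return out


if __name__ == "__main__":
    h = nat_health(IPNAT_STATS, 41)   # X in 0..40 -> 41 external /32s (assumed)
    t = parse_netstat_w(NETSTAT_W)
    for k, v in {**h, **t}.items():
        print(f"{k:>22}: {v:,.4f}" if isinstance(v, float) else f"{k:>22}: {v}")
    for line in findings(h, t):
        print("-", line)
```

Run it against fresh ipnat -s / netstat -w 1 output taken a few seconds apart to see whether "no memory" is still climbing; a rising counter means the table limit is the bottleneck and no amount of CPU or a faster NIC will stop the drops.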