Poor throughput with natd

James Long list at museum.rain.com
Tue Nov 24 00:06:13 UTC 2009

Please copy me on replies.

I am testing ipfw and natd on a gateway machine running FreeBSD
7.2-STABLE #0: Tue Oct 27 00:12:39 PDT 2009  with the generic
kernel.  ipfw.ko and ipdivert.ko are loaded as modules, since
they're not part of the GENERIC kernel.

The symptom is that scp uploads from the gateway machine have
very poor throughput, often showing "stalled" status in the scp
progress output.

Machines on the LAN do not suffer this problem, and can upload
their traffic via NAT with no observed degradation in throughput.
That's why I haven't noticed this problem until recently, when I
tried rsync-ing some files outbound from the gateway to a remote

I can work around the problem, but this problem has never cropped
up in the past.  Is there a problem in my configuration, or in
recent natd?

Thanks for your time!


All commands below were executed on the gateway machine that is
running natd with very basic options:

15:07:37 /root# findps natd
root    480  0.0  0.1  3388  1252  ??  Ss   12Nov09   4:32.81 natd -n fxp1

Here are the ipfw rules:

14:55:41 /root# ipfw show
00100   949306    56746770 allow ip from any to any via lo0
00200        0           0 deny ip from any to
00300        0           0 deny ip from to any
00400    77293     8699526 divert 8668 ip from any to any via fxp1
00500 35245946 28535731864 allow ip from any to any
65535        0           0 deny ip from any to any

Downloading, scp has no trouble:

14:55:59 /root# scp -p remote:public_html/video/tatra1.mpg .
tatra1.mpg                                                                           100%   85MB 559.4KB/s   02:36

But uploads stall.  This scp process was killed after about 60 seconds:

14:58:40 /root# scp -p tatra1.mpg remote:/tmp/
tatra1.mpg                                                                             0%  320KB   1.8KB/s - stalled -^CKilled by signal 2.

Deleting the DIVERT rule eliminates the stalling:

14:59:54 /root# ipfw delete 400
15:00:04 /root# scp -p tatra1.mpg remote:/tmp/
tatra1.mpg                                                                            27%   23MB 248.2KB/s   04:14 ETA^CKilled by signal 2.

But of course, it also eliminates NAT.

15:01:14 /root# ipfw add 400 divert 8668 ip from any to any via fxp1
00400 divert 8668 ip from any to any via fxp1

Adding this rule works around the natd throughput problem:

15:01:29 /root# ipfw add 350 allow all from me to any via fxp1
00350 allow ip from me to any via fxp1

15:02:03 /root# scp -p tatra1.mpg remote:/tmp/
tatra1.mpg                                                                           100%   85MB 266.9KB/s   05:27
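
The rule-ordering check below is an added example; it is not part of James Long's post and not a FreeBSD tool. It parses `ipfw show` listings (the two constructed samples reproduce the post's rule set before and after rule 350 is added) and reports whether a rule allowing locally generated traffic (`from me`) on the NAT interface precedes the divert rule, which is the workaround the post arrives at. The interface name fxp1 and the helper names are assumptions; the suggested rule number (50 below the divert rule) mirrors the post and is otherwise arbitrary.

```shell
#!/bin/sh
# Added example (not from the original post): check the ordering of ipfw rules
# in `ipfw show` output. A rule allowing "from me" traffic on the NAT interface
# must come before the divert rule for locally generated packets to bypass natd.

# Constructed sample: the post's original rule set (divert, no "from me" bypass).
RULES_BEFORE='00100   949306    56746770 allow ip from any to any via lo0
00400    77293     8699526 divert 8668 ip from any to any via fxp1
00500 35245946 28535731864 allow ip from any to any
65535        0           0 deny ip from any to any'

# Constructed sample: the same rule set after rule 350 was added.
RULES_AFTER='00100   949306    56746770 allow ip from any to any via lo0
00350        0           0 allow ip from me to any via fxp1
00400    77293     8699526 divert 8668 ip from any to any via fxp1
00500 35245946 28535731864 allow ip from any to any
65535        0           0 deny ip from any to any'

# divert_rule_number RULES IFACE
# Prints the number of the first divert rule bound to IFACE (empty if none).
# Fields of an `ipfw show` line: number, packets, bytes, action, ...
divert_rule_number() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $4 == "divert" && $(NF-1) == "via" && $NF == ifc { print $1 + 0; exit }'
}

# local_bypass_rule_number RULES IFACE
# Prints the number of the first "allow ip from me to any via IFACE" rule.
local_bypass_rule_number() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $4 == "allow" && $6 == "from" && $7 == "me" && $(NF-1) == "via" && $NF == ifc {
            print $1 + 0; exit }'
}

# local_traffic_bypasses_nat RULES IFACE
# Prints "yes" when a "from me" allow rule is evaluated before the divert rule
# on IFACE (the post's workaround is in place), "no" otherwise.
local_traffic_bypasses_nat() {
    div=$(divert_rule_number "$1" "$2")
    byp=$(local_bypass_rule_number "$1" "$2")
    if [ -n "$div" ] && [ -n "$byp" ] && [ "$byp" -lt "$div" ]; then
        echo yes
    else
        echo no
    fi
}

# suggest_bypass_rule RULES IFACE
# Prints the ipfw command that would insert the bypass rule 50 numbers below
# the divert rule (the spacing the post used); prints nothing if there is no
# divert rule for IFACE.
suggest_bypass_rule() {
    div=$(divert_rule_number "$1" "$2")
    [ -n "$div" ] || return 0
    echo "ipfw add $((div - 50)) allow ip from me to any via $2"
}

# Stand-alone run over the two constructed samples.
echo "before: bypass=$(local_traffic_bypasses_nat "$RULES_BEFORE" fxp1)"
echo "fix:    $(suggest_bypass_rule "$RULES_BEFORE" fxp1)"
echo "after:  bypass=$(local_traffic_bypasses_nat "$RULES_AFTER" fxp1)"
```

To check a live box, replace the constructed samples with `ipfw show` output, e.g. `local_traffic_bypasses_nat "$(ipfw show)" fxp1`. Note that `via fxp1` matches packets both entering and leaving the interface; if the bypass rule should apply only to traffic the gateway sends, ipfw's direction keyword narrows it (`allow ip from me to any out via fxp1`), which the suggestion above, written to match the post, does not do.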
