Best practice for virtualized pf based NAT router?

Kristof Provost kp at FreeBSD.org
Tue Oct 4 10:19:59 UTC 2016


On 4 Oct 2016, at 11:39, Trond Endrestøl wrote:
> I'm in the process of configuring a virtualized pf based NAT router.
> The NAT router is supposed to be a supplement to our pool of public IPv4
> addresses.
>
> FreeBSD is stable/11, r306639. XenServer 7.0.0, with all known
> updates, is the virtualization environment.
>
> I'm using xn0 as the external interface, and xn1 as the internal
> interface.
>
> The xn0 interface has a /30 IPv4 address and a /64 IPv6 address.
> The xn1 interface has a /20 IPv4 address (and a /64 IPv6 address for 
> symmetry).
>
> I followed ch. 29.3.3.1 of the Handbook.
>
> In theory all is well, but with iftop(8) (net-mgmt/iftop) I only see a
> throughput of merely 1 Mbit/s, yes, that's one megabit per second.
>
There have been issues with pf and checksums in Xen before. I believe
that the version you’re running has all of the relevant fixes, but it’s
worth trying to disable TSO and other features on the network interfaces
anyway.

ifconfig xn0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso6 -tso4 -lro
(and the same for xn1).

If that makes a difference I’d be very interested in both network
captures and further debugging.

Regards,
Kristof
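
A check to run after the ifconfig command in the reply above, added here as an example and not part of the original message: it parses ifconfig output and lists the offload capabilities that are still enabled on the named interfaces. The function name and the sample ifconfig output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Reads FreeBSD `ifconfig` output on stdin and prints "ifname FLAG,FLAG"
# for every interface named in $1 (all interfaces if $1 is empty) that
# still has one of the offloads enabled.
remaining_offloads() {
    awk -v want="$1" '
    BEGIN {
        # Capability names ifconfig prints for the features disabled above.
        n = split("RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO", o, " ")
        for (i = 1; i <= n; i++) off[o[i]] = 1
    }
    # Interface header starts in column 0: "xn0: flags=8843<...>"
    /^[^ \t][^:]*: flags=/ { ifname = $1; sub(/:$/, "", ifname); next }
    # Capability line: "options=503<RXCSUM,TXCSUM,TSO4,LRO>". An interface
    # with no options line has nothing to report.
    /^[ \t]+options=/ {
        if (want != "" && index(" " want " ", " " ifname " ") == 0) next
        s = $0; sub(/^[^<]*</, "", s); sub(/>.*$/, "", s)
        m = split(s, caps, ","); left = ""
        for (i = 1; i <= m; i++)
            if (caps[i] in off) left = left (left == "" ? "" : ",") caps[i]
        if (left != "") print ifname, left
    }'
}

# Constructed sample: both xn interfaces before the change.
sample_before() { cat <<'EOF'
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=503<RXCSUM,TXCSUM,TSO4,LRO>
xn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=503<RXCSUM,TXCSUM,TSO4,LRO>
EOF
}

# Constructed sample: xn0 fully cleared, -lro forgotten on xn1, lo0 untouched.
sample_after() { cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:00:5e:00:53:01
xn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=400<LRO>
EOF
}

# Live use on the router: ifconfig | remaining_offloads "xn0 xn1"
```

Empty output for xn0 and xn1 means every offload named in the command is off on both interfaces, which is the state to be in before comparing throughput again.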
