Best practice for virtualized pf based NAT router?

Kristof Provost kp at
Tue Oct 4 10:19:59 UTC 2016

On 4 Oct 2016, at 11:39, Trond Endrestøl wrote:
> I'm in the process of configuring a virtualized pf based NAT router.
> The NAT router is supposed be a supplement to our pool of public IPv4
> addresses.
> FreeBSD is stable/11, r306639. XenServer 7.0.0, with all known
> updates, is the virtualization environment.
> I'm using xn0 as the external interface, and xn1 as the internal
> interface.
> The xn0 interface has a /30 IPv4 address and a /64 IPv6 address.
> The xn1 interface has a /20 IPv4 address (and a /64 IPv6 address for 
> symmetry).
> I followed ch. of the Handbook.
> In theory all is well, but with iftop(8) (net-mgmt/iftop) I only see a
> throughput of merely 1 Mbit/s, yes, that's one megabit per second.
There have been issues with pf and checksums in Xen before. I believe 
that the
version you’re running has all of the relevant fixes, but it’s worth 
trying to
disable TSO and other features on the network interfaces anyway.

ifconfig xn0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso6 -tso4 -lro (and the 
same for xn1).

If that makes a difference I’d be very interested in both network 
captures and
further debugging.


More information about the freebsd-questions mailing list