Re: using natd to load balance port 80 to multiple servers
From: Chuck Swiger (cswiger_at_mac.com)
Date: 11/19/04
- Previous message: Stephane Raimbault: "Re: using natd to load balance port 80 to multiple servers"
- In reply to: Stephane Raimbault: "Re: using natd to load balance port 80 to multiple servers"
- Next in thread: Sangwoo Shim: "Re: using natd to load balance port 80 to multiple servers"
- Reply: Sangwoo Shim: "Re: using natd to load balance port 80 to multiple servers"
Date: Fri, 19 Nov 2004 13:18:47 -0500
To: Stephane Raimbault <segr@hotmail.com>
Stephane Raimbault wrote:
> I finally got around to testing out FreeBSD 5.3 + pf to replace my
> FreeBSD 4.9 + natd to forward port 80 to multiple backend servers. I
> see a huge performance difference. FreeBSD 5.3 + pf runs about < 5%
> where FreeBSD 4.9 + natd was doing the same thing for around 20% cpu.
> I'm very happy with the performance difference.
OK, that's good.
> During my testing, I noticed that sometimes traffic going thru pf was
> locking up if I was doing too many requests from the same IP concurrently.
[ ... ]
> when I look at the pfctl -s state and grep for the IP address of one of
> these offices or firewall, I never see it go above 250 entries. Is
> there some sort of limitation or limit I'm reaching that I'm not aware
> of? Is this an anomaly or a bug?
I don't know enough about PF to give you advice on tuning it, but no, it is
not surprising that you run into anomalies when you put a sufficiently large #
of connections through NAT. Re-writing every packet and keeping all of that
dynamic state is somewhat expensive in terms of latency and resources, and
these expenses grow in proportion to the amount of traffic present.
I will repeat my suggestion that you use a real IP on your webserver and
switch from doing PF + NAT to doing PF or IPFW + bridging instead.
--
-Chuck
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"