Re: Large NAT: ipf/ipnat, pf - opinions?
From: Stephane Raimbault (segr_at_hotmail.com)
Date: 11/24/04
- Previous message: James: "Re: resolving routes externally"
- Maybe in reply to: Pawel Malachowski: "Large NAT: ipf/ipnat, pf - opinions?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: max@love2party.net Date: Tue, 23 Nov 2004 18:57:32 -0700
You mention diffrent ways to fine-tune pf. I'm particularly interested in
the number of states. I have a situation where I'm running pf around 8000
states and the box seems to perform quite beautifully, I have increased the
max states to 100K to cover large peaks which can occur, however I haven't
yet observed anything about 10K.
One problem I do find, is if one IP has 200 ~ 500 states, the user reports
timeouts thru the nat.
In my particular situation, I'm forwarding port 80 to a webserver in the nat
environment and the clients are internet users. I don't seem to have this
problem when running natd on FreeBSD 4.9, however the load of the nat box is
quite a bit higher (~ 10 times) then running pf on FreeBSD 5.3.
Any suggestions?
Here are my pf rules
# Set pf limits
set limit states 100000
# NAT the internal network
nat on $ext_vip from $web_servers port 80 to any -> ($ext_vip)
nat on $ext_vip from $ssl_servers port 443 to any -> ($ext_vip)
nat on $ext_if from $int_net to any -> ($ext_if)
# Forward ports from external to internal
rdr on $ext_if proto tcp from any to any port 80 -> $web_servers round-robin
rdr on $ext_if proto tcp from any to any port 443 -> $ssl_servers
round-robin
# forward ports from internal to internal
rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $web_servers
round-robin
rdr on $int_if proto tcp from $int_net to $ext_if port 443 -> $ssl_servers
round-robin
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $web_servers port 80 -> $int_if
nat on $int_if proto tcp from $int_net to $ssl_servers port 443 -> $int_if
Thanks,
Stephane.
--nextPart3120092.GfOCXkcoAV
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
On Monday 22 November 2004 19:29, Pawel Malachowski wrote:
>> I'm interested in opinions/comparisons how ipnat and pf perform
>>on FreeBSD 5.x in real working large NAT setups (about 50Mbit/s, few
>>thousands of workstations, 300k of mappings or more). Problems noticed,
>>memory and CPU consumption, mbufs utilization etc.
While the state information in pf is slightly larger than that of ipfilter=
=20
(and thus the memory consumption). pf offers many functionalities that make=
=20
it the "easier-to-manage" tool. There are also a couple of optimizations in=
=20
pf that should make it perform better, but only measuring your specific=20
application can tell you which is the better for you. I'd guess that pf can=
=20
lift the load described above with an average workstation (good NICs and=20
plenty of RAM provided). Note, however, that for CPU consumption packets pe=
r=20
second is the important factor. For pf - with it's stateful inspection -=20
connection initialization has some meaning as well (once established, passi=
ng=20
more traffic through a connection is cheap).
Depending on your application, you might find pf's TABLES which greatly=20
improve management of large IP-sets. There are also many options to fine-tu=
ne=20
the number of concurrent states that a (NAT)rule can create. This helps to=
=20
keep down memory consumption during DDoS-Attacks. The additional "adaptive=
=20
timeouts" can also help to manage load peaks.
That is comparing pf 3.5 (what is in RELENG_5) with ipfilter 3.x (also in=20
RELENG_5). ipfilter 4.x has gained some, but isn't included in FreeBSD.
=2D-=20
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
--nextPart3120092.GfOCXkcoAV
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)
iD8DBQBBoklfXyyEoT62BG0RAm44AJ97LltR9sDHGbE0MN8pkwMdt0722gCfbtiT
A+s77MpaW1zInUydcy5qTok=
=n0GP
-----END PGP SIGNATURE-----
--nextPart3120092.GfOCXkcoAV--
_________________________________________________________________
Designer Mail isn't just fun to send, it's fun to receive. Use special
stationery, fonts and colors.
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines
Start enjoying all the benefits of MSNŽ Premium right now and get the
first two months FREE*.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: James: "Re: resolving routes externally"
- Maybe in reply to: Pawel Malachowski: "Large NAT: ipf/ipnat, pf - opinions?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
