Avoiding natd overhead

I'm working with a FreeBSD-based router that's using IPFW for policy routing, traffic shaping, and transparent proxying, and natd for network address translation. IPFW does these things pretty well (in fact, I don't know if another firewall, like pf, could even do some of these things I'm doing with IPFW), but natd is by far the most CPU-intensive process on the system and is causing it to crumple like a wet towel under heavy loads. How can I replace just the functionality of natd without moving to an entirely new firewall? Can I still select which packets are routed to the NAT engine, and when this occurs during the processing of the packet?

--Brett Glass

freebsd-net@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
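The following is an added example, not part of the original post and not code from FreeBSD itself. It shows the in-kernel replacement for a natd/divert setup: ipfw's own "nat" rule action, backed by the kernel copy of libalias, which FreeBSD ships from 7.0 onward. Because "nat" is a rule action like "divert", the match clause and rule number still decide which packets are translated and at what point of the ruleset. The interface name (em0), the inside network, the rule numbers and the use of natd's default divert port 8668 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD itself:
# moving translation from the natd process (divert socket) to ipfw's in-kernel
# NAT ("nat" rule action, FreeBSD 7.0 and later).  The interface name, the
# inside network and the rule numbers are assumptions for illustration.
set -eu

EXT_IF="${EXT_IF:-em0}"                 # assumed outside interface
INT_NET="${INT_NET:-192.168.1.0/24}"    # assumed inside network
NATD_PORT=8668                          # natd's default divert port

# What is being replaced: one rule hands every packet crossing $EXT_IF out of
# the kernel to natd over divert socket $NATD_PORT and back in again, so each
# translated packet costs two kernel/userland crossings.
natd_ruleset() {
    cat <<EOF
add 100 divert $NATD_PORT ip from any to any via $EXT_IF
EOF
}

# The replacement.  "nat 1 config" creates translation instance 1 inside the
# kernel (kernel libalias).  "nat 1" is then an ordinary ipfw action, so the
# match clause and the rule number still choose which packets are translated
# and at what point of the ruleset, exactly as with divert.  Here inbound
# packets are de-aliased at rule 100, before anything else looks at them,
# while outbound translation waits until rule 1000, so that shaping,
# policy-routing and proxy rules in between still see inside addresses.
inkernel_nat_ruleset() {
    cat <<EOF
nat 1 config if $EXT_IF same_ports unreg_only reset
add 100 nat 1 ip from any to any in recv $EXT_IF
add 1000 nat 1 ip from $INT_NET to any out xmit $EXT_IF
EOF
}

# After a nat action the packet is accepted outright unless one_pass is 0, in
# which case it re-enters the ruleset at the next rule, like a divert return.
# Without this the rules after 100 would never see inbound traffic.
nat_sysctls() {
    echo "net.inet.ip.fw.one_pass=0"
}

# Load the rules on a live box.  ipfw_nat.ko pulls in libalias.ko.
apply_inkernel_nat() {
    kldstat -q -m ipfw_nat || kldload ipfw_nat
    nat_sysctls | xargs -n1 sysctl
    inkernel_nat_ruleset | while read -r line; do
        # shellcheck disable=SC2086
        ipfw -q $line
    done
}

case "${1:-show}" in
    apply) apply_inkernel_nat ;;
    show)  echo "# natd:"; natd_ruleset
           echo "# in-kernel NAT:"; inkernel_nat_ruleset
           echo "# sysctl:"; nat_sysctls ;;
esac
```

Run it without arguments to print the old and new rule sets side by side; run it with "apply" on the router to load ipfw_nat, set one_pass and install the rules. Afterwards "ipfw nat show config" and "ipfw -a list" confirm the instance exists and that the two nat rules are counting packets. The one check worth doing first is the one_pass sysctl: with it left at 1, the packet is accepted as soon as the nat action fires and the shaping and proxy rules placed after rule 100 are silently skipped.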
