Re: throughput and interrupts

From: Peter Jeremy <peterjeremy_at_optushome.com.au>
Date: Wed, 16 Aug 2006 19:49:44 +1000

On Wed, 2006-Aug-16 09:59:22 +0700, Bachilo Dmitry wrote:
>Oh, it's natd. Now I see, but I just don't get it. I know that natd is not 
>efficient but, as I've said, at home I have 9 or almost 10 MB/sec through the 
>natd, while at this particular server I see only 3,7 MB maximum. I've tried 
>now to turn all the natting off and tried to download a file and got like 9 
>MB/sec, so it is natd who loads the system up.

natd runs in userland so every packet has to be pushed out to userland,
processed and pushed back into the kernel.  The vast majority of the
overhead is the userland/kernel transition so natd gives you a basically
fixed pps rate.  Your throughput will vary depending on the packet size.

>Someone advised me to use pf or ipnat, but I never did that before and heard 
>that these NATs have some limitations (like ipnat can't translate ICMP packets 
>or something).

Some time ago, I switched from natd to ipnat at work because the
overhead was getting too much.  (I've also switched hardware so I
can't give you direct performance comparisons).  I have found some
problems with IPfilter in -stable when combining ipfilter/ipnat,
stateful filtering and conditional NATing (i.e. a packet to B gets NAT'd
to C only if it came from A).  (The same combination works in IPfilter
3.x on Solaris.)  Normal filtering and NATing works OK.

-- 
Peter Jeremy

Received on Wed Aug 16 2006 - 07:49:58 UTC
