Large NAT: ipf/ipnat, pf - opinions?
Max Laier
max at love2party.net
Mon Nov 22 20:17:08 GMT 2004
On Monday 22 November 2004 19:29, Pawel Malachowski wrote:
> I'm interested in opinions/comparisons of how ipnat and pf perform
> on FreeBSD 5.x in real working large NAT setups (about 50Mbit/s, a few
> thousand workstations, 300k mappings or more). Problems noticed,
> memory and CPU consumption, mbuf utilization etc.
While the state information in pf is slightly larger than that of ipfilter
(and thus the memory consumption), pf offers many functionalities that make
it the "easier-to-manage" tool. There are also a couple of optimizations in
pf that should make it perform better, but only measuring your specific
application can tell you which is better for you. I'd guess that pf can
lift the load described above with an average workstation (good NICs and
plenty of RAM provided). Note, however, that for CPU consumption packets per
second is the important factor. For pf - with its stateful inspection -
connection initialization has some meaning as well (once established, passing
more traffic through a connection is cheap).
Depending on your application, you might find pf's TABLES, which greatly
improve management of large IP sets. There are also many options to fine-tune
the number of concurrent states that a (NAT) rule can create. This helps to
keep down memory consumption during DDoS attacks. The additional "adaptive
timeouts" can also help to manage load peaks.
That is comparing pf 3.5 (what is in RELENG_5) with ipfilter 3.x (also in
RELENG_5). ipfilter 4.x has gained some, but isn't included in FreeBSD.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
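The features named in the reply above (tables, per-rule state limits, adaptive timeouts) put together in one pf.conf, as an added example that is not part of the original post or of the pf project. Interface names (em0/em1), the address ranges in the table and the numeric limits are assumptions; the limits are sized for the ~300k mappings mentioned in the question and must be tuned to the box's real RAM. The syntax follows the pf 3.5 era discussed in the thread; check it with `pfctl -nf /etc/pf.conf` before loading.

```pf
# /etc/pf.conf -- constructed example, not from the mailing-list post.
# Assumed interfaces: em0 faces the Internet, em1 faces the workstations.
ext_if = "em0"
int_if = "em1"

# TABLE: the internal address space that may be translated. Membership can
# be changed at runtime with pfctl -t lan -T add/delete without reloading
# the ruleset, which is what makes large IP sets manageable.
table <lan> persist { 10.0.0.0/16, 172.16.0.0/12 }

# State-table ceiling. The default (10000) is far below 300k mappings;
# raise it, and size RAM accordingly (each state costs a few hundred bytes).
set limit states 600000
set limit src-nodes 20000

# ADAPTIVE TIMEOUTS: once more than adaptive.start states exist, idle-state
# timeouts are scaled down linearly, reaching zero at adaptive.end. This
# sheds idle states first when a load peak or a DDoS fills the table.
set timeout { adaptive.start 400000, adaptive.end 600000 }
# Shorter base timeouts for a NAT box: most mappings are short-lived.
set timeout { tcp.established 3600, udp.single 30, udp.multiple 60 }

# Translate everything from the table to the address currently on ext_if.
nat on $ext_if from <lan> to any -> ($ext_if)

block in all

# Per-rule state limits: "max" caps the states this rule may create,
# "source-track rule" + "max-src-states" caps what a single internal host
# may create, so one infected workstation cannot exhaust the whole table.
pass in on $int_if from <lan> to any keep state \
    (max 550000, source-track rule, max-src-states 2000)
pass out on $ext_if keep state
```

Useful checks once it is loaded: `pfctl -si` shows the current state count against the limit, `pfctl -s memory` the configured limits, and `pfctl -s info` (or `pfctl -vsr`) the per-rule state counters, which tell you whether the `max` on the pass rule is being hit.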