high cpu usage on natd / dhcpd
Matthew Luckie
mjl at luckie.org.nz
Thu Jan 26 04:16:27 UTC 2012
Hi
I have a small system running FreeBSD 8.2 that does NAT using ipfw and
natd to systems attached to two interfaces: em0 and wlan0. I have a
dhcpd daemon issuing leases on those interfaces. The system has an em1
interface plugged into a cable modem where it obtains a DHCP lease from
an ISP.
For some reason, when traffic from the Internet terminates on the system
itself (I scp a file from the computer) the natd and dhcpd processes
consume significant CPU, and the throughput is less than I expect.
Traffic that passes through to a computer behind the NAT flows without
causing the natd or dhcpd processes to measurably consume CPU.
From top:
CPU: 10.9% user, 0.0% nice, 56.0% system, 21.1% interrupt, 12.0% idle
Mem: 225M Active, 92M Inact, 162M Wired, 556K Cache, 112M Buf, 1506M Free
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
1222 root 1 104 0 3572K 1448K RUN 1:29 39.36% natd
1676 root 1 62 0 5340K 3544K select 0:59 24.56% dhcpd
What is going on? My ipfw ruleset is below, and is based on the example
in the FreeBSD handbook.
00001 allow ip from any to any via lo0
00002 allow ip from any to any via em0
00003 allow ip from any to any via wlan0
00101 divert 8668 ip from any to any in via em1
00102 check-state
00110 skipto 500 tcp from any to any out via em1 setup keep-state
00111 skipto 500 udp from any to any out via em1 keep-state
00112 skipto 500 icmp from any to any out via em1 keep-state
00201 allow udp from any to any dst-port 68 in keep-state
00202 allow tcp from any to me dst-port 80 in via em1 setup keep-state
00210 allow tcp from 130.217.250.13 to me in via em1 setup keep-state
00211 allow tcp from 199.109.33.1 to me in via em1 setup keep-state
00212 allow tcp from 192.172.226.78 to me in via em1 setup keep-state
00213 allow tcp from 192.172.226.95 to me in via em1 setup keep-state
00230 allow tcp from any to me dst-port 6984 in via em1 setup keep-state
00231 allow udp from any to me dst-port 6984 in via em1
00240 allow icmp from any to me in via em1
00300 unreach filter-prohib log ip from any to any
00500 divert 8668 ip from any to any out via em1
00501 allow ip from any to any
65535 allow ip from any to any
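To see which rules each packet of a connection terminating on the host actually passes through, here is a small ipfw rule tracer, added as an example and not part of the post or of ipfw itself. It walks the poster's ruleset (trimmed to the rules this flow can hit) with a toy dynamic-rule table, handing a diverted packet to natd and resuming at the next rule as ipfw does; the host address 203.0.113.10 and the peer 198.51.100.7 are constructed, and rule 00230 stands in for whatever service the scp connection reached.

```python
import re
# Added example, not from the post: ruleset trimmed to the rules this flow can hit; addresses constructed.
RULESET = """\
00101 divert 8668 ip from any to any in via em1
00102 check-state
00110 skipto 500 tcp from any to any out via em1 setup keep-state
00230 allow tcp from any to me dst-port 6984 in via em1 setup keep-state
00300 unreach filter-prohib log ip from any to any
00500 divert 8668 ip from any to any out via em1
00501 allow ip from any to any"""
LOCAL = {"203.0.113.10"}  # constructed ISP-leased address on em1; what "me" matches
RULE_RE = re.compile(
    r"^(?P<num>\d+) (?P<action>allow|divert \d+|skipto \d+|check-state|unreach \S+)"
    r"(?: log)?(?: (?P<proto>\S+) from (?P<src>\S+) to (?P<dst>\S+))?"
    r"(?: dst-port (?P<dport>\d+))?(?: (?P<dir>in|out))?(?: via (?P<via>\S+))?"
    r"(?P<setup> setup)?(?P<keep> keep-state)?$")
RULES = [RULE_RE.match(line).groupdict() for line in RULESET.splitlines()]

def matches(r, p):
    """Static selector match (check-state has no selector; trace() handles it)."""
    ok = lambda pat, a: pat in ("any", a) or (pat == "me" and a in LOCAL)
    return (r["proto"] is not None and r["proto"] in ("ip", p["proto"])
            and ok(r["src"], p["src"]) and ok(r["dst"], p["dst"])
            and r["dport"] in (None, str(p["dport"])) and r["dir"] in (None, p["dir"])
            and r["via"] in (None, p["iface"]) and (not r["setup"] or p["syn"]))

def flow_key(p):  # direction-agnostic, so a reply finds the dynamic rule its request created
    return (p["proto"], frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])}))

def trace(p, state):
    """Return [(rule number, action)] packet p hits; state maps flow key -> parent action."""
    hits, i = [], 0
    while i < len(RULES):
        r, i = RULES[i], i + 1
        action = state.get(flow_key(p)) if r["action"] == "check-state" else (
            r["action"] if matches(r, p) else None)
        if action:
            if r["keep"]:
                state[flow_key(p)] = action        # dynamic rule inherits the parent action
            hits.append((int(r["num"]), action))
            if action.startswith("skipto"):        # resume at the first rule numbered >= target
                i = next(k for k, x in enumerate(RULES) if int(x["num"]) >= int(action[7:]))
            elif not action.startswith("divert"):  # allow/unreach end the search; after a
                return hits                        # divert, natd reinjects at the next rule
    return hits

def scp_to_host():  # constructed flow ending on the host: SYN in on em1 to port 6984, reply, ACK
    state, p = {}, dict(proto="tcp", src="198.51.100.7", sport=40000, dst="203.0.113.10",
                        dport=6984, dir="in", iface="em1", syn=True)
    reply = dict(p, src=p["dst"], sport=6984, dst=p["src"], dport=40000, dir="out", syn=False)
    return [trace(x, state) for x in (p, reply, dict(p, syn=False))]
```

The traces show that for a connection ending on the host every inbound packet is handed to natd by rule 00101 before 00102 check-state can accept it, whereas the host's own replies are accepted at 00102 and never reach the 00500 divert.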