 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Michael Sierchio <kudzu at tenebras dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] several PPTP client via NAT simultaneously
 Date:  Tue, 1 Jul 2003 22:58:07 +0200 (CEST)
On Tue, 1 Jul 2003, Michael Sierchio wrote:

> IMO your comments re: natd are out of line.  It isn't slow, there's
> no detectable lag for my net4501 firewall between the packets

Is that with ipfw2? I don't remember any specific figures anymore, but I
know I did some throughput comparisons, and while ipfw itself was indeed a
bit faster than ipf, there was a huge difference with natd vs. ipnat.

What's more, I also like the way ipnat is configured (dynamically
modifiable rules, no need to kill natd and lose all open connections,
etc.) much better than with natd. Seems much easier, especially with
multiple subnets and stuff. I never really liked -punch_fw, either. Matter
of taste, though.

> belongs after.  If you are using stateful rules + natd, you
> need to have a rule which permits all packets from the firewall
> external addresses outbound on the external if, immediately after
> the divert rule.

But then it's not pure stateful filtering anymore, right? I mean, outbound
packets don't get the stateful check then? OK, it's not as big a problem
with outbound packets (and you probably get to filter them when they come
in on the LAN/whatever interface) as it would be with inbound, but I
still don't like such patchy solutions. (While I have to admit that I had
to make the rule generator create some "patchy" rules in m0n0wall too
because ipfilter lacks ipfw's 'me' keyword. I'd prefer having NAT with
ipnat and filtering with ipfw, but these unfortunately don't work together
in a sensible way. ;)

> My measurements say it isn't "slow" -- that's a cognitive
> illusion because you know it's a userland process.

OK. Maybe I'd also seen too much with ppp vs. MPD - MPD performed at least
8 times faster than ppp, but of course that doesn't necessarily apply to
natd. I still don't like the idea of having a userland process do NAT.

No offense to all natd lovers, but I don't see it fitting in m0n0wall with
the rule generator, traffic shaper, 1:1 NAT, IPsec (incoming ESP packets
pass through the filter 4 times until they're out on LAN - makes things
really interesting), PPTP VPN, ...

- Manuel
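The rule ordering the two of them are arguing about, written out as an added example (this is not code from the thread, from m0n0wall, or from either author). It is a POSIX sh script that emits an ipfw + natd ruleset in the order Michael describes and then checks the one property the argument hinges on: the rule immediately after the outbound divert is a plain permit for the firewall's external address, which is exactly the non-stateful hole Manuel objects to. Interface names, addresses and the subnet are assumed placeholders; the natd port is the daemon's default.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw(8) + natd(8) ruleset laid out
# in the order the discussion describes.  Everything below the comment banner
# is an assumption or constructed value; adjust to the box.
EXT_IF="${EXT_IF:-sis0}"                 # assumed: external interface
LAN_IF="${LAN_IF:-sis1}"                 # assumed: LAN interface
EXT_ADDR="${EXT_ADDR:-203.0.113.2}"      # constructed: firewall's external address
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed: subnet behind the NAT
NATD_PORT="${NATD_PORT:-8668}"           # natd's default divert port

# Rule walk-through:
#  100  outbound packets on the external interface are diverted to natd first;
#       natd rewrites the source to EXT_ADDR and re-injects them at rule 101.
#  110  the re-injected packet now carries EXT_ADDR as source, which matches no
#       dynamic state (state was created with the LAN source at rule 300), so
#       it needs an explicit, stateless permit.  This is the "patchy" rule.
#  200  inbound replies are translated back to the LAN host before filtering...
#  210  ...so check-state can match them against the LAN-originated session.
#  300  LAN-originated sessions create the dynamic state on the LAN interface.
# Printed rather than loaded, so it can be reviewed or diffed against
# `ipfw list` before a live box is touched.
build_ruleset() {
    cat <<EOF
add 100 divert $NATD_PORT ip from any to any out via $EXT_IF
add 110 allow ip from $EXT_ADDR to any out via $EXT_IF
add 200 divert $NATD_PORT ip from any to any in via $EXT_IF
add 210 check-state
add 300 allow ip from $LAN_NET to any in via $LAN_IF keep-state
add 65000 deny log ip from any to any
EOF
}

# Reads a ruleset on stdin and prints the rule that follows the outbound divert.
rule_after_outbound_divert() {
    awk -v ifc="$EXT_IF" '
        found { print; exit }
        $3 == "divert" && $0 ~ ("out via " ifc) { found = 1 }'
}

# Reads a ruleset on stdin; succeeds only if the rule after the outbound divert
# is the permit for the firewall's own external address.  Without it, translated
# packets fall through to the final deny and nothing leaves the box; with it,
# outbound traffic from that address is passed without any stateful check.
check_ruleset() {
    case "$(rule_after_outbound_divert)" in
        "add "*" allow ip from $EXT_ADDR to any out via $EXT_IF") return 0 ;;
        *) return 1 ;;
    esac
}

# Loads the ruleset (root and the ipfw kernel support required).  The ruleset
# is buffered first because check_ruleset consumes its stdin.
apply_ruleset() {
    rules=$(build_ruleset)
    printf '%s\n' "$rules" | check_ruleset || {
        echo "ruleset check failed: no permit rule after the outbound divert" >&2
        return 1
    }
    ipfw -q -f flush || return 1
    printf '%s\n' "$rules" | while read -r line; do
        # shellcheck disable=SC2086  # word splitting is the point here
        ipfw -q $line || return 1
    done
}
```

Run `build_ruleset` to see the rules, `build_ruleset | check_ruleset` to verify the ordering, and `apply_ruleset` only on a box where you actually want natd in the path. Dropping rule 110 from the output (for instance with `grep -v '^add 110 '`) makes the check fail, which is the breakage Michael describes; keeping it is the stateless permit Manuel calls patchy.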