 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Michael Sierchio <kudzu at tenebras dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] several PPTP client via NAT simultaneously
 Date:  Wed, 2 Jul 2003 00:11:24 +0200 (CEST)
On Tue, 1 Jul 2003, Michael Sierchio wrote:

> $fw add 02030 set 0 allow ip from $prv_net to $prv_net
>
> $fw add 02100 set 0 divert natd ip from any to any via $oif
> $fw add 02200 set 0 check-state
>
> $fw add 02400 set 0 allow ip from $pub_hosts to any out xmit $oif

OK, but I meant to say that you now always have to pass all outgoing
packets because the check-state fails on them since it doesn't see the
same local<->remote IP combination as with the incoming packet that
created the state table entry. Kinda one-way stateful filtering. ;) OK,
granted, you still have it when the packets come in on the inside
interface.

On a side note - I couldn't resist re-benchmarking natd and ipnat; I was
starting to worry about my memory (lame excuse, I know). Here goes, all on
a Soekris net4501, FreeBSD 4.8 (actually m0n0BSD), nothing else running
except for the minimum (syslogd, cron, sshd); FAST_IPSEC compiled into the
kernel (empty SAD/SPD, but still eats a megabit or two - doesn't matter
here, though), both filters compiled with default to accept, only one
loaded at a time of course, no rules installed except for the divert rule
in ipfw, only 1 redirection (to test the other direction - turned out the
same, though), absolutely nothing in the environment changing except for
which filter/NAT was loaded, all measurements made with iperf:

throughput without any filters/NAT loaded (routing only): 39.4 Mbps
ipf + ipnat: 23.3 Mbps
ipfw + natd: 10.1 Mbps

Things may look different with lots of NAT table entries (I made sure to
flush the table/restart natd before testing). So... I think more than
factor 2 is still an awful lot slower, but then again, speed is not the
only thing that matters (but I think we can use all we can get on net45xxs
;)

> (I still think your XML configuration stuff has very wide
> applications outside this little space!)

Right - if only somebody else would take it and use it! ;) I can't start
1000 projects at a time, even if I wanted to - look at m0n0BSD; it can be
declared a stillbirth real soon... :(

Greets,

Manuel
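The ordering problem Manuel describes above (divert natd ahead of check-state, so the state entry created by an inbound, already-un-NATed packet never matches the NAT-rewritten outbound reply) can be traced through with a small model. The following is an added example, not code from the thread or from m0n0wall; it is a deliberately simplified model of ipfw's dynamic-rule behaviour (state keyed on the unordered address pair only, no protocol or ports; a matched dynamic rule carries out the action of the rule that created it, as ipfw does; default deny, the stock ipfw behaviour). The interface names and addresses are made up, and the second ruleset is the commonly used skipto pattern for combining keep-state with divert natd, not something taken from the quoted configuration.

```python
"""Toy model of ipfw rule traversal with divert natd and check-state.

Added example (not from the m0n0wall thread). Simplifications: state is keyed
on the unordered address pair only; natd is a fixed redirect plus outbound
masquerading; interface names and addresses below are invented.
"""
from dataclasses import dataclass, replace

OIF, IIF = "sis0", "sis1"                     # outside / inside interface (assumed)
PUBLIC, WEB, REMOTE = "198.51.100.1", "192.168.1.10", "203.0.113.5"


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    iface: str
    direction: str   # "in" or "out"


def natd(p: Pkt) -> Pkt:
    """One redirect (PUBLIC -> WEB) plus masquerading of outbound private src."""
    if p.direction == "in" and p.dst == PUBLIC:
        return replace(p, dst=WEB)
    if p.direction == "out" and p.src.startswith("192.168."):
        return replace(p, src=PUBLIC)
    return p


def rule(num, action, match=lambda p: True, keep_state=False, target=None):
    return {"num": num, "action": action, "match": match,
            "keep_state": keep_state, "target": target}


def via(iface, direction=None):
    """Match helper for ipfw-style `via`, `in via`, `out via`."""
    return lambda p: p.iface == iface and direction in (None, p.direction)


class Ipfw:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r["num"])
        self.dyn = {}    # frozenset({addr_a, addr_b}) -> rule that created the entry

    def run(self, p: Pkt):
        """Return (verdict, packet as it leaves the ruleset)."""
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            if r["action"] == "divert":
                if r["match"](p):
                    p = natd(p)              # natd re-injects; continue at the next rule
                i += 1
                continue
            if r["action"] == "check-state":
                parent = self.dyn.get(frozenset((p.src, p.dst)))
                if parent is None:
                    i += 1
                    continue
                r = parent                   # dynamic match: perform the parent's action
            elif not r["match"](p):
                i += 1
                continue
            if r["keep_state"]:
                self.dyn[frozenset((p.src, p.dst))] = r
            if r["action"] == "allow":
                return "allow", p
            if r["action"] == "skipto":
                i = next(k for k, x in enumerate(self.rules) if x["num"] >= r["target"])
                continue
            return "deny", p
        return "deny", p                     # default deny (stock ipfw behaviour)


def quoted_order():
    """Ordering as in the quoted ruleset: divert natd for both directions ahead
    of check-state, followed by a keep-state rule for the inbound redirect."""
    return Ipfw([
        rule(2100, "divert", via(OIF)),
        rule(2200, "check-state"),
        rule(2300, "allow", lambda p: p.dst == WEB and via(OIF, "in")(p), keep_state=True),
    ])


def skipto_order():
    """Common ipfw fix: un-NAT inbound first, consult state on pre-NAT addresses,
    and let the dynamic rule skip to a later block that NATs outbound traffic."""
    return Ipfw([
        rule(2100, "divert", via(OIF, "in")),
        rule(2200, "check-state"),
        rule(2300, "skipto", lambda p: p.dst == WEB and via(OIF, "in")(p),
             keep_state=True, target=3000),
        rule(3000, "divert", via(OIF, "out")),
        rule(3100, "allow"),
    ])


def reply_verdicts(fw):
    """Inbound request creates state; return the verdicts for the reply as it
    enters on the inside interface (pre-NAT) and leaves on the outside (post-NAT)."""
    fw.run(Pkt(REMOTE, PUBLIC, OIF, "in"))          # request to the redirected service
    reply = Pkt(WEB, REMOTE, IIF, "in")
    on_inside = fw.run(reply)
    on_outside = fw.run(replace(reply, iface=OIF, direction="out"))
    return on_inside, on_outside


if __name__ == "__main__":
    for name, fw in (("quoted order", quoted_order()), ("skipto order", skipto_order())):
        print(name, reply_verdicts(fw))
```

With the quoted ordering the reply is accepted by check-state on the inside interface but denied on the outside interface: by the time check-state runs there, natd has already rewritten the source to the public address, so the address pair no longer matches the entry created by the inbound packet, which is why an explicit "allow everything out" rule becomes necessary. With the skipto ordering, state is consulted before any outbound rewrite and the dynamic rule's skipto carries the packet into the divert.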