Hello,
I'm using FreeBSD 8.0 + ipfw() + natd() as a gateway for a small LAN (a few hundred users). During normal operation, CPU usage by natd() varies from a few % up to 20-30 % during peak hours. However, from time to time something strange happens: natd() steadily increases its CPU usage up to 80-90%, then FreeBSD starts to drop packets. This situation lasts for a few seconds, natd() CPU usage drops back to normal values, everything works again, and after some time this process repeats itself.
natd.conf:
Code:
redirect_port tcp 172.17.242.255:4365-4366 4365-4366
redirect_port udp 172.17.242.255:4365-4366 4365-4366
redirect_port tcp 10.10.10.3:22 7728
redirect_port tcp 10.10.10.3:443 7729
unregistered_only
interface em0
ipfw():
Code:
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="em0" # public interface name of NIC
# facing the public Internet
iif="em2"
#
$cmd 001 deny all from 192.168.0.0/16 to any in via $pif
$cmd 002 deny all from 172.16.0.0/12 to any in via $pif
$cmd 003 deny all from 10.0.0.0/8 to any in via $pif
$cmd 004 deny all from 127.0.0.0/8 to any in via $pif
$cmd 005 deny all from 0.0.0.0/8 to any in via $pif
$cmd 006 deny all from 169.254.0.0/16 to any in via $pif
$cmd 007 deny all from 192.0.2.0/24 to any in via $pif
$cmd 008 deny all from 204.152.64.0/23 to any in via $pif
$cmd 009 deny all from 224.0.0.0/3 to any in via $pif
#Ident
$cmd 010 deny tcp from any to any 113 in via $pif
#Netbios
$cmd 020 deny all from any to any 137 in via $pif
$cmd 021 deny all from any to any 138 in via $pif
$cmd 022 deny all from any to any 139 in via $pif
$cmd 023 deny all from any to any 81 in via $pif
#NAT
$cmd 030 divert natd all from any to any via $pif
I tried to investigate the issue and observed this (example calculations from netstat()):
- natd normal CPU usage - about 10k packets/s
- natd increased CPU usage - sudden increase to about 90k packets/s
So it probably has something to do with packet numbers. What bothers me is that I managed to replicate this issue by doing nothing harmful - when I log in to the server via ssh from the outside world and start mc, natd() starts consuming more and more CPU; the same happens during even small file transfers via scp(). Just starting mc from the outside network increases packets per second from, let's say, 12k up to 90k. So my question is this: maybe someone has some experience with a similar problem and knows where the problem may be? Any suggestions would be really appreciated.
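One way to pin down the 10k-to-90k packets/s jumps described above is to sample `netstat -I em0 -w 1` continuously and flag the intervals that exceed a threshold, so they can be lined up with natd CPU readings. The script below is an added example, not from the original post; it assumes the FreeBSD 8-era seven-column `netstat -w` layout, and the 50000 pps threshold and the embedded sample rows are constructed values.

```shell
#!/bin/sh
# Added example: flag netstat -w intervals whose packet rate exceeds a
# threshold, to correlate pps bursts with natd CPU spikes.
# Assumption: `netstat -I em0 -w 1` prints one row per interval with
# seven numeric columns: in-packets errs bytes out-packets errs bytes colls.

PPS_THRESHOLD=${PPS_THRESHOLD:-50000}   # constructed default, tune to the link

# Read netstat -w output on stdin; print "<interval#> <in_pps> <out_pps>"
# for every interval where input or output packets/s exceed the threshold.
flag_pps_spikes() {
    awk -v thr="$PPS_THRESHOLD" '
        # Only seven-column rows whose first field is numeric are samples;
        # the two header lines netstat prints are skipped.
        NF == 7 && $1 ~ /^[0-9]+$/ {
            n++
            if ($1 > thr || $4 > thr) printf "%d %d %d\n", n, $1, $4
        }'
}

# Number of flagged intervals in the input (useful as a cron/alert check).
count_pps_spikes() {
    flag_pps_spikes | wc -l | tr -d ' '
}

# Constructed sample: three 1-second intervals, the middle one a burst
# like the one the post describes (not real capture data).
SAMPLE='            input          (em0)           output
   packets  errs      bytes    packets  errs      bytes colls
     10234     0    8765432      10100     0    5432100     0
     91210     0   12034567      90877     0    6012345     0
     12011     0    9012345      11876     0    5678901     0'

# Live use on the gateway (runs until interrupted):
#   netstat -I em0 -w 1 | flag_pps_spikes
# In another terminal, sample natd CPU at the same time:
#   top -b | grep natd
```

Timestamping both streams (for example by piping each through `while read l; do echo "$(date +%T) $l"; done`) makes it straightforward to see whether natd CPU rises before or after the packet burst.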