Solved IPFW not sharing load

gleizer

New Member

Hi everyone,
I'm running a FreeBSD 10.3 stable (virtualized) with IPFW2 and my network traffic is extremely slow.
I realized that just 2 CPUs are doing all the load.
When I tested with a stress test all works fine.
Is there any parameter that I need to change?
Thanks in advance.
 

phoenix

Administrator

Packet filters like IPFW, PF, and IPF are generally single-threaded, and making them multi-threaded is not an easy thing. Things have improved with IPFW and PF in recent versions of FreeBSD, where some tasks are done in a separate thread, but you generally won't get more than 2 CPUs doing anything in a packet filtering firewall. There's nothing you can do about that.

If you are using a *lot* of CPU, then you will need to go through your ruleset and optimise things. The fewer rules you use, the faster things will be, especially with IPFW (3000 rules will run a CPU at 100% all the time; 600 rules will run the same CPU at less than 25%). Use the in-kernel NAT (ipfw nat) instead of userland NAT daemon (ipfw divert). Enable single-pass filtering via sysctl (net.inet.ip.fw.one_pass or something along those lines). Use tables to combine similar rules. Use skipto to separate the ruleset into sections and limit the number of rules individual packets need to go through. Etc.
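A ruleset that puts the points above into practice (single-pass filtering, in-kernel NAT, tables, skipto sections) is added here as an example; it is not part of phoenix's reply or of any FreeBSD script. The interface names vtnet0/vtnet1, the 192.168.10.0/24 LAN prefix and the rule numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a sectioned IPFW ruleset using the
# optimisations listed above (one_pass, in-kernel NAT, tables, skipto).
# Interface names and address ranges below are assumptions; adjust them.
EXT_IF=${EXT_IF:-vtnet0}                 # Internet-facing interface (assumed)
INT_IF=${INT_IF:-vtnet1}                 # LAN interface (assumed)
LAN_NET=${LAN_NET:-192.168.10.0/24}      # LAN prefix (assumed)

# Emit the ruleset as ipfw(8) command lines (FreeBSD 10.x numbered tables).
# Table 1 = local networks; table 2 = private ranges never valid from outside.
# Three skipto sections: 10000 inbound on EXT_IF, 20000 outbound on EXT_IF,
# 30000 LAN side. With net.inet.ip.fw.one_pass=1 the nat rule is the final
# action, so unsolicited inbound traffic is dropped by the nat deny_in option
# (no existing NAT entry = no translation = dropped) rather than by a later rule.
build_ruleset() {
cat <<EOF
flush
table all flush
table 1 add $LAN_NET
table 2 add 10.0.0.0/8
table 2 add 172.16.0.0/12
table 2 add 192.168.0.0/16
nat 1 config if $EXT_IF deny_in same_ports reset
add 100 allow ip from any to any via lo0
add 200 check-state
add 1000 skipto 10000 ip from any to any in via $EXT_IF
add 1100 skipto 20000 ip from any to any out via $EXT_IF
add 1200 skipto 30000 ip from any to any via $INT_IF
add 1300 deny ip from any to any
add 10000 deny ip from table(2) to any
add 10100 nat 1 ip from any to any
add 10200 allow ip from any to table(1)
add 10300 deny ip from any to any
add 20000 nat 1 ip from table(1) to any
add 20100 deny ip from any to any
add 30000 allow ip from table(1) to any keep-state
add 30100 allow ip from any to table(1)
add 30200 deny ip from any to any
EOF
}

# Number of filter rules a packet can traverse (tables/nat config are not rules).
rule_count() { build_ruleset | grep -c '^add '; }

# Syntax-check with ipfw -n by default; install only when asked explicitly.
load_ruleset() {
    if [ "$1" = apply ]; then
        sysctl net.inet.ip.fw.one_pass=1 >/dev/null   # nat/pipe ends the search
        build_ruleset | ipfw -q /dev/stdin
    else
        build_ruleset | ipfw -n /dev/stdin            # parse only, no changes
    fi
}

case "${1:-}" in check|apply) load_ruleset "$1" ;; esac
```

Run it with `check` first on the firewall host so ipfw -n validates every line before anything is installed.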
 

gleizer

New Member

Thanks Freddie,
We've decided to change to pfSense for "easier" optimisation.
Now CPUs are less than 20%.
 

gofer_touch

Well-Known Member

Very interesting discussion. Does anyone know if NetBSD's NPF is possibly being given consideration for porting in the future? It seems to have been written from the ground up to be a multi-thread-aware packet filter.
 