Solved IPFW not sharing load

Hi everyone,
I'm running a FreeBSD 10.3 stable (virtualized) with IPFW2 and my network traffic is extremely slow.
I realized that just 2 CPUs are doing all the load.
When I tested with a stress test all works fine.
Is there any parameter that I need to change?
Thanks in advance
 
Packet filters like IPFW, PF, and IPF are generally single-threaded, and making them multi-threaded is not an easy thing. Things have improved with IPFW and PF in recent versions of FreeBSD, where some tasks are done in a separate thread, but you generally won't get more than 2 CPUs doing anything in a packet filtering firewall. There's nothing you can do about that.

If you are using a *lot* of CPU, then you will need to go through your ruleset and optimise things. The fewer rules you use, the faster things will be, especially with IPFW (3000 rules will run a CPU at 100% all the time; 600 rules will run the same CPU at less than 25%). Use the in-kernel NAT (ipfw nat) instead of userland NAT daemon (ipfw divert). Enable single-pass filtering via sysctl (net.inet.ip.fw.one_pass or something along those lines). Use tables to combine similar rules. Use skipto to separate the ruleset into sections and limit the number of rules individual packets need to go through. Etc.
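The following script is an added example, not from this thread or from the FreeBSD project, that puts the suggestions above into one ruleset: a table in place of one deny rule per prefix, a skipto per direction so each packet evaluates only its own section, in-kernel NAT instead of natd over a divert socket, and single-pass filtering (the sysctl is net.inet.ip.fw.one_pass). Interface names, the LAN prefix and the blocked-prefix list are assumed placeholders, and the table syntax is the numbered form used by FreeBSD 10.x. With DRY_RUN=1 (the default) the commands are printed instead of executed, so the ruleset can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): IPFW ruleset skeleton applying the
# optimisations discussed: tables, skipto sections, in-kernel NAT, one_pass.
# Interfaces and address blocks below are assumed placeholders.
# DRY_RUN=1 prints the commands; DRY_RUN=0 executes them on a FreeBSD host.

DRY_RUN="${DRY_RUN:-1}"
WAN="${WAN:-em0}"                      # assumed WAN interface
LAN="${LAN:-em1}"                      # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN prefix

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_ruleset() {
    # Single-pass: a packet leaving a nat/pipe rule is accepted, not re-injected
    run sysctl net.inet.ip.fw.one_pass=1

    run ipfw -f flush
    run ipfw table 1 flush
    # One table of prefixes that must never arrive from, or leave towards, the
    # WAN. Ten entries cost one table lookup instead of ten separate rules.
    for net in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
               172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
        run ipfw table 1 add "$net"
    done

    # In-kernel NAT (libalias) instead of natd over a divert socket.
    # deny_in drops inbound packets that match no existing translation entry,
    # which matters because under one_pass the nat rule is terminal.
    run ipfw nat 1 config if "$WAN" same_ports unreg_only deny_in

    run ipfw add 100 allow ip from any to any via lo0
    run ipfw add 110 deny ip from any to 127.0.0.0/8
    run ipfw add 120 deny ip from 127.0.0.0/8 to any
    run ipfw add 200 allow ip from "$LAN_NET" to any via "$LAN"   # trusted side

    # Dispatch by direction: each packet evaluates one skipto plus its section.
    run ipfw add 300 skipto 1000 ip from any to any in via "$WAN"
    run ipfw add 310 skipto 2000 ip from any to any out via "$WAN"
    run ipfw add 320 deny ip from any to any               # nothing else exists

    # Section 1000: inbound on WAN
    run ipfw add 1000 deny ip from "table(1)" to any       # bogon/private sources
    run ipfw add 1010 nat 1 ip from any to any             # terminal under one_pass
    run ipfw add 1990 deny ip from any to any              # reached only if one_pass=0

    # Section 2000: outbound on WAN
    run ipfw add 2000 deny ip from any to "table(1)"       # do not leak private space
    run ipfw add 2010 nat 1 ip from any to any
    run ipfw add 2990 deny ip from any to any
}

# Review helper: number of 'ipfw add' lines the generated ruleset contains.
rule_count() {
    DRY_RUN=1 build_ruleset | grep -c '^ipfw add '
}

build_ruleset
```

Each section ends in an explicit deny so that a packet never falls through into the next section, and the ruleset stays closed even if one_pass is later set to 0; the 1990 and 2990 rules exist only for that case, since with one_pass=1 the nat rules terminate processing.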
 
Thanks Freddie,
We've decided to change to pfSense for "easier" optimisation.
Now the CPUs are at less than 20%.
 
Very interesting discussion. Does anyone know if NetBSD's NPF is possibly being given consideration for porting in the future? It seems to have been written from the ground up to be a multi-thread-aware packet filter.