Solved NAT - Low speed outside of local subnet

[CallumA]

I've been having a problem with NAT on FreeBSD and it's driving me up the wall so I decided to post on the forum!

I've been using ipnat to use my FreeBSD box (xxx.xxx.xxx.133) as a router for OpenVPN and it works albeit REALLY slowly (I'm getting <50KB/s downloading a file over HTTP on the VPN).

My initial thoughts were that it's OpenVPN's fault but I noticed when using tun0 IP (10.8.0.1) of the server on the VPN (and therefore no-NAT) the speed is just a normal VPN speed. I then went on to test another server on the same public subnet as the VPN server by accident (xxx.xxx.xxx.159) and that worked just as well, at a good speed too!

The problem only comes when accessing sites on a different subnet (for example
74.125.230.248) through the router on the network (xxx.xxx.xxx.129), I then get awful speeds.

I'm not sure what the problem is. In addition to ipnat I've tried natd with IPFW with the same result, perhaps even worse but that might just be me. Also, the VPN server's connection is not the problem (accessing the same things directly on the server is fine).

Any ideas what could be causing my problem?

Thanks!

/etc/rc.conf

gateway_enable="YES"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

/etc/ipnat.rules

map vtnet0 10.8.0.0/16 -> xxx.xxx.xxx.133/32 portmap tcp/udp 1025:65000
map vtnet0 10.8.0.0/16 -> xxx.xxx.xxx.133/32

 

[junovitch@]

That does sound strange. Does a client that is on the local LAN and not using the VPN subnet exhibit the same performance issues? One thing I can think of would be to try a different driver. I notice you are using the vtnet driver. Perhaps try running the tests again after setting your virtualization solution to use another NIC type, perhaps one that will present an em Intel driver. Maybe there is an interaction between NAT and the driver.

 

[CallumA]

That does sound strange. Does a client that is on the local LAN and not using the VPN subnet exhibit the same performance issues? One thing I can think of would be to try a different driver. I notice you are using the vtnet driver. Perhaps try running the tests again after setting your virtualization solution to use another NIC type, perhaps one that will present an em Intel driver. Maybe there is an interaction between NAT and the driver.

You're right! Can't believe I spent so long scratching my head on this and that's all it was!
Thank you so much!!

I guess this is a bug then... I'll have to submit it to Bugzilla.

 

[junovitch@]

Awesome. I'm glad I could help. I can't remember where I picked that up from... Maybe some chatter on the mailing list about VirtIO performance and seeing the NIC just stuck out for me. Minor variations in performance I can understand but what you described is several orders of magnitude difference. If you make a bug, post up the details for anybody who happens to search and come across it on the forums.

 

[CallumA]

Just realised I'd forgotten to update this thread! In case anybody else is looking I found (months) later a bug on Bugzilla that turned out to detail the problem (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059)

The workaround is to disable hardware checksumming. In rc.conf in the ifconfig for the vtnet interface add "-rxcsum -txcsum -rxcsum6 -txcsum6" to the end.

 

[kpa]

Hardware offloading with virtualized hardware never makes any sense because the "hardware" is just another piece of software running on the host CPU.

 

[satriani]

Does this bug 165059 still exist today in FreeBSD 14.0?
I have not found anything about this.

 

[freezmi]

Does this bug 165059 still exist today in FreeBSD 14.0?
I have not found anything about this.

yes, I still had this problem in FreeBSD 14.1 using the vtnet driver on a Linode/Akamai instance.
disabling the hardware checksum fixed the very slow NAT traffic. thanks for everyone who pointed this out.

I was wondering, since vtnet is a virtual device by definition those hardware offloading flags should be disabled by default, surely?