IPFW natd high CPU usage, how to fix?

Hi. I'm very new to FreeBSD and use version 10.1 now. I installed OpenVPN with this tutorial on my server:

https://www.digitalocean.com/commun...t-to-a-private-openvpn-server-on-freebsd-10-1

After that I installed Apache, MySQL, PHP and Wordpress with these tutorials:

https://www.digitalocean.com/commun...ache-mysql-and-php-famp-stack-on-freebsd-10-1

https://www.digitalocean.com/commun...install-wordpress-with-apache-on-freebsd-10-1

But then my server was very slow. So I checked with top -H and found that natd is using a lot of CPU power, about 70% even in idle mode. I deactivated natd in rc.conf and the server is running fast again. But now I can't use the server as an OpenVPN gateway. I can connect, but no website will load. How can I fix this?
 
Revise your ipfw(8) configuration, and put all rules dealing with local traffic before any NAT rule.

Anyway, natd is ancient technology; why don't you use the modern in-kernel NAT? See ipfw(8) -- NETWORK ADDRESS TRANSLATION (NAT).

Here is a link to a working example of ipfw/nat for an L2TP/IPsec dial-in VPN server. It should be quite easy to adapt this to OpenVPN -- this is quite a long article, and the firewall is discussed in the middle of it:

http://blog.obsigna.net/?p=520
see also: http://blog.obsigna.net/?p=500
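The two points made in the reply above (local traffic is handled before any NAT rule; in-kernel ipfw nat replaces natd/divert) as one ruleset. This is an added example, not the thread's own configuration or the linked article's: it keeps the public interface em0 from the ipfw list posted in this thread and assumes OpenVPN on tun0 with its default 10.8.0.0/24 client subnet and UDP port 1194, and a web server on 80/443. Run it without arguments to print the rules in load order; run it as root with the argument apply to load them.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset for an OpenVPN gateway that
#  1. accepts loopback, VPN-internal and to-this-host traffic before any NAT rule,
#  2. uses in-kernel "ipfw nat" on the public interface instead of natd + divert.
# Assumed values: tun0, 10.8.0.0/24 and 1194 are OpenVPN defaults, not from the thread.
EXT_IF="${EXT_IF:-em0}"            # public interface (taken from the posted ipfw list)
VPN_IF="${VPN_IF:-tun0}"           # OpenVPN tunnel interface (assumption)
VPN_NET="${VPN_NET:-10.8.0.0/24}"  # OpenVPN client subnet (assumption)
VPN_PORT="${VPN_PORT:-1194}"       # OpenVPN UDP port (assumption)
IPFW="${IPFW:-ipfw -q}"            # set IPFW=echo to print instead of loading

fw() { $IPFW "$@"; }

load_rules() {
    fw flush

    # One in-kernel NAT instance bound to the public interface. "reset" clears
    # the translation table when the interface address changes.
    fw nat 1 config if "$EXT_IF" same_ports reset

    # --- local traffic first: nothing below 2000 ever reaches the NAT rules --
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any
    fw add 400 deny ip from any to ::1
    fw add 500 deny ip from ::1 to any
    # (the ipv6-icmp rules 600-1000 from the posted list can stay here unchanged)

    # Traffic on the tunnel itself (client <-> gateway, client <-> client).
    fw add 1100 allow ip from any to any via "$VPN_IF"

    # Services that terminate on this host: accept them here so the packets are
    # never passed through the NAT table.
    fw add 1200 allow udp from any to me "$VPN_PORT" in via "$EXT_IF"
    fw add 1210 allow tcp from any to me 80,443 in via "$EXT_IF"

    # --- NAT only for VPN clients leaving through the public interface -------
    # Outbound: rewrite the client's 10.8.0.x source to the public address.
    fw add 2000 nat 1 ip4 from "$VPN_NET" to any out via "$EXT_IF"
    # Inbound: translate replies back; packets with no table entry pass unchanged
    # (no deny_in on the instance). With the default net.inet.ip.fw.one_pass=1 a
    # translated packet is accepted right here and does not continue to 65000.
    fw add 2010 nat 1 ip4 from any to any in via "$EXT_IF"

    # Same open policy as the posted list; tighten once the gateway works.
    fw add 65000 allow ip from any to any
}

if [ "${1:-}" = "apply" ]; then
    # In-kernel NAT lives in the ipfw_nat module; forwarding is enabled by
    # gateway_enable="YES" in rc.conf (or sysctl net.inet.ip.forwarding=1).
    kldstat -q -m ipfw_nat || kldload ipfw_nat
    load_rules
else
    # Default: dry run, print the commands in the order they would be loaded.
    ( IPFW=echo; load_rules )
fi
```

To use it at boot, save it as /etc/ipfw.rules, remove natd_enable from rc.conf, set firewall_enable="YES" and gateway_enable="YES", and point firewall_script at a one-line wrapper that runs sh /etc/ipfw.rules apply. The check that matters is the dry-run output: every rule for lo0, the tunnel and this host's own services must carry a lower number than the first nat rule, and there must be no divert rule left.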
 
This is my firewall configuration now, just out of the box after following the above listed three tutorials:

Code:
# ipfw list
00050 divert 8668 ip4 from any to any via em0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 allow ip from any to any
65535 deny ip from any to any

Can you tell me which rules I should move to which location, please? I will try to adapt your example to my server later. I'm really a beginner.
 
FWIW, I just restart the natd service when it starts to use a lot of CPU. On my home firewall, this means a restart of natd every few months. YMMV.
 