I've been pulling my hair out over this for days! I have a VM, jails on a loopback interface and using IPFW to NAT the traffic. My findings show that it slows to a crawl. I've also tested with PF and it works like a charm. Network speeds within the jail are fine.
I've tested this on Vultr, DigitalOcean and even within Hyper-V and got the exact same result: slow network speed when using IPFW, but fine with PF.
I also found a thread from July 2016 describing a similar issue, but with no responses.
/etc/rc.conf:
Code:
cloned_interfaces="lo1"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
/usr/local/etc/ipfw.rules:
Code:
#!/bin/sh
WAN_IF="hn0"               # external interface (Hyper-V netvsc)
WAN_IP="a.b.c.d"           # public address of the host
NAT_IP="127.0.1.0/24"      # jail network on lo1
IPF="ipfw -q add"
NAT="ipfw -q nat"
/sbin/ipfw -q -f flush
# in-kernel NAT instance: masquerade as WAN_IP, forward TCP/5432 into the jail net
$NAT 1000 config ip ${WAN_IP} \
redirect_port tcp 127.0.1.0:5432 5432
# jail-to-jail traffic on the loopback is never translated
$IPF 2000 allow ip from ${NAT_IP} to ${NAT_IP}
# outbound jail traffic through the WAN interface gets source-translated
$IPF 2001 nat 1000 ip from ${NAT_IP} to any via ${WAN_IF}
# anything addressed to WAN_IP is handed to the NAT instance for reverse translation
$IPF 2002 nat 1000 ip from any to ${WAN_IP}
$IPF 5000 allow all from any to any via ${WAN_IF}
And I've done something similar with PF:
/etc/rc.conf:
Code:
cloned_interfaces="lo1"
pf_enable="YES"
/etc/pf.conf:
Code:
ext_if="hn0"
ext_addr=$ext_if:0           # first address on hn0, aliases excluded
int_if="lo1"
jail_net = "127.0.1.0/24"
# masquerade jail traffic as the external address, keeping source ports where possible
nat on $ext_if from $jail_net to any -> $ext_addr port 1024:65535 static-port
# forward inbound TCP/5432 to the PostgreSQL jail
rdr pass on $ext_if inet proto tcp to port 5432 -> 127.0.1.1
Am I doing something wrong? Why do I get such a performance hit with IPFW while PF is perfectly fine?
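For comparison, here is the same jail NAT ruleset rewritten with explicit direction on every NAT rule, so that rule 2002 is evaluated only for packets arriving on the WAN interface rather than for every packet addressed to the host's own IP on any interface (including lo0). This is an added example, not the original poster's script or a claim about the cause of the slowdown; it assumes the interface name, placeholder address and a jail at 127.0.1.1 running PostgreSQL (the original redirects to 127.0.1.0), and adds a DRY_RUN mode that prints the ipfw commands instead of executing them so the ruleset can be reviewed off-box.

```shell
#!/bin/sh
# Added example (not from the original post). Same jail NAT design as the
# poster's ipfw.rules, with explicit in/out qualifiers on the NAT rules.
# Assumed values (not from the post): WAN_IF, WAN_IP placeholder, PG_JAIL.
WAN_IF="${WAN_IF:-hn0}"
WAN_IP="${WAN_IP:-a.b.c.d}"         # placeholder, as in the post
JAIL_NET="${JAIL_NET:-127.0.1.0/24}"
PG_JAIL="${PG_JAIL:-127.0.1.1}"     # assumed: jail that runs PostgreSQL
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands, 0 = run /sbin/ipfw

# Print or execute one ipfw command, depending on DRY_RUN.
ipfw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        /sbin/ipfw -q "$@"
    fi
}

# Emit the whole ruleset. Rule numbers match the original so the two
# can be diffed side by side with `ipfw -a list`.
load_jail_nat_rules() {
    ipfw_cmd -f flush
    # NAT instance: masquerade as WAN_IP, forward TCP/5432 into the jail
    ipfw_cmd nat 1000 config ip "$WAN_IP" \
        redirect_port tcp "${PG_JAIL}:5432" 5432
    # jail-to-jail and jail-to-host traffic on lo1 is never translated
    ipfw_cmd add 2000 allow ip from "$JAIL_NET" to "$JAIL_NET"
    # only packets leaving through the WAN interface are source-translated ...
    ipfw_cmd add 2001 nat 1000 ip from "$JAIL_NET" to any out xmit "$WAN_IF"
    # ... and only packets arriving on it are reverse-translated, so traffic
    # the host sends to its own WAN_IP over lo0 never enters libalias
    ipfw_cmd add 2002 nat 1000 ip from any to "$WAN_IP" in recv "$WAN_IF"
    ipfw_cmd add 5000 allow ip from any to any via "$WAN_IF"
}

load_jail_nat_rules
```

Run it as `DRY_RUN=1 sh ipfw.rules` to review the generated commands, then point `firewall_script` at it with `DRY_RUN=0` exported (or edit the default) to load the rules. With the default `net.inet.ip.fw.one_pass=1`, a packet that matches rule 2001 or 2002 leaves the firewall right after translation and never reaches rule 5000, so `ipfw -a list` counters on 2001/2002 show exactly how much traffic is passing through the in-kernel NAT.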