freebsd5.2做防火墙速度很慢

werix

Ok, good to find out yourself. but I wonder why it works...

最初由 csstrike 发表
I have fixed the problem!
my file /etc/firewall.conf was actually:

add divert natd from 192.168.0.0/24  to any via ed0
add divert natd from any to 192.168.0.0/24  via ed0
add allow all from any to any

the first and second lines have  something  wrong!

csstrike

using the rules:

add divert natd from any to any via ed0
add allow all from any to any

foure machines (I did not test many) can connet to internet now.
but still, the machine shows the messages like:
kernel : arp : 192.168.0.12 is on ed1 but got reply from 52:55:ab:39:9e:18 on ed0
kernel : arp : 192.168.0.59 is on ed1 but got reply from 00:52:50:84:45:d1 on ed0
......

What's the reason?

this time I added
maxusers  200
options MROUTING
options MAXMEM=(480*1024)
to the kernel config file: GENERIC
Could this help speeding up the machine?

csstrike

the speeds those machines connecting to web are quite fast

werix

to disable it:

sysctl net.link.ether.inet.log_arp_wrong_iface=0

the reason? I don't know either .

最初由 csstrike 发表
using the rules:

foure machines (I did not test many) can connet to internet now.
but still, the machine shows the messages like:
kernel : arp : 192.168.0.12 is on ed1 but got reply from 52:55:ab:39:9e:18 on ed0
kernel : arp : 192.168.0.59 is on ed1 but got reply from 00:52:50:84:45:d1 on ed0
......

What's the reason?

this time I added
maxusers  200
options MROUTING
options MAXMEM=(480*1024)
to the kernel config file: GENERIC
Could this help speeding up the machine?

csstrike

还是不行。昨天用4,5台内网的机器测试，速度很快。今天30多台机器同时上网时，速度就很明显的慢得要命。
作路由的主机主板上有两个Pentium 3 (686 class) 775Mhz 的CPU。
优化内核，按如下步骤改GENERIC：
1.按Freebird的建议设maxusers为80,
2.同时起用smp对称多处理器，
3.选686 class的cpu，
4.设MAXMEM为(490*1024)  (主机内存512,实际可用内存449)
5.起用MROUTING
结果内网的机器上网速度还是很慢。无法跟用debian作主机的路由器比。
什么原因？freeBSD适合作服务器的传闻我听得很多了，
结果拿来一用就让人大失所望。

csstrike

http://www.samag.com/documents/s=1148/sam0107a/0107a.htm
Kernel Tweaks for High Performance

In their default configurations, the UNIX-style operating systems we tested do not support the large numbers of simultaneous TCP/IP connections that multi-threaded and asynchronous applications require. This limitation drastically restricts applications performance, and can incorrectly dissuade a systems administrator from using these kinds of high-performance architectures. Fortunately, these limitations are easily overcome with a few kernel tweaks. On UNIX, each TCP/IP connection uses a file descriptor, so you must increase the total number of descriptors available to the operating system, and also increase the maximum number of descriptors each process is allowed to use. All UNIX-style operating systems have a ulimit shell command (sh and bash), which can allow more open file descriptors to commands started in that shell once the appropriate kernel tweak has been made. We suggest ulimit -n 8192. Here are our recommended kernel tweaks:

On Linux: echo 65536 > /proc/sys/fs/file-max changes the number of system-wide file descriptors.

On FreeBSD: Append to /etc/sysctl (or you can use sysctl -w to add these):

kern.maxfiles=65536

kern.maxfilesperproc=32768

On Solaris: Add the following to /etc/system and reboot:

set rlim_fd_max=0x8000

set rlim_fd_cur=0x8000

“ulimit -n 8192”这一项是什么意思？

rainren

ulimit 是权限设置命令， 是每个用户能使用的权限！
-n 是打开文件的数目！

大熊宝宝

IPFW 會造成多大的網路延遲
http://freebsd.sinica.edu.tw/zh-big5-FAQ/networking.html#Q9.18.
look一下

csstrike

我的网关机内存512,实际可用449M
参照王波的freebsd使用大全，进行进一步的优化：
在/etc/make.conf中加
CPUTYPE=686
CFLAGS=-O3
COPTFLAGS=-O3
在内核GENERIC文件设
maxusers  400
options  MAXDSIZ=(440*1024*1024)
options  DFLDSIZ=(440*1024*1024)
options  NMBCLUSTERS=20000
options  VM_KMEM_SIZE=440000000
options  VM_KMEM_SIZE_SCALE="(2)"
书上说作路由器，VM_KMEM_SIZE要大些。
结果试了一下，效果好象改善了许多。当时上网的人散了一半，无法肯定是否有效。VM_KMEM_SIZE，  VM_KMEM_SIZE_SCALE对于路由器设成多少比较好？

大熊宝宝

书上还说做路由关掉swap呢 因为natd是守护程序 没有运行在内核中 通过drivert socker来通讯 所以效率当然很低了 不如用ipfilter:%