Hi David,

I am not an expert by any means, but I run almost your exact same set up!

My hardware is a P3-300 w/512M and I have no issues at all. Basically
I get the same ping times from my nat box as I do from machines inside...
I'm also running 2.0_stable...

I'll ask the obvious: what rules are you using? I'd like to see your
ipf.conf and your ipnat.conf...

I'm kinda busy, but I would urge you to join both the mailing lists I've
cc'd this message to. ipf has a web archive too.

Best regards,
gene



On Tue, April 5, 2005 6:08 pm, David Howland said:
> I have an awful pesky problem with IPFilter (I think).  First, some
> background:
>
> I use NetBSD in my home as a kind of "household server".  We have mostly
> Windows based desktop and laptop clients, and the NetBSD machine hooks
> up to the cable modem and performs IPF/NAT/http/mail duties.  The
> machine is PIII 500MHz, 512MB, should be plenty for what it does.  It
> has two NICs, both 3Com 3C905B.  It doesn't run X, and besides the basic
> stuff like cron and inetd, all it runs is ssh, apache, smb, ntp,
> sendmail, dhcpd, dnsmasq.  The only time it ever hits the swap is when I
> recompile the OS.
>
> I have these pesky problems with the machine getting laggy or dropping
> packets.  The problem is difficult to fix.  I now believe that the
> problem is with ipfilter.  I'll explain:
>
> Internet access is not "smooth" like it is when using a cheap-o hardware
> router, one of those home Linksys wireless jobs.  Packet loss is a
> problem, and pings spike.  I have eliminated the following causes:
>
> cable modem: plugged directly into a PC, problem disappears
> cable: replaced
> NIC: moved to different slot, replaced with new card of different type
> OS version: problem persists after upgrade to latest 2.0_STABLE
>
> I performed a simple experiment to find the problem:
>
> The PC has two NICs, "outside" and "inside", it acts as a gateway
> between the outside world and our house, with NAT.  From one of the
> client PCs (192.168.0.2) I ping three locations.  The "inside" adapter
> (192.168.0.1), the "outside" adapter (65.x.x.x), and the cable modem
> (hardwired to 192.168.100.1).  All three pings go at the same time.  I
> set them to ping forever until I stop it.  In windows, the ping tool
> actually shows a "request timed out" message when a ping doesn't come
> back, so I can just sit back and watch the three windows for these
> timeouts.  There is no other traffic, except perhaps the occasional
> keep-alive packets from instant messenger.
>
> The pings to the "inside" and "outside" adapter never show anything but
> <1ms ping time and never drop packets.  The cable modem ping is less
> than desirable.  Whats worse is that I can cause packet loss to occur.
> I have a cron script run every 5 minutes for MRTG.  When this happens,
> it _always_ drops some packets (even when nice'd).  This is not the only
> time when packets are dropped, and I have a hunch that other times are
> due to other processes going on processor.
>
> It can't be the driver, the "inside" adapter never flinches.  It
> probably isn't option GATEWAY, because the "outside" adapter never
> flinches.  However, to go outside the box to the cable modem, it has to
> go through ipf/ipnat.
>
> So, it seems to me that there is perhaps some performance problem with
> IPFilter in the kernel?  I lack the know-how to perform any other tests
> to confirm this.  How is it that userland processes can be allowed to
> trip up the in-kernel packet forwarding?  All I have to do is start a
> big make (eg build.sh distribution) and response time goes to hell.  I
> am surprised to find that this kind of thing hasn't been reported by
> anyone else.
>
> I use a slimmed-down kernel.  Problem persists with GENERIC kernel (plus
> option GATEWAY).  Problem persists with and without ALTQ.
>
> Later this week, I am going to replace the entire machine with a
> different one in a last ditch effort to fix it.  If that works, I'll say
> so on the mailing list.
>
> So, sorry for the long email.  Any experts here on IPFilter or
> networking in general that have suggestions?  Thanks in advance for any
> help.  Please CC my email, I'm not subscribed to the list.
>
> Thanks,
> -d
>