Poor upload speed with NAT

I have a linux box acting as a router/gateway between the internet, a
public network and a private LAN. We are using iptables to SNAT our
LAN. The setup for this is quite simple:

IPTABLES=`which iptables`
LAN=eth0
WAN=eth1
PUB=eth2
LAN_BLOCK=192.168.16.0/24
NAT_SOURCE=1.2.3.4

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $PUB -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $PUB -o $LAN -m state --state NEW -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $WAN -s $LAN_BLOCK -j SNAT \
    --to-source $NAT_SOURCE

With these rules, I get great download performance, regardless of
protocol (sftp, ftp, http, etc).

Uploads, however, are a different story. I believe that the source of
this issue is the NATing because, if I upload to the same server from
a box that isn't being NATed (e.g. in the public block), upload speeds
are an order of magnitude greater when not being NATed, regardless of
protocol. For example, if I upload a file from one of our public
servers to a remote location, it will upload at about 500Kb/s. The
same upload to the same location from within the LAN won't see more
than 60Kb/s.

I'm not doing any kind of fancy traffic control or anything like that.
I would expect to see some slowdown because of the NAT (for example,
downloads are 600Kb/s vs 500Kb/s through the NAT), but this kind of
slowdown seems a bit ridiculous.

I'm running a custom 2.6.30.3 kernel.  I've also installed
conntrack-tools thinking that my connection table might be getting
full.  However, according to conntrack -S:

entries                 455
searched                84375
found                   10970723
new                     242106
invalid                 15039
ignore                  53722
delete                  241522
delete_list             225919
insert                  226270
insert_failed           0
drop                    0
early_drop              0
icmp_error              5741
expect_new              28
expect_create           43
expect_delete           34

So I am well below the table max:

# sysctl net.netfilter.nf_conntrack_max
net.netfilter.nf_conntrack_max = 65536

Is this kind of performance drop to be expected w/ netfilter and
iptables?  Any suggestions on things I can do to increase performance?
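The table check the post does by hand, as an added example (not part of the original mail or of conntrack-tools): a small sh function that reads `conntrack -S` output in the one-counter-per-line layout shown above, takes `nf_conntrack_max` as its argument, and reports whether the table is near capacity or the kernel has already refused or evicted entries. It assumes that older output layout; newer conntrack-tools print per-CPU lines, which this parser does not handle.

```shell
#!/bin/sh
# Added example, not from the original post or from conntrack-tools.
# check_conntrack MAX   (conntrack -S output on stdin)
# Prints findings; returns 0 when the conntrack table is not the
# bottleneck, 1 otherwise.
check_conntrack() {
    max=$1
    entries=0; insert_failed=0; drop=0; early_drop=0
    while read -r name value _; do
        case "$name" in
            entries)       entries=$value ;;
            insert_failed) insert_failed=$value ;;
            drop)          drop=$value ;;
            early_drop)    early_drop=$value ;;
        esac
    done
    status=0
    pct=$(( entries * 100 / max ))   # integer percent of slots in use
    if [ "$pct" -ge 80 ]; then
        echo "WARN: conntrack table ${pct}% full (${entries}/${max})"
        status=1
    fi
    # Any non-zero value here means the kernel has already refused or
    # evicted connections; that shows up as stalls and retransmits.
    if [ "$insert_failed" -gt 0 ] || [ "$drop" -gt 0 ] || [ "$early_drop" -gt 0 ]; then
        echo "WARN: insert_failed=$insert_failed drop=$drop early_drop=$early_drop"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "ok: ${pct}% of ${max} slots used, no drops"
    fi
    return $status
}

# Constructed samples: the counters from the post above, and a made-up
# saturated table for contrast.
SAMPLE_OK='entries 455
insert_failed 0
drop 0
early_drop 0'
SAMPLE_FULL='entries 60000
insert_failed 12
drop 3
early_drop 40'

# Live use on the gateway:
#   conntrack -S | check_conntrack "$(sysctl -n net.netfilter.nf_conntrack_max)"
```

For the counters in the post the function reports 0% of 65536 slots used and no drops, which matches the author's conclusion that the table is not the problem.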
