NAT IPFW rules + bandwidth

[___FiNT___ 0]

Доброе время суток!

Нужна  помощь в утилизации natd.

 

rc.conf

#EXT I-FACE, REAL IP
ifconfig_em0="inet 97.123.145.165 netmask 255.255.255.255"
ifconfig_em0_alias0="inet 97.123.145.167 netmask 255.255.255.255"
ifconfig_em0_alias1="inet 97.123.145.167  netmask 255.255.255.252"

 

 

natd.conf

same_ports      yes
use_sockets     yes
  
redirect_address 192.168.1.2  97.123.145.167
redirect_address 192.168.1.3  97.123.145.168

 

firewall.conf

 

ipfw='/sbin/ipfw -q '

${ipfw} -f flush
${ipfw} table all flush
${ipfw} disable one_pass

${ipfw} pipe 10016 config bw 16Kbit/s mask dst-ip 0xffffffff.
${ipfw} pipe 10032 config bw 32Kbit/s mask dst-ip 0xffffffff.
${ipfw} pipe 10064 config bw 64Kbit/s mask dst-ip 0xffffffff.
${ipfw} pipe 10128 config bw 128Kbit/s mask dst-ip 0xffffffff.
${ipfw} pipe 10256 config bw 256Kbit/s mask dst-ip 0xffffffff.
${ipfw} pipe 10512 config bw 512Kbit/s mask dst-ip 0xffffffff
${ipfw} pipe 11024 config bw 1Mbit/s mask dst-ip 0xffffffff
${ipfw} pipe 12048 config bw 2Mbit/s mask dst-ip 0xffffffff
${ipfw} pipe 14096 config bw 4Mbit/s mask dst-ip 0xffffffff
${ipfw} pipe 18192 config bw 8Mbit/s mask dst-ip 0xffffffff
${ipfw} pipe 11000 config bw 10Mbit/s mask dst-ip 0xffffffff
${ipfw} pipe 11500 config bw 15Mbit/s mask dst-ip 0xffffffff
${ipfw} pipe 12000 config bw 20Mbit/s mask dst-ip 0xffffffff
${ipfw} pipe 12500 config bw 25Mbit/s mask dst-ip 0xffffffff
${ipfw} pipe 14000 config bw 40Mbit/s mask dst-ip 0xffffffff
${ipfw} pipe 16000 config bw 60Mbit/s mask dst-ip 0xffffffff
${ipfw} pipe 18000 config bw 80Mbit/s mask dst-ip 0xffffffff

# Upload
${ipfw} pipe 20016 config bw 16Kbit/s mask src-ip 0xffffffff
${ipfw} pipe 20032 config bw 32Kbit/s mask src-ip 0xffffffff
${ipfw} pipe 20064 config bw 64Kbit/s mask src-ip 0xffffffff
${ipfw} pipe 20128 config bw 128Kbit/s mask src-ip 0xffffffff
${ipfw} pipe 20256 config bw 256Kbit/s mask src-ip 0xffffffff
${ipfw} pipe 20512 config bw 512Kbit/s mask src-ip 0xffffffff
${ipfw} pipe 21024 config bw 1Mbit/s mask src-ip 0xffffffff
${ipfw} pipe 22048 config bw 2Mbit/s mask src-ip 0xffffffff
${ipfw} pipe 24096 config bw 4Mbit/s mask src-ip 0xffffffff
${ipfw} pipe 28192 config bw 8Mbit/s mask src-ip 0xffffffff
${ipfw} pipe 21000 config bw 10Mbit/s mask src-ip 0xffffffff
${ipfw} pipe 21500 config bw 15Mbit/s mask src-ip 0xffffffff
${ipfw} pipe 22000 config bw 20Mbit/s mask src-ip 0xffffffff
${ipfw} pipe 22500 config bw 25Mbit/s mask src-ip 0xffffffff
${ipfw} pipe 24000 config bw 40Mbit/s mask src-ip 0xffffffff
${ipfw} pipe 25000 config bw 50Mbit/s mask src-ip 0xffffffff


# external ip
${ipfw} table 70 add 97.123.145.167
${ipfw} table 70 add 97.123.145.168

# GateWays
${ipfw} table 75 add 192.168.1.1

# Local Users
${ipfw} table 80 add 192.168.1.0/22

/etc/scripts/update_aqualan_table.pl >> null
/etc/scripts/update_ukraine_table.pl >> null

${ipfw} add 100 check-state
${ipfw} add 200 allow ip from any to any via lo0
${ipfw} add 210 allow tcp from me to any keep-state via em0
${ipfw} add 210 allow udp from me to any keep-state via em0
${ipfw} add 220 deny ip from any to 127.0.0.0/8
${ipfw} add 230 deny ip from 127.0.0.0/8 to any


#----------  Managing trafic  LOCAL - ROUTER - SERVICE, VLAN ---------------------------------------------

# Allowind traffic from gateways to service zone of LAN (file servers, Switches)
${ipfw} add 500 allow ip from "table(75)"  to "table(90)" via  em1
${ipfw} add 510 allow ip from "table(90)"  to "table(75)" via  em1

# Allowind traffic from gateways to LOCAL USERS 
${ipfw} add 520 allow ip from "table(75)"  to "table(80)" via  em1
${ipfw} add 530 allow ip from "table(80)"  to "table(75)" via  em1

# Allowind traffic from Authorazed USERS to service zone of LAN
${ipfw} add 540 allow ip from "table(0)"  to "table(90)" via  em1
${ipfw} add 550 allow ip from "table(90)" to "table(0)"  via  em1

# Allowind traffic from Authorazed USERS to oher  V-LAN
${ipfw} add 560 allow ip from "table(0)"  to "table(80)" via  em1
${ipfw} add 570 allow ip from "table(80)"  to "table(0)" via  em1

#----------  Managing trafic  LOCAL - ROUTER - SERVICE, VLAN ---------------------------------------------


#------------- Nating incomin packages form I-Net iface --------------------------------------------------

${ipfw} add 900  divert natd ip from any to any in recv em0


#----------- Managing trafic  LOCAL -  ROUTER -  UA-IX ---------------------------------------------------
${ipfw} add 1000 allow ip from "table(100)" to "table(1)" 			# разрешаем входящие пакеты от сетей UA-IX из таблицы 100 на авторизированных юзеров из таблицы 1
${ipfw} add 1010 divert natd ip from "table(1)" to "table(100)"  out xmit em0	# отправляем на NAT пакеты от авторизированых юзеров из таблицы 1 на сети UA-IX из таблицы 100 через внешний интерфейс
${ipfw} add 1020 allow ip from "table(1)"  to "table(100)" # out xmit em0	# разрешаем входящие пакеты от авторизированых юзеров из таблицы 1 на  сетиUA-IX из таблицы 100
${ipfw} add 1030 allow ip from "table(100)" to any  out via em0			# разрешаем принимать на сервер пакеты, адресованые от сетей  UA-IX через внешний интерфейс
${ipfw} add 1200 deny log ip from "table(100)" to  "table(80)"  in recv  em0	# запрешщаем входящие  пакеты от сетей UA-IX из таблицы 100 на всех локальных юзеров таблица 80 через внешний интерфейс
${ipfw} add 1210 deny log ip from  "table(80)" to "table(100)"  out xmit em0	# запрещаем  исходящие пакеты от локальных юзеров таблица 80 на  сетиUA-IX из таблицы 100 через внешний интерфейс
#----------- Managing trafic  LOCAL -  ROUTER -  UA-IX ---------------------------------------------------

#----------- Managing trafic  LOCAL -  ROUTER (SHAPING)  -  WORLD ----------------------------------------
# резрешения на прохождение через сервер исходящих пакетов от пользователей авторизированых для доступа к WORLD 
${ipfw} add 2008 allow all from "table(8)" to any in recv em1
${ipfw} add 2009 allow all from "table(9)" to any in recv em1
${ipfw} add 2010 allow all from "table(10)" to any in recv em1
${ipfw} add 2011 allow all from "table(11)" to any in recv em1
${ipfw} add 2012 allow all from "table(12)" to any in recv em1
${ipfw} add 2013 allow all from "table(13)" to any in recv em1
${ipfw} add 2014 allow all from "table(14)" to any in recv em1
${ipfw} add 2015 allow all from "table(15)" to any in recv em1
${ipfw} add 2016 allow all from "table(16)" to any in recv em1
${ipfw} add 2017 allow all from "table(17)" to any in recv em1
${ipfw} add 2018 allow all from "table(18)" to any in recv em1
${ipfw} add 2019 allow all from "table(19)" to any in recv em1
${ipfw} add 2020 allow all from "table(20)" to any in recv em1
${ipfw} add 2021 allow all from "table(21)" to any in recv em1
${ipfw} add 2022 allow all from "table(22)" to any in recv em1
${ipfw} add 2023 allow all from "table(23)" to any in recv em1
${ipfw} add 2024 allow all from "table(24)" to any in recv em1

${ipfw} add 2030 allow all from "table(60)" to any in recv em1 

# резрешения на прохождение через сервер входящих пакетов от  пакетов от WORLD к авотризированым пользователям 
${ipfw} add 2108 allow all from any to "table(38)" out xmit em1
${ipfw} add 2109 allow all from any to "table(39)" out xmit em1
${ipfw} add 2110 allow all from any to "table(40)" out xmit em1
${ipfw} add 2111 allow all from any to "table(41)" out xmit em1
${ipfw} add 2112 allow all from any to "table(42)" out xmit em1
${ipfw} add 2113 allow all from any to "table(43)" out xmit em1
${ipfw} add 2114 allow all from any to "table(44)" out xmit em1
${ipfw} add 2115 allow all from any to "table(45)" out xmit em1
${ipfw} add 2116 allow all from any to "table(46)" out xmit em1
${ipfw} add 2117 allow all from any to "table(47)" out xmit em1
${ipfw} add 2118 allow all from any to "table(48)" out xmit em1
${ipfw} add 2119 allow all from any to "table(49)" out xmit em1
${ipfw} add 2120 allow all from any to "table(50)" out xmit em1
${ipfw} add 2121 allow all from any to "table(51)" out xmit em1
${ipfw} add 2122 allow all from any to "table(52)" out xmit em1
${ipfw} add 2123 allow all from any to "table(53)" out xmit em1
${ipfw} add 2130 allow all from any to "table(60)" out xmit em1

# нарезка скорости мир вход
${ipfw} add 2308 pipe 10016 all from any to "table(8)" in recv em0
${ipfw} add 2309 pipe 10032 all from any to "table(9)" in recv em0
${ipfw} add 2310 pipe 10064 all from any to "table(10)" in recv em0
${ipfw} add 2311 pipe 10128 all from any to "table(11)" in recv em0
${ipfw} add 2312 pipe 10256 all from any to "table(12)" in recv em0
${ipfw} add 2313 pipe 10512 all from any to "table(13)" in recv em0
${ipfw} add 2314 pipe 11024 all from any to "table(14)" in recv em0
${ipfw} add 2315 pipe 12048 all from any to "table(15)" in recv em0
${ipfw} add 2316 pipe 14096 all from any to "table(16)" in recv em0
${ipfw} add 2317 pipe 18192 all from any to "table(17)" in recv em0
${ipfw} add 2318 pipe 11000 all from any to "table(18)" in recv em0
${ipfw} add 2319 pipe 11500 all from any to "table(19)" in recv em0
${ipfw} add 2320 pipe 12000 all from any to "table(20)" in recv em0
${ipfw} add 2320 pipe 12500 all from any to "table(21)" in recv em0
${ipfw} add 2320 pipe 14000 all from any to "table(22)" in recv em0
${ipfw} add 2320 pipe 16000 all from any to "table(23)" in recv em0
${ipfw} add 2320 pipe 18000 all from any to "table(24)" in recv em0



# нарезка скорости мир исход
${ipfw} add 2408 pipe 20016 all from "table(38)" to any out xmit em0
${ipfw} add 2409 pipe 20032 all from "table(39)" to any out xmit em0
${ipfw} add 2410 pipe 20064 all from "table(40)" to any out xmit em0
${ipfw} add 2411 pipe 20128 all from "table(41)" to any out xmit em0
${ipfw} add 2412 pipe 20256 all from "table(42)" to any out xmit em0
${ipfw} add 2413 pipe 20512 all from "table(43)" to any out xmit em0
${ipfw} add 2414 pipe 21024 all from "table(44)" to any out xmit em0
${ipfw} add 2415 pipe 22048 all from "table(45)" to any out xmit em0
${ipfw} add 2416 pipe 24096 all from "table(46)" to any out xmit em0
${ipfw} add 2417 pipe 28192 all from "table(47)" to any out xmit em0
${ipfw} add 2418 pipe 21000 all from "table(48)" to any out xmit em0
${ipfw} add 2419 pipe 21500 all from "table(49)" to any out xmit em0
${ipfw} add 2420 pipe 22000 all from "table(50)" to any out xmit em0
${ipfw} add 2420 pipe 22500 all from "table(51)" to any out xmit em0
${ipfw} add 2420 pipe 24000 all from "table(52)" to any out xmit em0
${ipfw} add 2420 pipe 25000 all from "table(53)" to any out xmit em0

# нарезка скорости мир исход
${ipfw} add 2500 divert natd ip from "table(80)" to any out xmit em0
${ipfw} add 2600 allow ip from "table(70)" to any out  via em0		# разрешаем покидать сервер пакетам, адресованым на  внешние сети через внешний интерфейс

${ipfw} add 2610 allow ip from any to "table(80)"  in via em0			# разрешаем принимать на сервер пакеты, адресованые на внутрение сети из мира через  
#----------- Managing trafic  LOCAL -  ROUTER (SHAPING)  -  WORLD ----------------------------------------


#-----------Устанавливаем разрешения для локальных пользователей, на IP адресах сервера------------------
# Opening traf thrue service ports (SSH,WWW,Inetacces,WEBMIN,StgAdmin) on local i-face

${ipfw} add 2999  allow ip  from 97.123.145.165/32 to "table(80)","table(90)"  via  em1

#  DNS
${ipfw} add 3000  allow  tcp from "table(80)" to 97.123.145.165,192.168.1.2 53
${ipfw} add 3000  allow  udp from "table(80)" to 97.123.145.165,192.168.1.2 53

${ipfw} add 3010  allow icmp from "table(80)","table(90)" to 97.123.145.165/32   via em1
${ipfw} add 3100  allow ip from "table(80)","table(90)" to 97.123.145.165/32  dst-port 22  via em1
${ipfw} add 3110  allow ip from "table(80)","table(90)" to 97.123.145.165/32  dst-port 80  via em1
${ipfw} add 3120  allow ip from "table(80)" to "table(75)"  dst-port 5555  via em1
${ipfw} add 3130  allow ip from "table(80)","table(90)" to 97.123.145.165/32  dst-port 51530  via em1
${ipfw} add 3140  allow ip from "table(80)","table(90)" to 97.123.145.165/32  dst-port 51535  via em1
${ipfw} add 3140  allow ip from "table(80)","table(90)" to 97.123.145.165/32  dst-port 8000  via em1


${ipfw} add 3600  allow udp from "table(80)" 137 to "table(80)"  137 via em1
${ipfw} add 3600  allow udp from "table(80)" 138 to "table(80)"  138 via em1
${ipfw} add 3600  allow udp from "table(80)" 631 to "table(80)"  631 via em1


#----------- Устанавливаем разрешения для локальных пользователей, на IP адресах сервера------------------


#--------- Устанавливаем разрешения для внешних  пользователей, на внешние IP адресах сервера  -------------

${ipfw} add 4000  allow icmp from any to "table(70)" in via em0 icmptype 0,3,8,12 

${ipfw} add 4010  allow  tcp from any to 97.123.145.165 53
${ipfw} add 4010  allow  udp from any to 97.123.145.165 53

${ipfw} add 4100  allow tcp from any to 97.123.145.165 22 in via em0

#--------- Устанавливаем разрешения для внешних  пользователей, на внешние IP адресах сервера  -------------



# Set policy DENY ALL
${ipfw} add 65000 deny log  ip from any to any

 

 

OnConnect

#!/usr/local/bin/bash

fwcmd="/sbin/ipfw"
LOGIN=$1
IP=$2
CASH=$3
ID=$4
DIRS=$5
AQUA=${DIRS:0:1};
UAIX=${DIRS:1:1};
WORLD=${DIRS:2:1};


DSPEED=`/etc/stargazer/GetDSpeed.php $LOGIN`
USPEED=`/etc/stargazer/GetUSpeed.php $LOGIN`
cur_date=`date \+\%Y.\%m.\%d`
cur_time=`date \+\%H:\%M:\%S`


if [ $AQUA = 1 ]
then
${fwcmd} table 0 add ${IP}
fi

if [ $UAIX = 1 ]
then
${fwcmd} table 1 add ${IP}
fi

if [ $WORLD = 1 ]
then


case ${DSPEED} in
 16|16K|16k)				${fwcmd} table 8 add ${IP} ;;
 32|32K|32k)				${fwcmd} table 9 add ${IP} ;;
 64|64K|64k)				${fwcmd} table 10 add ${IP} ;;
 128|128K|128k)				${fwcmd} table 11 add ${IP} ;;
 256|256K|256k)				${fwcmd} table 12 add ${IP} ;;
 512|512K|512k)				${fwcmd} table 13 add ${IP} ;;
 1024|1024K|1024k|1M|1m|1)		${fwcmd} table 14 add ${IP} ;;
 2048|2048K|2048k|2M|2m|2)		${fwcmd} table 15 add ${IP} ;;
 4096|4096K|4096k|4M|4m|4)		${fwcmd} table 16 add ${IP} ;;
 8192|8192K|8192k|8M|8m|8)		${fwcmd} table 17 add ${IP} ;;
 10000|10000K|10000k|10M|10m|10)	${fwcmd} table 18 add ${IP} ;;
 15000|15000K|15000k|15M|15m|15)	${fwcmd} table 19 add ${IP} ;;
 20000|20000K|20000k|20M|20m|20)	${fwcmd} table 20 add ${IP} ;;
 25000|25000K|25000k|25M|25m|25)	${fwcmd} table 21 add ${IP} ;;
 40000|40000K|40000k|40M|40m|40)	${fwcmd} table 22 add ${IP} ;;
 60000|60000K|60000k|60M|60m|60)	${fwcmd} table 23 add ${IP} ;;
 80000|80000K|80000k|80M|80m|80)	${fwcmd} table 24 add ${IP} ;;
 unlim|UNLIM|unlimited|UNLIMITED)	${fwcmd} table 60 add ${IP} ;;
 *)					${fwcmd} table 8 add ${IP} ;;
esac


case ${USPEED} in
 16|16K|16k)				${fwcmd} table 38 add ${IP} ;;
 32|32K|32k)				${fwcmd} table 39 add ${IP} ;;
 64|64K|64k)				${fwcmd} table 40 add ${IP} ;;
 128|128K|128k)				${fwcmd} table 41 add ${IP} ;;
 256|256K|256k)				${fwcmd} table 42 add ${IP} ;;
 512|512K|512k)				${fwcmd} table 43 add ${IP} ;;
 1024|1024K|1024k|1M|1m|1)		${fwcmd} table 44 add ${IP} ;;
 2048|2048K|2048k|2M|2m|2)		${fwcmd} table 45 add ${IP} ;;
 4096|4096K|4096k|4M|4m|4)		${fwcmd} table 46 add ${IP} ;;
 8192|8192K|8192k|8M|8m|8)		${fwcmd} table 47 add ${IP} ;;
 10000|10000K|10000k|10M|10m|10)	${fwcmd} table 48 add ${IP} ;;
 15000|15000K|15000k|15M|15m|15)	${fwcmd} table 49 add ${IP} ;;
 20000|20000K|20000k|20M|20m|20)	${fwcmd} table 50 add ${IP} ;;
 25000|25000K|25000k|25M|25m|25)	${fwcmd} table 51 add ${IP} ;;
 40000|40000K|40000k|40M|40m|40)	${fwcmd} table 52 add ${IP} ;;
 50000|50000K|50000k|50M|50m|50)	${fwcmd} table 53 add ${IP} ;;
 unlim|UNLIM|unlimited|UNLIMITED)	${fwcmd} table 60 add ${IP} ;;
 *)					${fwcmd} table 38 add ${IP} ;;
esac

fi

echo "C `date +%Y.%m.%d-%H.%M.%S`       $ID     $LOGIN  $IP  ${DSPEED}/${USPEED} LAN=$LAN UAIX=$UAIX WORLD=$WORLD" $CASH  >> /var/stargazer/users/allconnect.log
echo "<=;$cur_date;$cur_time;$ID;$LOGIN;$IP;${DSPEED}/${USPEED}; LAN=$LAN UAIX=$UAIX WORLD=$WORLD; $CASH" >> /var/log/stats/connect.log

OnDisconnect

fwcmd="/sbin/ipfw"
LOGIN=$1
IP=$2
CASH=$3
ID=$4
cur_date=`date \+\%Y.\%m.\%d`
cur_time=`date \+\%H:\%M:\%S`

${fwcmd} table 0 delete ${IP};
${fwcmd} table 1 delete ${IP};


i=8;
while ( [ $i -lt 24 ]; );
do
${fwcmd} table ${i} delete ${IP};
i=$(expr $i \+ 1);
done


i=38;
while ( [ $i -lt 53 ]; );
do
${fwcmd} table ${i} delete ${IP};
i=$(expr $i \+ 1);
done

${fwcmd} table 60 delete ${IP};

#echo "D `date +%Y.%m.%d-%H.%M.%S`       $ID     $IP     $CASH" >> /var/stargazer/users/$LOGIN/connect.log
echo "D `date +%Y.%m.%d-%H.%M.%S`       $ID     $LOGIN  $IP     $CASH" >> /var/stargazer/users/allconnect.log
echo "=>;$cur_date;$cur_time;$ID;$LOGIN;$IP;$CASH" >> /var/log/stats/connect.log

 

какие правила нужны для ната ext ip to int ip  в ipfw

пробывал , не пронатил...

#!/bin/sh
# firewall command
FwCMD="/sbin/ipfw -q"

${FwCMD} -f flush

# Networks define
${FwCMD} table 2 add 192.168.1.0/22
${FwCMD} table 9 add 10.4.161.1

${fwcmd} add 10 allow icmp from any to any

${fwcmd} add 308 allow udp from any to 192.168.1.1 5555 via em0
${fwcmd} add 309 allow udp from 192.168.1.1 to any via em0

#NAT
${FwCMD} nat 1 config log if em1 reset same_ports
${FwCMD} add 6000 nat 1 ip from table\(2\) to not table\(9\) via em1
${FwCMD} add 6001 nat 1 ip from any to 10.4.161.1 via em1

#NAT EXT to INT
#${FwCMD} nat 2 config ip 10.4.161.54 same_ports redirect_addr 192.168.1.10 10.4.161.54

#${FwCMD} add 10130 skipto 10190 ip from 192.168.1.10 to any out xmit em1
#${FwCMD} add 10140 skipto 10210 ip from any to 10.4.161.54 in recv em1

#${FwCMD} add 10170 queue 2 ip from any to any in recv em1

#${FwCMD} add 10200 nat 2 ip from 192.168.1.10 to any out xmit em1
#${FwCMD} add 10210 nat 2 ip from any to 10.4.161.54 in recv em1
#${FwCMD} add 10220 queue 2 ip from any to any in recv em1


#blacklist

#hack
#${FwCMD} add 12002 allow ip from any to table\(4\) via em0 out
#${FwCMD} add 12003 allow ip from table\(3\) to any via em0 in

#Shaper - table 4 download speed, table 3 - upload speed
${FwCMD} add 12001 pipe tablearg ip from any to table\(4\) via em0 out
${FwCMD} add 12000 pipe tablearg ip from table\(3\) to any via em0 in

${FwCMD} add 65530 allow all from table\(2\) to 192.168.1.1 via em0
${FwCMD} add 65531 allow all  from 192.168.1.1 to table\(2\) via em0

# default block policy
${FwCMD} add 65533 deny all from table\(2\) to any via em0
${FwCMD} add 65534 deny all from any to table\(2\) via em0
${FwCMD} add 65535 allow all from any to any

Відредаговано 2013-02-17 14:33:48 ___FiNT___

[madf 279]

В утилизации? Выбросьте его на помойку, вот и вся утилизация.

[nightfly 1 236]

firewall.conf

 

OnConnect

 

OnDisconnect

 

Для начала "утилизировали" бы этот адЪ и израиль.

[___FiNT___ 0]

В утилизации? Выбросьте его на помойку, вот и вся утилизация.

 

 

 

firewall.conf

 

>OnConnect

 

OnDisconnect

 

Для начала "утилизировали" бы этот адЪ и израиль.

 

Да но какими правилами тогда пронатить ?

[Melanxolik 63]

Простыня конечно... и оно работает? небось i7 для этого держите.

[___FiNT___ 0]

Простыня конечно... и оно работает? небось i7 для этого держите.

да

при нате 0.5 Gb грузит на ~75% все ядра, а на входе 1Gb, поэтому natd не вариант..

Відредаговано 2013-02-18 00:29:14 ___FiNT___

[___FiNT___ 0]

Через что лучше организовать такой nat ? Ipnat или через ipfw?

[vovchok1 0]

А может попробовать PF NAT?

pf.conf

set limit states 128000

set optimization aggressive
nat pass on em0 from 10.0.0.0/8 to any -> em0
nat pass on em0 from 192.168.0.0/16 to any -> em0

 

Кажись меньше всего грузит  систему.

А реальные IP бинатом прокинуть в сеть

[Melanxolik 63]

о да, походу товариш не в курсе про проблемы pf или их уже решили для многоядерных)

[nightfly 1 236]

Неа, авторам pf еще никто не сказал, что существует smp :-)

[___FiNT___ 0]

Натить надо правилами ipfw 

[KaYot 3 702]

Натить надо linux'ом, это самая правильная версия BSD)

[loki 86]

Неа, авторам pf еще никто не сказал, что существует smp :-)

 

Уже точат  SMP-friendly pf.