If you're running ipfilter and ipnat on a fairly busy network, you may need to tune ipfilter to accommodate more than the default 30,000 NAT table entries. The following ipfilter_flags setting in rc.conf has been enough to run comfortably on a GigE link.
ipfilter_flags="-D -T ipf_nattable_sz=34487,ipf_nattable_max=600011,fr_tcpidletimeout=7200,fr_tcphalfclosed=300,fr_statemax=21529,fr_statesize=30757 -E"
Two details matter here. The -T argument is a single comma-separated list with no spaces after the commas, because the rc script passes ${ipfilter_flags} to ipf unquoted and a space would split the list into separate words. The -D before and -E after are deliberate: ipf processes its options in the order given, and the table-size tunables can only be written while the filter is disabled, so the line disables ipfilter, applies the new sizes, then re-enables it.
Keep in mind: the hash-table sizes (ipf_nattable_sz and fr_statesize) need to be prime numbers, or you'll get a lot of bad NATs (visible in the counters printed by ipnat -s). The *_max values are entry caps, not hash sizes, and don't have to be prime. Here's a list of prime numbers up to 999,983.
After a reboot, or after restarting ipfilter (/etc/rc.d/ipfilter restart), confirm that the new values took effect by listing the current tunables:
ipf -T list
The listing is also where to check tunable names before copying the line above: IPFilter 5 renamed most of the fr_* tunables to ipf_*, and ipf -T will refuse a name the running kernel doesn't know.
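Because a stray space or a non-prime table size only shows up as trouble after the filter has been restarted, it helps to sanity-check a proposed ipfilter_flags line offline first. The script below is an added example, not part of the original post and not part of IPFilter: it pulls the -T list out of an ipfilter_flags value the same way the shell would when the rc script expands it, warns about any name=value that fell outside the list because of a space, checks that every hash-table size is prime, and offers next_prime for picking a size. Treating names that end in _sz or size as hash-table sizes (and *max names as caps) is an assumption about IPFilter's naming; ipf -T list on your own system is the authority on which tunables exist.

```shell
#!/bin/sh
# Added example: offline sanity check of an ipfilter_flags value for rc.conf.
# Not part of the original post or of IPFilter. Assumption: tunables whose
# names end in "_sz" or "size" (ipf_nattable_sz, fr_statesize) are hash-table
# sizes and should be prime; "*max" tunables are entry caps and need not be.

# is_prime N -> returns 0 if N is prime, 1 otherwise. Trial division is plenty
# for the range ipf table sizes live in (up to a few hundred thousand).
is_prime() {
    n=$1
    [ "$n" -ge 2 ] || return 1
    [ "$n" -eq 2 ] && return 0
    [ $((n % 2)) -eq 0 ] && return 1
    d=3
    while [ $((d * d)) -le "$n" ]; do
        [ $((n % d)) -eq 0 ] && return 1
        d=$((d + 2))
    done
    return 0
}

# next_prime N -> prints the smallest prime >= N, for choosing a table size.
next_prime() {
    p=$1
    while ! is_prime "$p"; do
        p=$((p + 1))
    done
    echo "$p"
}

# check_ipfilter_flags FLAGS -> returns 0 if the -T list looks sane, 1 otherwise,
# printing one warning per problem on stderr.
check_ipfilter_flags() {
    flags=$1
    rc=0
    tlist=
    expect_list=0
    # Walk the words exactly as the shell splits ${ipfilter_flags} for ipf:
    # the single word after -T is the whole tunable list.
    for word in $flags; do
        if [ "$expect_list" -eq 1 ]; then
            tlist=$word
            expect_list=0
        else
            case $word in
                -T) expect_list=1 ;;
                *=*)
                    echo "warning: '$word' is outside the -T list (a space after a comma split it)" >&2
                    rc=1 ;;
            esac
        fi
    done
    if [ -z "$tlist" ]; then
        echo "warning: no -T tunable list found" >&2
        return 1
    fi
    # Now check each name=value pair inside the list.
    for kv in $(printf '%s\n' "$tlist" | tr ',' ' '); do
        name=${kv%%=*}
        value=${kv#*=}
        case $value in
            ''|*[!0-9]*)
                echo "warning: $name has non-numeric value '$value'" >&2
                rc=1
                continue ;;
        esac
        case $name in
            *_sz|*size)
                if ! is_prime "$value"; then
                    echo "warning: $name=$value is not prime; try $(next_prime "$value")" >&2
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Usage: paste the value from rc.conf (without the surrounding double quotes):
#   check_ipfilter_flags "-D -T ipf_nattable_sz=34487,ipf_nattable_max=600011 -E"
```

Run it against the exact string you intend to put in rc.conf; a return code of 0 means every size tunable is prime and nothing leaked out of the -T list.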
Alternatively, if you'd rather not tune ipfilter through rc.conf, you can rebuild the ipfilter kernel module with the LARGE_NAT option, which raises the compiled-in table defaults:
cd /usr/src/sys/modules/ipfilter
make clean
make -DLARGE_NAT depend
make -DLARGE_NAT
make install
Then reload the module (kldunload and kldload ipl) or reboot so the new build is the one running.
This raises a lot of the defaults at once, but is probably overkill unless you know you need it, and the values are baked into the module: changing them again means another rebuild, whereas the -T tunables can be adjusted without recompiling anything.