解决“FreeBSDNAT较Win2ksNAT慢”难题的备忘录
发表于:2007-07-04来源:作者:点击数:
标签:
1. 前言: 本来就是作个网吧使用的FreeBSD网关机,仅提供NAT 服务。指望依赖BSD超稳定性,提供稳定的 网络 服务。 可是一开始就犯了大错,选了个8139网卡,没成想,出了个大问题:网速慢!在痛苦好几日,在freebsdchina上与众高手讨论研究后,总算圆满解决!
1. 前言: 本来就是作个网吧使用的FreeBSD网关机,仅提供NAT 服务。指望依赖BSD超稳定性,提供稳定的
网络服务。
可是一开始就犯了大错,选了个8139网卡,没成想,出了个大问题:网速慢!在痛苦好几日,在freebsdchina上与众高手讨论研究后,总算圆满解决!
我感谢freebsdchina的伙伴们尤其是:delphij 等人的热情援助,还有china
unix的 zyme quakelee wolfop等人的帮助,使我确定了网卡是关键。
再次感谢大家支持!
教训:FreeBSD对Intel 3com等高端网卡支持好,最好不要用8139 530等网卡!否则作一些特别依赖网卡的服务,会麻烦不断。。
注:我的环境
NAT
服务器: P4 1.6G 512MRAM 8139x2
文件服务器: CII 1000A 512MRAM 网卡intel eepro100+ x1 Win2ks+SP4
客户机120台 Win98se 256MRAM C4p4 2.4G 8139 一般都有80人以上上座。
2. 与Win2ks 和 RH9Linux作的对比试验及结果: 都按照日期排序:
试验条件:陕西本省 ISP 的www.269.net 软件
下载, Win2kSP4CHN 大小128MB
注:2月27~3月3日 时,是默认的FreeBSD4.8+ipf+ipNAT 网速,任何时候,不超过1024MB/s,徘徊在800~900KB/s
基本上,最后用FreeBSD + ipf + ipnat 就是早上最快8.9MB/s;
网络繁忙时 有1MB/s左右;一般时段 有2Mb~5MB/s的速度。
用Win2ks + NAT 最多只有4.5MB/s.再高就没有了。Linux和FreeBSD 速度,是一个档次,但是FB的系统
安全比Linux好处理,FB本身的安全机制已经非常出色了。
系统稳定性上,自然不用多说,FB绝对的老大!Linux用着总觉的系统要散架似的。。系统不紧凑,觉得很松散的样子。
3. 修正后的最终版内核配置,和rc.conf ipf.rules ipnat.rules sysctl.conf文件 #为了方便,这里假设外网卡rl0的参数是ip:333.333.333.333 netmask:255.255.255.0 geteway:333.333.333.1#
3.1 最终版内核配置文件
#我的内核,是为作NAT网关配置,充分优化、精简的,不支持鼠标、光驱、软驱、scsi设备、dos分区、没有tun设备不可用ppp、pppoe、不可用X。#
#详细关于内核优化,参看www.freebsdchina.org
论坛的相关精华文章。#
内核NET
引用:
#
# NET -- NET kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
#
http://www.FreeBSD.org/doc/en_US.ISO8859-1...fig-config.html #
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (
http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ./LINT configuration file. If you are
# in doubt as to the purpose or necessity of a line, check first in LINT.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.51.2.2 2003/03/25 23:35:15 jhb Exp $
machine i386
cpu I686_CPU
ident NET #你的内核名字,要与内核配置文件名一致。
maxusers 0
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
options UFS_DIRHASH #Improve performance on big directories
options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=0 #Delay (in ms) before probing SCSI
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM #Rate limit bad replies
options CPU_ENABLE_SSE
options AUTO_EOI_1
#NETWORK#
#IPF
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPFILTER_DEFAULT_BLOCK #block all packets by default
# NET SAFE
options IPSTEALTH #support for stealth forwarding
options RANDOM_IP_ID
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
# OPTION
makeoptions CONF_CFLAGS=-fno-builtin #Don't allow use of memcmp, etc.
options PANIC_REBOOT_WAIT_TIME=0
options VGA_NO_FONT_LOADING # don't save/load font
options VGA_NO_MODE_CHANGE # don't change video modes
options MAXCONS=4 # number of virtual consoles
options SC_DISABLE_DDBKEY # disable `de
bug' key
options SC_DISABLE_REBOOT # disable reboot key sequence
options SC_HISTORY_SIZE=20 # number of history buffer lines
# You can selectively disable features in syscons.
options SC_NO_CUTPASTE
options SC_NO_FONT_LOADING
options SC_NO_SYSMOUSE
device isa
device eisa
device pci
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1 flags 0x1
device vga0 at isa?
# syscons is the default console driver, resembling an SCO console
device sc0 at isa? flags 0x100
device agp # support several AGP chipsets
# Floating point support - do not disable.
device npx0 at nexus? port IO_NPX irq 13
# PCI Ethernet NICs that use the common
MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device rl # RealTek 8129/8139
# Pseudo devices - the number indicates how many units to allocate.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
pseudo-device pty # Pseudo-ttys (telnet etc)
# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf #Berkeley packet filter
附录:(给没编译过内核的菜鸟看的,老手不用管了)
当在/sys/i386/conf/建立好 内核配置文件后,按下面步子编译内核:
# cd /usr/src/sys/i386/conf
# /usr/sbin/config 你的内核配置文件名
# cd ../../compile/你的内核配置文件名
# make depend
# make
# make install
# reboot
3.2 rc.conf文件
引用:
# -- sysinstall generated deltas -- # Sun Feb 29 01:11:45 2004
# -- sysinstall generated deltas -- # Sun Feb 29 01:15:50 2004
# Created: Sun Feb 29 01:11:45 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
kern_securelevel_enable="NO"
nfs_reserved_port_only="YES"
ifconfig_rl0="inet 333.333.333.333 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
gateway_enable="YES"
defaultrouter="333.333.333.1"
sshd_enable="NO"
ine
td_enable="NO"
tcp_extensions="YES"
hostname="SV.QDNET.NET"
check_quotas="NO"
sendmail_enable="NONE"
usbd_enable="NO"
syslogd_enable="NO" # Run syslog daemon (or NO).
fsck_y_enable="YES" # Set to YES to do fsck -y if the initial preen fails.
#####NTP-Network Time Protocol####
ntpdate_enable="YES" # Run ntpdate to sync time on boot (or NO).
ntpdate_program="/usr/sbin/ntpdate" # path to ntpdate, if you want a different one.
ntpdate_flags="211.39.143.103" # Korea Flags to ntpdate (if enabled).
#####IPF####
ipfilter_enable="YES" # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf" # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
###SYN-FIN###
# For the following option you need to have TCP_DROP_SYNFIN set in your
tcp_drop_synfin="YES" # Set to YES to drop TCP packets with SYN+FIN
###ICMP###
icmp_drop_redirect="YES" # Set to YES to ignore ICMP REDIRECT packets
###IPNAT###
ipnat_enable="YES" # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat" # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
3.3 ipf.rules文件(注意,因为是做实验,
测试速度,因此全面开放,没有安全措施。实际运用,请根据自己需要,自行增加安全策略。)
引用:
# ipf command:
#ipf -Fa
#ipf -f PATH/ipf.conf
#ipfstat #show ipf working
pass in on lo0 all
pass out on lo0 all
pass in on rl0 all
pass out on rl0 all
pass in on rl1 all
pass out on rl1 all
3.4 ipnat.rules文件
引用:
map rl0 192.168.0.0/24 -> 333.333.333.333/32 tcp/udp portmap 10000:65000
map rl0 192.168.0.0/24 -> 333.333.333.333/32 proxy port ftp ftp/tcp
map rl0 192.168.0.0/24 -> 333.333.333.333/32
3.5 sysctl.conf文件,对内核、tcp协议、ipf的微调,使之更适合作NAT。
wangx_d 写到:
vfs.vmiodirenable=1
kern.ipc.maxsockbuf=2097152
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.tcp.delayed_ack=0
net.inet.tcp.sendspace=65535
net.inet.tcp.re
cvspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
delphij 写到:
# Tweaked IPF parameters
net.inet.ipf.fr_tcpclosewait=120
net.inet.ipf.fr_tcplastack=120
net.inet.ipf.fr_tcptimeout=240
net.inet.ipf.fr_tcpclosed=60
net.inet.ipf.fr_tcphalfclosed=300
net.inet.ipf.fr_udptimeout=90
net.inet.ipf.fr_icmptimeout=35
4. ipnat 打开LARGE_NAT 的方法 #此方法似乎只可以在FreeBSD 4.x 使用,据说有朋友在5.x 这样作,就编译不下去了。#
delphij 写到:
编辑ipfilter源代码 /sys/contrib/ipfilter/netinet/ip_nat.h
把#undef LARGE_NAT 字段 改成:#define LARGE_NAT 就可在编译内核后,打开LARGE_NAT 选项
看注释,说是专门给1000~2000以上的大客户准备的。
5. 我找到的8139forBSD的官方驱动原码包,以及替换方法 5.1 Realtek官方8139 for FreeBSD 驱动下载地址:
#此驱动,RealTek官方,标明只是支持FreeBSD 4.x版本!有朋友在5.x使用过,
性能比原5.x带的要差好多。#
ftp://210.51.181.211/cn/nic/rtl8139abcd8130810xseries/freebsd-8139(110).zip
5.2 替换方法:
把下载的驱动压缩包解压,把里面的if_r
lreg.h if_rl.c
复制到 /usr/src/sys/pci 把原FreeBSD 原码带的 rl驱动原码覆盖就可以了。
#在重新编译内核后,就已经使用新的RealTek官方8139驱动了。
5.3 FreeBSD 4.8原带的8139原码 与 Realtek官方原码 的说明注释对比:
a. FreeBSD:
代码:
* Copyright (c) 1997, 1998
* Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved.
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: src/sys/pci/if_rl.c,v 1.126 2003/11/28 05:28:29 imp Exp $");
/*
* RealTek 8129/8139 PCI NIC driver
b. RealTek官方驱动:
代码:
Copyright (c) 1997, 1998
* Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved.
* $FreeBSD: src/sys/pci/if_rl.c,v 1.38.2.7 2001/07/19 18:33:07 wpaul Exp $
*/
/*
* RealTek 8129/8139 PCI NIC driver
c.FreeBSD 版的8139 驱动作者在 驱动原码里对8139 网卡的 评价!很恶劣,但是的确是实话!
引用:
Well, I wouldn't get that card if I were you. FreeBSD has a driver for it,
but a
clearcase/" target="_blank" >ccording to the author (Bill Paul), it's a really crappy card. Here's
a quote from FreeBSD's sys/pci/if_rl.c:
/*
* RealTek 8129/8139 PCI NIC driver
*
* Supports several extremely cheap PCI 10/100 adapters based on
* the RealTek chipset. Datasheets can be obtained from
* www.realtek.com.tw.
*
* Written by Bill Paul <wpaul@ctr.columbia.edu>
* Electrical Engineering Department
* Columbia University, New York City
*/
/*
* The RealTek 8139 PCI NIC redefines the meaning of 'low end.' This is
* probably the worst PCI ethernet controller ever made, with the possible
* exception of the FEAST chip made by SMC. The 8139 supports bus-master
* DMA, but it has a terrible interface that nullifies any performance
* gains that bus-master DMA usually offers.
[ ... ]
*
* It's impossible given this rotten design to really achieve decent
* performance at 100Mbps, unless you happen to have a 400Mhz PII or
* some equally overmuscled CPU to drive it.
*
[ ... ]
6. 一些提到的相关网卡polling /轮循 机制的问题 在讨论网卡性能时,有朋友提到可以打开网卡的polling :
建议1:“polling(4)的manpage里面的列表明确支持rl(4),而且我本人就在用啊……
升级到4.9-RELEASE吧。”
建议2:“POLLING在低负载的时候对性能的影响很可能是降低,但高负载就不一定了。”
但是我在FreeBSD 4.8 的内核配置的 全功能样例文件/sys/i386/conf/lint 文件里polling 的相关注释,说明只支持"dc" "fxp" "sis" 三种网卡。
以下是原文:
代码:
# DEVICE_POLLING adds support for mixed inter
rupt-polling handling
# of network device drivers, which has significant benefits in terms
# of robustness to overloads and responsivity, as well as permitting
# accurate scheduling of the CPU time between kernel network processing
# and other activities. The drawback is a moderate (up to 1/HZ seconds)
# potential increase in response times.
# It is strongly recommended to use HZ=1000 or 2000 with DEVICE_POLLING
# to achieve smoother behaviour.
# Additionally, you can enable/disable polling at runtime with the
# sysctl variable kern.polling.enable (defaults off), and select
# the CPU fraction reserved to userland with the sysctl variable
# kern.polling.user_frac (default 50, range 0..100).
#
# Only the "dc" "fxp" and "sis" devices support this mode of operation at
# the time of this writing.
options DEVICE_POLLING
7. 在www.freebsdchina.org 的相关讨论原文链接 引用:
(补发)救急!做NAT(ipf) ,内外网都可通,就是不能NAT!!都装两遍了!哈哈,自己解决了
http://www.freebsdchina.org/forum/viewtopic.php?t=9772&highlight= FreeBSD比Win2KS慢!!!奇怪,慢!大家给看看!
http://www.freebsdchina.org/forum/viewtopic.php?t=8980&highlight= FreeBSD较Win2k慢的原因已经解决。。只能换Linux了。。
http://www.freebsdchina.org/forum/viewtopic.php?t=9026&highlight= 看来有必要讲一下,关于 RealTek 和 D-LINK 网卡的问题
http://www.freebsdchina.org/forum/viewtopic.php?t=9066&highlight= 为何我的intel网卡在FreeBSD4.9下怎么慢?
http://www.freebsdchina.org/forum/viewtopic.php?t=9071&highlight=
原文转自:http://www.ltesting.net