likuku
Joined: 2003-09-17  Posts: 4848  From: Xi'an, Shaanxi
Posted: Mon 2004-04-19 23:22:38  Subject: Memo: solving the "FreeBSD NAT is slower than Win2k Server NAT" problem
Version 1.0, Copyright (C) 2004 likuku. This article is original work by likuku; it may be freely reposted as long as the author's copyright is acknowledged, but not for commercial purposes. Copyright on the quoted material remains with its original authors! Finished 2004-04-17 20:34.

Contents:
1. Preface
2. Comparison tests against Win2k Server and RH9 Linux, and the results.
3. The corrected final kernel configuration, and the rc.conf, ipf.rules, ipnat.rules and sysctl.conf files.
4. How to turn on LARGE_NAT for ipnat.
5. The official Realtek 8139 driver source package for BSD that I found, and how to swap it in.
6. Some of the issues raised about the NIC polling mechanism.
7. Links to the original related discussions at [forum link missing].
8. Links to the original related discussions at [forum link missing].
Body:
1. Preface: This was meant to be a FreeBSD gateway box for an Internet cafe, providing nothing but NAT and relying on BSD's legendary stability to deliver a stable network service. But I made a big mistake right at the start: I chose an 8139 NIC, and unexpectedly ran into a serious problem: the network was slow! After several painful days of discussing and investigating with the experts on freebsdchina, it was finally fully solved!
My thanks to the folks at freebsdchina, especially delphij and others, for their enthusiastic help, and to zyme, quakelee, wolfop and others at chinaunix, whose help let me pin down the NIC as the key. Thanks again to everyone for the support!
Lesson: FreeBSD supports high-end NICs such as Intel and 3Com well; avoid 8139, 530 and similar NICs! Otherwise any service that depends heavily on the NIC will give you endless trouble.
Note: my environment.
NAT server: P4 1.6G, 512M RAM, 8139 x2.
File server: CII 1000A, 512M RAM, Intel EEPro100+ x1, Win2k Server + SP4.
Clients: 120 machines, Win98SE, 256M RAM, C4p4 2.4G, 8139.
Usually 80 or more seats are occupied.
2. Comparison tests against Win2k Server and RH9 Linux, and the results:
All sorted by date:
Test conditions: software download from a Shaanxi provincial ISP; the file was Win2kSP4CHN, 128MB in size.
Note: from Feb 27 to Mar 3 this was the speed of a default FreeBSD 4.8 + ipf + ipnat setup: never above 1024MB/s at any time, hovering at 800–900KB/s.
The record screenshots follow... they are tables and I couldn't get them uploaded!
Basically, in the end, with FreeBSD + ipf + ipnat the peak is 8.9MB/s in the morning; about 1MB/s when the network is busy; and 2Mb–5MB/s in normal hours.
With Win2k Server + NAT the most you get is 4.5MB/s, and no higher. Linux and FreeBSD are in the same speed class, but FreeBSD's system security is easier to handle than Linux's; FreeBSD's own security mechanisms are already excellent.
On stability there is no contest: FreeBSD is the undisputed boss! With Linux the system always feels as if it is about to fall apart... not compact, rather loose.
3. The corrected final kernel configuration, and the rc.conf, ipf.rules, ipnat.rules and sysctl.conf files
# For convenience, assume the external NIC rl0 has ip: 333.333.333.333, netmask: 255.255.255.0, gateway: 333.333.333.1 #
3.1 Final kernel configuration file
# My kernel is configured for a NAT gateway, fully optimised and stripped down: no mouse, CD-ROM, floppy, SCSI devices or DOS partitions; no tun device, so ppp and pppoe cannot be used; X cannot be used. #
# For details on kernel optimisation, see the relevant highlighted articles on the forum. #
Kernel NET
Quote:
#
# NET -- NET kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
#
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server () for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ./LINT configuration file. If you are
# in doubt as to the purpose or necessity of a line, check first in LINT.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.51.2.2 2003/03/25 23:35:15 jhb Exp $

machine		i386
cpu		I686_CPU
ident		NET		# your kernel name; it must match the config file name
maxusers	0

options 	INET			#InterNETworking
options 	FFS			#Berkeley Fast Filesystem
options 	FFS_ROOT		#FFS usable as root device [keep this!]
options 	SOFTUPDATES		#Enable FFS soft updates support
options 	UFS_DIRHASH		#Improve performance on big directories
options 	PROCFS			#Process filesystem
options 	COMPAT_43		#Compatible with BSD 4.3 [KEEP THIS!]
options 	SCSI_DELAY=0		#Delay (in ms) before probing SCSI
options 	SYSVSHM			#SYSV-style shared memory
options 	SYSVMSG			#SYSV-style message queues
options 	SYSVSEM			#SYSV-style semaphores
options 	P1003_1B		#Posix P1003_1B real-time extensions
options 	_KPOSIX_PRIORITY_SCHEDULING
options 	ICMP_BANDLIM		#Rate limit bad replies
options 	CPU_ENABLE_SSE
options 	AUTO_EOI_1

#NETWORK#
#IPF
options 	IPFILTER		#ipfilter support
options 	IPFILTER_LOG		#ipfilter logging
options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default

# NET SAFE
options 	IPSTEALTH		#support for stealth forwarding
options 	RANDOM_IP_ID
options 	TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN

# OPTION
makeoptions	CONF_CFLAGS=-fno-builtin	#Don't allow use of memcmp, etc.
options 	PANIC_REBOOT_WAIT_TIME=0
options 	VGA_NO_FONT_LOADING	# don't save/load font
options 	VGA_NO_MODE_CHANGE	# don't change video modes
options 	MAXCONS=4		# number of virtual consoles
options 	SC_DISABLE_DDBKEY	# disable `debug' key
options 	SC_DISABLE_REBOOT	# disable reboot key sequence
options 	SC_HISTORY_SIZE=20	# number of history buffer lines
# You can selectively disable features in syscons.
options 	SC_NO_CUTPASTE
options 	SC_NO_FONT_LOADING
options 	SC_NO_SYSMOUSE

device		isa
device		eisa
device		pci

# ATA and ATAPI devices
device		ata
device		atadisk			# ATA disk drives

# atkbdc0 controls both the keyboard and the PS/2 mouse
device		atkbdc0	at isa? port IO_KBD
device		atkbd0	at atkbdc? irq 1 flags 0x1
device		vga0	at isa?

# syscons is the default console driver, resembling an SCO console
device		sc0	at isa? flags 0x100

device		agp		# support several AGP chipsets

# Floating point support - do not disable.
device		npx0	at nexus? port IO_NPX irq 13

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device		miibus		# MII bus support
device		rl		# RealTek 8129/8139

# Pseudo devices - the number indicates how many units to allocate.
pseudo-device	loop		# Network loopback
pseudo-device	ether		# Ethernet support
pseudo-device	pty		# Pseudo-ttys (telnet etc)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device	bpf		#Berkeley packet filter
Appendix (for newbies who have never compiled a kernel; old hands can skip this):
Once the kernel configuration file has been created under /sys/i386/conf/, build the kernel with the following steps:
# cd /usr/src/sys/i386/conf
# /usr/sbin/config <your kernel config file name>
# cd ../../compile/<your kernel config file name>
# make depend
# make
# make install
# reboot
3.2 The rc.conf file
Quote:
# -- sysinstall generated deltas -- # Sun Feb 29 01:11:45 2004
# -- sysinstall generated deltas -- # Sun Feb 29 01:15:50 2004
# Created: Sun Feb 29 01:11:45 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
kern_securelevel_enable="NO"
nfs_reserved_port_only="YES"
ifconfig_rl0="inet 333.333.333.333 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
gateway_enable="YES"
defaultrouter="333.333.333.1"
sshd_enable="NO"
inetd_enable="NO"
tcp_extensions="YES"
hostname="SV.QDNET.NET"
check_quotas="NO"
sendmail_enable="NONE"
usbd_enable="NO"
syslogd_enable="NO"		# Run syslog daemon (or NO).
fsck_y_enable="YES"		# Set to YES to do fsck -y if the initial preen fails.

#####NTP-Network Time Protocol####
ntpdate_enable="YES"		# Run ntpdate to sync time on boot (or NO).
ntpdate_program="/usr/sbin/ntpdate"	# path to ntpdate, if you want a different one.
ntpdate_flags="211.39.143.103"	# Korea  Flags to ntpdate (if enabled).
#####IPF####
ipfilter_enable="YES"		# Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"	# where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules"	# rules definition file for ipfilter, see
###SYN-FIN###
# For the following option you need to have TCP_DROP_SYNFIN set in your
tcp_drop_synfin="YES"		# Set to YES to drop TCP packets with SYN+FIN
###ICMP###
icmp_drop_redirect="YES"	# Set to YES to ignore ICMP REDIRECT packets
###IPNAT###
ipnat_enable="YES"		# Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"	# where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"	# rules definition file for ipnat
3.3 The ipf.rules file (note: because this was an experiment to measure speed, it is wide open with no security measures at all. For real use, add security policy according to your own needs.)
Quote:
# ipf commands:
#ipf -Fa
#ipf -f PATH/ipf.conf
#ipfstat		#show ipf working

pass in on lo0 all
pass out on lo0 all
pass in on rl0 all
pass out on rl0 all
pass in on rl1 all
pass out on rl1 all
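As an added example (not part of the original post), here is a stateful version of that ruleset that keeps the NAT working but closes the inbound side, which is the "security policy" the note above leaves to the reader. It assumes the same layout as the rest of this memo (rl0 external, rl1 internal on 192.168.0.0/24) and a kernel built with IPFILTER_DEFAULT_BLOCK as in section 3.1.

```conf
# /etc/ipf.rules -- stateful variant (added example, not from the post).
# Assumes: rl0 = external, rl1 = internal 192.168.0.0/24.
# "quick" stops rule evaluation at the first match, so order matters.
# A packet that matches a state-table entry passes before any rule is
# consulted; that is what lets replies back in through the blocks below.

# Loopback: unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Internal interface: only our LAN may originate traffic. Replies to
# the clients are matched by state, not by a blanket "pass in ... all".
pass in quick on rl1 from 192.168.0.0/24 to any keep state
block in log quick on rl1 all
pass out quick on rl1 all

# External interface, inbound: drop packets claiming a private or
# loopback source (anti-spoofing), then everything else without state.
# "log" only produces records if ipmon(8) is running to collect them.
block in log quick on rl0 from 192.168.0.0/16 to any
block in log quick on rl0 from 10.0.0.0/8 to any
block in log quick on rl0 from 172.16.0.0/12 to any
block in log quick on rl0 from 127.0.0.0/8 to any
block in log quick on rl0 all

# External interface, outbound: NAT'ed client traffic and the gateway's
# own traffic (ntpdate) leave here. ipf filters before ipnat translates
# on output, so "from any" also covers the untranslated 192.168.0.x.
pass out quick on rl0 proto tcp from any to any flags S/SA keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
block out log quick on rl0 all
```

Load it with the same ipf -Fa / ipf -f sequence shown in the comments above, and check with ipfstat -s that state entries appear when a client opens a connection.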
3.4 The ipnat.rules file
Quote:
# map rules are tried in order and the first match wins, so the ftp proxy
# rule must come before the general portmap rule; otherwise FTP control
# connections are simply port-mapped and the proxy never sees them.
map rl0 192.168.0.0/24 -> 333.333.333.333/32 proxy port ftp ftp/tcp
map rl0 192.168.0.0/24 -> 333.333.333.333/32 portmap tcp/udp 10000:65000
map rl0 192.168.0.0/24 -> 333.333.333.333/32
3.5 The sysctl.conf file: fine tuning of the kernel, TCP and ipf to make the box better suited to NAT.
wangx_d wrote:
vfs.vmiodirenable=1
kern.ipc.maxsockbuf=2097152
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.tcp.delayed_ack=0
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
delphij wrote:
# Tweaked IPF parameters
net.inet.ipf.fr_tcpclosewait=120
net.inet.ipf.fr_tcplastack=120
net.inet.ipf.fr_tcptimeout=240
net.inet.ipf.fr_tcpclosed=60
net.inet.ipf.fr_tcphalfclosed=300
net.inet.ipf.fr_udptimeout=90
net.inet.ipf.fr_icmptimeout=35
4. How to turn on LARGE_NAT for ipnat
# This method seems to work only on FreeBSD 4.x; I have heard that someone who did this on 5.x could not get the kernel to compile. #
delphij wrote:
Edit the ipfilter source /sys/contrib/ipfilter/netinet/ip_nat.h
and change the line #undef LARGE_NAT to #define LARGE_NAT; after rebuilding the kernel the LARGE_NAT option is on.
According to the comment there, it is intended for large sites with 1000–2000 clients or more.
5. The official Realtek 8139 driver source package for BSD that I found, and how to swap it in.
5.1 Download address for Realtek's official 8139 driver for FreeBSD:
# Realtek states that this driver supports only FreeBSD 4.x! Someone tried it on 5.x and found its performance much worse than the driver that ships with 5.x. #
5.2 Replacement procedure:
Unpack the downloaded driver archive and copy if_rlreg.h and if_rl.c from it
into /usr/src/sys/pci, overwriting the rl driver sources that ship with FreeBSD.
# After rebuilding the kernel you are running the new official Realtek 8139 driver.
5.3 Comparison of the header comments in the 8139 source that ships with FreeBSD 4.8 and in Realtek's official source (both carry a $FreeBSD$ id, so the "official" package is a revision of the same FreeBSD driver):
a. FreeBSD:
Code:
 * Copyright (c) 1997, 1998
 *	Bill Paul . All rights reserved.
#include
__FBSDID("$FreeBSD: src/sys/pci/if_rl.c,v 1.126 2003/11/28 05:28:29 imp Exp $");

/*
 * RealTek 8129/8139 PCI NIC driver
b. Realtek official driver:
Code:
 * Copyright (c) 1997, 1998
 *	Bill Paul . All rights reserved.
 * $FreeBSD: src/sys/pci/if_rl.c,v 1.38.2.7 2001/07/19 18:33:07 wpaul Exp $
 */

/*
 * RealTek 8129/8139 PCI NIC driver
c. The FreeBSD 8139 driver author's verdict on the 8139 NIC, in the driver source itself! Harsh, but it is the plain truth!
Quote:
Well, I wouldn't get that card if I were you. FreeBSD has a driver for it, but according to the author (Bill Paul), it's a really crappy card. Here's a quote from FreeBSD's sys/pci/if_rl.c:

/*
 * RealTek 8129/8139 PCI NIC driver
 *
 * Supports several extremely cheap PCI 10/100 adapters based on
 * the RealTek chipset. Datasheets can be obtained from
 *
 *
 * Written by Bill Paul
 * Electrical Engineering Department
 * Columbia University, New York City
 */

/*
 * The RealTek 8139 PCI NIC redefines the meaning of 'low end.' This is
 * probably the worst PCI ethernet controller ever made, with the possible
 * exception of the FEAST chip made by SMC. The 8139 supports bus-master
 * DMA, but it has a terrible interface that nullifies any performance
 * gains that bus-master DMA usually offers.
 * [ ... ]
 *
 * It's impossible given this rotten design to really achieve decent
 * performance at 100Mbps, unless you happen to have a 400Mhz PII or
 * some equally overmuscled CPU to drive it.
 * [ ... ]
6. Some of the issues raised about the NIC polling mechanism.
While discussing NIC performance, some people suggested turning on NIC polling:
Suggestion 1: "The list in the polling(4) manpage explicitly supports rl(4), and I am using it myself... upgrade to 4.9-RELEASE."
Suggestion 2: "Under low load POLLING most likely reduces performance, but under high load that is not necessarily the case."
## Note: DEVICE_POLLING cannot be used together with SMP! Thanks to delphij for verifying/confirming this. ##
However, the comment on polling in the full-featured sample kernel configuration /sys/i386/conf/LINT for FreeBSD 4.8 says that only three NICs are supported: "dc", "fxp" and "sis".
Here is the original text:
Code:
# DEVICE_POLLING adds support for mixed interrupt-polling handling
# of network device drivers, which has significant benefits in terms
# of robustness to overloads and responsivity, as well as permitting
# accurate scheduling of the CPU time between kernel network processing
# and other activities. The drawback is a moderate (up to 1/HZ seconds)
# potential increase in response times.
# It is strongly recommended to use HZ=1000 or 2000 with DEVICE_POLLING
# to achieve smoother behaviour.
# Additionally, you can enable/disable polling at runtime with the
# sysctl variable kern.polling.enable (defaults off), and select
# the CPU fraction reserved to userland with the sysctl variable
# kern.polling.user_frac (default 50, range 0..100).
#
# Only the "dc" "fxp" and "sis" devices support this mode of operation at
# the time of this writing.
options DEVICE_POLLING
7. Links to the original related discussions at [forum link missing].
Quote:
(Reposted) Urgent! Doing NAT (ipf): both the inside and outside networks are reachable, but NAT just doesn't work!! Installed twice already! Haha, solved it myself
FreeBSD slower than Win2KS!!! Strange, it's slow! Everyone please take a look!
The reason FreeBSD is slower than Win2k has been found... nothing for it but to switch to Linux...
It seems necessary to talk about the RealTek and D-LINK NIC issue
Why is my Intel NIC so slow under FreeBSD 4.9?
8. Links to the original related discussions at [forum link missing].
Quote:
FreeBSD slower than Win2KS!!! Strange, it's slow! Everyone please take a look!
The reason FreeBSD is slower than Win2k has been found... nothing for it but to switch to Linux...
Last modified 2004-04-19 23:00.