Do a lot of Port Forwarding Rules impact traffic speed?



  • Hi guys,

    This week I changed the firewall server of our company from a very old TMG to a shiny new server with pfSense running on it.

    After installing and basic configuration everything was working fine and the speed was a snappy 100 Mbit/s up and down.

    Our setup is the following:

    The ISP provides us with 254 public IPs which are all (except ***.***.***.1 which is the ISP modem) configured as Virtual IPs of the WAN interface.
    Behind pfSense are now hundreds of machines, which are provided with IP addresses just fine and can access the internet.
    About 250 of these machines need port forwarding of at least 2 ports.

    So I created a NAT port forwarding rule for every machine, so that the external IP ***.***.***.xxx maps to the internal IP 10.0.0.xxx, for example for the SSH protocol.

    NAT worked fine; I tested it from outside our network. But with every rule my connection speed got slower. I'm not sure if it really is caused by the NAT rules or if I'm looking in the wrong places.

    Now I'm at approx. 520 rules, and that's not even counting the custom ones that special servers need in addition to the two I already forwarded…

    Loading a website from within the network takes several seconds up to a minute instead of an almost instant load.

    Has anyone experienced such behavior and found a solution? Or am I just naive to think 500+ rules would just work like a dream?

    tl;dr: Do a lot of Port Forwarding Rules impact traffic speed?

    Cheers, Esbit



  • Did you try the NAT outbound with Translation pool options?



  • 500 isn't all that many. It certainly wouldn't have any significant impact on performance. You have something else going on there. Capture the traffic from the slow requests and see what it's doing and not doing.



  • Okay… xD

    First of all, thanks for your replies!

    I thought so too, that 500 rules should be nothing. And in the end it wasn't that.

    The next day I opened pfSense and saw, thanks to Darkstat, that we had one server that was just hogging the whole bandwidth. All the time. Soooo, blocked it and now it's working like a dream!

    Thanks again! The thread can be closed :)

    Cheers,
        Esbit
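The advice above ("capture the traffic from the slow requests") and the resolution (Darkstat showing a single server saturating the link) both come down to one check: aggregate captured traffic per internal host and see whether one host dominates. The following is an added example, not code from the thread or from pfSense/Darkstat. It parses a few constructed flow records in a simple `src,dst,bytes` format (the addresses, byte counts, the 10.0.0.0/8 LAN range and the 100 Mbit/s link are assumptions for illustration) and reports hosts that account for most of the observed bytes or whose implied rate approaches the link capacity.

```python
"""Spot a bandwidth hog from captured flow records.

Added example (not code from the original thread). It mimics what the
poster saw in Darkstat: one internal host consuming the whole link. Input
is a few constructed 'src,dst,bytes' lines; the addresses, byte counts,
LAN range and link size are assumptions for illustration only.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed LAN range (10.0.0.x as in the thread)
LINK_BPS = 100_000_000                # assumed 100 Mbit/s uplink
WINDOW_S = 60                         # seconds the captured records cover (assumed)

# Constructed sample flow records: src,dst,bytes  (NOT real traffic)
SAMPLE_FLOWS = """\
10.0.0.17,198.51.100.9,640000000
10.0.0.17,198.51.100.10,95000000
10.0.0.23,203.0.113.5,1200000
10.0.0.41,203.0.113.7,800000
198.51.100.9,10.0.0.17,12000000
203.0.113.5,10.0.0.23,3400000
"""


def parse_flows(text):
    """Parse 'src,dst,bytes' lines into (src, dst, bytes) tuples; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, nbytes = line.split(",")
        flows.append((ip_address(src), ip_address(dst), int(nbytes)))
    return flows


def bytes_per_internal_host(flows):
    """Sum bytes in both directions for every host inside INTERNAL."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        for host in (src, dst):
            if host in INTERNAL:
                totals[str(host)] += nbytes
    return dict(totals)


def find_hogs(flows, link_bps=LINK_BPS, window_s=WINDOW_S, share=0.5):
    """Return internal hosts that dominate the link, most traffic first.

    Two tests are applied: share of the bytes actually observed, and the
    implied bit rate against link capacity. The second catches a single
    chatty host even when the capture only covers part of the window.
    """
    totals = bytes_per_internal_host(flows)
    seen = sum(totals.values()) or 1
    hogs = []
    for host, nbytes in sorted(totals.items(), key=lambda kv: -kv[1]):
        rate_bps = nbytes * 8 / window_s
        if nbytes / seen >= share or rate_bps >= share * link_bps:
            hogs.append({
                "host": host,
                "bytes": nbytes,
                "share_of_seen": round(nbytes / seen, 3),
                "link_util": round(rate_bps / link_bps, 3),
            })
    return hogs


if __name__ == "__main__":
    for h in find_hogs(parse_flows(SAMPLE_FLOWS)):
        print(f"{h['host']}: {h['bytes']} bytes, "
              f"{h['share_of_seen']:.0%} of observed traffic, "
              f"~{h['link_util']:.0%} of link capacity")
```

With the constructed sample, 10.0.0.17 accounts for roughly 99% of the observed bytes and about 99.6 Mbit/s on the assumed 100 Mbit/s link, which is the pattern the thread describes: the NAT rule count is irrelevant, one host is simply filling the pipe. Real input would come from Darkstat, pfSense's traffic graphs, or a pcap reduced to per-flow byte counts, not from the inline sample.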



  • Isn't this what 1:1 NAT is for?

