#1 2017-03-04 21:53:00

WSS
Trusted Member
Registered: 2016-12-22
Posts: 255

Fastest way to forward data from external IP to NAT'd host?

I posted this on the other forum, but this may make more sense, since it's guaranteed to have people who deal with this daily..

Hi Guys,

I've set up my own services-in-KVM on a cheap KS machine which is completely overspec'd for the nameserver I'm going to be using it as. I've got my NIC set up as a bridge, and my clients each have their own unique MAC address. This is simple, and seems to work the easiest (as well as make the most sense).

The problem I have, though, is that there is a minimal but existent delay between the host and the KVM, forwarding both TCP and UDP to port 53. Client OS is OpenBSD running native virtio drivers on both client and host. Obviously, this is NOT ideal, but I can't really think of a better way of doing this.

Here's a broken-apart snippet of iptables on the host to allow UDP/TCP on 53, at least how I'm doing it:

iptablesSuck wrote:

/sbin/iptables -A PREROUTING -t nat -i br0 -p tcp --dport 53 -j DNAT --to 192.168.0.100:53
/sbin/iptables -A PREROUTING -t nat -i br0 -p udp --dport 53 -j DNAT --to 192.168.0.100:53
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -d 192.168.0.100 --dport 53 -j ACCEPT

I'm aware that packets on the bridge can be queued through iptables twice, since it hits iptables' INPUT, and then a second time after it sees that the virtual MAC is a local destination. So, I've got this beauty set up so it only goes through once. Keep in mind that the verbs for broute are stupidly named (DROP means the frame has to be routed, ACCEPT means the frame has to be bridged).

ebtablesSuckToo wrote:

/sbin/ebtables -t broute -A BROUTING -d my:br:mac:address:goes:here -j redirect --redirect-target DROP

I've yet to have it drop or lose any UDP packets before the client moves on to the next host, but it just isn't snappy.  What can I do to get this *just a bit faster*?



#2 2017-03-05 09:45:19

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500

Re: Fastest way to forward data from external IP to NAT'd host?

Interesting one. A few questions: what is the measurable delay, and what makes you believe it is iptables specifically?

Initial reaction is I do not believe there is any other way to do the rules; the delay will be iptables processing them itself. Would making a small ramdrive and forcing iptables to run entirely from RAM speed it up enough to compensate?


http://LittleHappyCloud.net KVM VPS with 1TB Bandwidth for €3.00


#3 2017-03-06 02:43:25

WSS
Trusted Member
Registered: 2016-12-22
Posts: 255

Re: Fastest way to forward data from external IP to NAT'd host?

I'd say it's less than 100ms, but I don't have sample data in front of me. Of course, it's not as fast as being native. I'm blaming iptables because I dislike iptables. Heck, I dislike a lot of design changes Linux has had over the years, most recently systemd. :)

I don't think it'd help much; I've thought about loading tools into an initrd to spawn QEMU and so forth, but that's beyond insane for shaving off a few ms. The OBSD client has logging off, so the virtual disk doesn't need much; the entire instance could be cached in RAM.



#4 2017-04-12 05:07:44

AuroraZero
Slacker
From: Slacker Labs
Registered: 2017-04-01
Posts: 60

Re: Fastest way to forward data from external IP to NAT'd host?

Can't you pass the required IP directly through the iproute of the network config and bypass iptables altogether?


The world is full of nuts.....Come join us. smile


#5 2017-04-12 14:57:37

WSS
Trusted Member
Registered: 2016-12-22
Posts: 255

Re: Fastest way to forward data from external IP to NAT'd host?

AuroraZero wrote:

Can't you pass the required IP directly through the iproute of the network config and bypass iptables altogether?

Thanks for your response.

Perhaps it's the fact that it's still dark-thirty, but I'm having problems parsing this. If I wanted to run the services directly on the host, there wouldn't be a need, but this machine hosts several KVMs and for things like DNS, I just want a tit-for-tat for the port. Other things aren't quite so important.

The overhead isn't very much, but being that this forum is by-and-for NAT NUTters, I thought I'd see if anyone had a better idea.



#6 2017-04-12 21:27:41

AuroraZero
Slacker
From: Slacker Labs
Registered: 2017-04-01
Posts: 60

Re: Fastest way to forward data from external IP to NAT'd host?

I see now, yeah, I am afraid iptables or ebtables is the only way I know. The delay will be there but it should not affect it too much, unless it was a gaming thing.


The world is full of nuts.....Come join us. smile
