On Wednesday 26 March 2008 17:02:03 Nejc Škoberne wrote:
> I like pf very much and I was planning to use it as a "central"
> firewall at one of the customers like this:
>
>                          subnet_3
>                             |
>                             |
> subnet_1 ---------- PF_firewall ---------------- subnet_2
>                             |
>                             |
>                        internet_gw
>
> However, since these are subnets with many computers, these would be
> gigabit connections. But, I am afraid that this machine would not be
> able to process data with gigabit speeds. So my questions are:
>
> 1. Are there any real-life performance evaluations with PF as
> firewall(s) (doing also NAT if possible)?
Yes there are, but I don't have a concrete example at hand. NAT isn't all
that expensive with pf. In general you can hope for up to 750kpps
forwarding performance. If that's enough in your situation depends on
the kind of traffic you are looking at.
> 2. How efficiently does PF use SMP (FreeBSD 7.0)?
Not at all. I have plans to change that, though:
http://pf4freebsd.love2party.net/pflock/
N.B. this is a long shot and something for the 8.0 time frame.
> 3. How much would I profit if I had a server with two Dual-Core Intel
> processors? This means 4 cores, right? I guess this should be able to
> process data with gigabit speed in the situation above?
While pf is a serialization point, the rest of the processing
(ether_input -> ip_input -> forward -> ip_output -> ether_output) and the
internet servicing can run in parallel. If you just do forwarding, the
natural limit for parallelization is the number of interfaces; although
you won't likely achieve that kind of parallelism, more cores certainly
help. If you add other processing - e.g. VPN endpoints - it's even
better to have "spare" cores.
> 4. How would PF scale if there were 5 or more such subnets instead of 3
> (with gigabit speeds)?
The limiting factor for any firewall/packet forwarder is packets per
second, not throughput (so much). pf on FreeBSD currently provides
~750kpps (1M has been reported with careful tuning). This is roughly
1Gbps with 1500 Byte packets.
> 5. Are there any PF vs Cisco|Juniper|3Com layer3 switches comparisons?
Not that I'm aware of, but pf on commodity hardware will always have an
edge in the cost/performance column. You have to pay quite a bit to
obtain a hardware solution that can really *firewall* 750kpps and this
will usually fall short of pf in terms of additional features.
Note, for example, the possibility to build a redundant firewall with ARP
load balancing using CARP and pfsync.
> 6. What role do the network cards play when looking at performance?
> Are there network cards which do more work by themselves to let the CPU
> do other things?
YES! Buying good network cards is essential! The general consensus seems
to be to stick with Intel server cards. In any case stay away from the
low end on-board stuff. The bus interface is also very important! The
plain old PCI bus has a limit of ~1Gbps itself, so go for PCI-X or better
yet PCIe. Buy a motherboard that offers more than one bus.
In the end it very much depends on your traffic patterns and security
whether pf is the right choice for you. If you should really have steady
1Gbps streams between your subnets it very likely is not. But then again,
there are very few alternatives to choose from. If you are only looking
at sporadic inter-subnet communication and reliable, secure internet
access for all of them (where usually the uplink is the limiting
factor) - then FreeBSD and pf can certainly provide what you need.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
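As an added sizing example (not from Max's post or the pf project), the arithmetic behind "packets per second, not throughput": it converts a forwarder's pps budget into wire throughput and back, assuming standard Ethernet framing overhead (8-byte preamble/SFD plus 12-byte inter-frame gap per frame, 64-byte minimum frame).

```python
import math

# Per-frame overhead on the wire that is not part of the Ethernet frame
# itself (assumed standard values): preamble + SFD, and the inter-frame gap.
PREAMBLE_SFD = 8
IFG = 12
MIN_FRAME = 64  # smallest legal Ethernet frame, including FCS


def wire_bytes(frame_bytes):
    """Bytes a frame occupies on the wire, overhead included."""
    return frame_bytes + PREAMBLE_SFD + IFG


def line_rate_pps(link_bps, frame_bytes):
    """Packets per second needed to saturate a link with frames of this size."""
    return link_bps / (wire_bytes(frame_bytes) * 8)


def throughput_bps(pps, frame_bytes):
    """Wire throughput a forwarder reaches at a given pps with this frame size."""
    return pps * wire_bytes(frame_bytes) * 8


def frame_size_needed(pps_budget, link_bps):
    """Smallest frame size at which the pps budget still fills the link.

    Solves pps * wire_bytes(f) * 8 >= link_bps for f; frames below the
    Ethernet minimum cannot exist, so the answer is never below 64.
    """
    f = link_bps / (8 * pps_budget) - PREAMBLE_SFD - IFG
    return max(MIN_FRAME, math.ceil(f))


if __name__ == "__main__":
    gig = 1e9
    budget = 750_000  # the ~750kpps figure quoted for pf on FreeBSD
    print(f"pps to fill 1Gbps with 64-byte frames:   {line_rate_pps(gig, 64):,.0f}")
    print(f"pps to fill 1Gbps with 1518-byte frames: {line_rate_pps(gig, 1518):,.0f}")
    for size in (64, 128, 256, 512, 1518):
        gbps = throughput_bps(budget, size) / 1e9
        print(f"{budget:,} pps at {size:5d}-byte frames -> {gbps:5.2f} Gbps on the wire")
    print(f"frame size from which {budget:,} pps fills 1Gbps: "
          f"{frame_size_needed(budget, gig)} bytes")
```

The table makes the post's point concrete: a fixed pps budget is gigabit-capable only above a certain average frame size, so a small-packet flood reaches the limit long before the link is full.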
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"