Nick Holland wrote:
Steve D. wrote:
Hi,
I'm setting up a gateway (1.7 GHz machine with 1 GB of RAM) for 700+
users using pf with NAT and BINATs (90% NAT). I would like to
know if anyone has any recommendations on tweaking the runtime
options in PF. This box will pretty much just be handling the
NATing with a bare minimum of filtering, just enough to keep the box
secure.
Yes:
DON'T TOUCH ANYTHING UNTIL YOU KNOW WHAT THE GOAL IS.
Apparently, there are some OSs people are used to that ship in a
nearly useless state, at least judging by the queries like this. With
OpenBSD, you aren't supposed to have to tweak things... it should Just
Work.
See if you run into a problem. Don't start twisting knobs until you
see if there is a reason to do so, and until you know what the desired
outcome is. The defaults are set pretty darned well to start with --
you are much more likely to break something by "tweaking" than you are
to improve anything.
For comparison: we have ~850 people, hiding behind a CARP'd pair of
machines -- primary is a Celeron 600, 384M RAM. Failover box is a
PIII-750, 512M RAM, in an otherwise identical box. Hooked to a 45Mbps
DS3. We aren't exercising the system much at this point (neither the
box nor the DS3). I suspect some day, we'll start seeing some limits
hit on this thing, we'll worry about it then...assuming these boxes
haven't died of old age by the time that happens. :)
Nick.
Nick,
Thanks for the info. That's what I was looking for. I'm going to be
dropping this into production and I don't want things to grind to a halt
in 30 seconds. What kind of throughput are you seeing on the box? The
only tweaks I was wondering about were in the pf runtime options (limit
states etc.).
Thanks again,
Steve
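Nick's advice amounts to "measure before you touch `set limit states`". The script below is an added example, not something posted in this thread, that turns that into a check: it parses `pfctl -si` (current state entries) and `pfctl -sm` (the hard limit for states) and reports how close the state table is to its ceiling. The embedded `SAMPLE_SI` / `SAMPLE_SM` text is constructed so the script runs offline; the exact output shape of `pfctl -si` and `pfctl -sm` it parses is an assumption about the pf of that era, so check it against a real box before relying on the parser. The 80% threshold is an arbitrary choice for the example.

```shell
#!/bin/sh
# Added example (not from the thread): measure state-table headroom
# before deciding whether `set limit states` in pf.conf needs changing.
# SAMPLE_SI / SAMPLE_SM are constructed stand-ins for `pfctl -si` and
# `pfctl -sm` output; their layout is an assumption, not captured output.

SAMPLE_SI='Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     2741
  searches                       912345678         8654.2/s
  inserts                          4567890           43.3/s
  removals                         4565149           43.3/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit      500'

# current_states: number of live entries, from the "current entries" line
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# state_limit: hard limit for the states pool, from the "states" line
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $NF; exit }'
}

# state_usage_pct: integer percentage of the state limit currently in use
state_usage_pct() {
    cur=$(current_states "$1")
    lim=$(state_limit "$2")
    [ "$lim" -gt 0 ] || return 1
    echo $(( cur * 100 / lim ))
}

# verdict: the thread's rule of thumb as code; 80% is an arbitrary cutoff
verdict() {
    pct=$(state_usage_pct "$1" "$2")
    if [ "$pct" -ge 80 ]; then
        echo "near limit (${pct}%): consider 'set limit states' in pf.conf"
    else
        echo "fine (${pct}%): leave the defaults alone"
    fi
}

# Live use on the gateway (needs root): feed real pfctl output instead.
#   si=$(pfctl -si); sm=$(pfctl -sm); verdict "$si" "$sm"
verdict "$SAMPLE_SI" "$SAMPLE_SM"
```

Run it periodically (or watch `pfctl -si` by hand) once the box is in production; if usage stays well under the limit, there is nothing to tune, which is exactly Nick's point.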