Daniel Ouellet wrote:
> Florin Andrei wrote:
>> I'm building several firewalls that need to be able to sustain 1000
>> Mbit throughput. We're using AMD64 processors a lot, so that's the
>> kind of architecture I'm looking at right now. I will use OpenBSD 4.1
>> 64-bit version.
>> The set of rules on the firewalls will be relatively small and simple.
>> At least some of these firewalls will need to be redundant, connected
>> in an active/standby configuration. I will need at least 6 interfaces
>> on each firewall, at least 2 of them capable of gigabit speed.
>
> Well, not a small order for sure, but to sustain 1000 Mbit throughput on
> two interfaces, I would suggest first to find a way to make sure PF will
> be able to do this!

I am certainly going to run some tests, but first I want to see if there
are any known issues or typical recommendations for such a situation.
Someone told me he built a pair of redundant OpenBSD firewalls using 1
GHz CPUs and fairly good network cards (some kind of Intel chips, I
forgot what type exactly), and the machines were actually able to route
1Gb/s.
So, I'm thinking, if I use motherboards with just as good or faster
northbridge, certainly faster CPUs, and hopefully even better network
cards (with checksumming and stuff like that done in hardware, provided
that the driver supports those features), then I should be able to at
least match that speed.

> Meaning, can't you help with this one for your own benefit?
> http://marc.info/?l=openbsd-misc&m=118172436205643&w=2

I actually brought this to the attention of the management, let's see
what happens.
--
Florin Andrei
http://florin.myip.org/