Jordi Espasa Clofent wrote:
I was still wondering what could be considered the "maximum" session concurrency I could expect with various hardware combinations. Is there anyone who can tell me whether it could be feasible with OpenBSD and better hardware? Even if we have to move to a different platform than i386, like maybe a Sun Fire T1000, I don't see that as being a problem if it solves our issues. What we would like most, if possible, is to find something that could scale to a million concurrent sessions with a couple of thousand new sessions per second. I know it's something very hardware demanding, and even most enterprise-class firewalls like Juniper and Fortinet don't scale much beyond a million even on their higher-end models, so that's why I'm curious as to what I could expect a PF setup to scale to.

A million concurrent sessions with a couple of thousand new sessions per second? Those are high values... I think the current highest value for PF is 750k packets per second, and all of PF's behaviour/performance will be conditioned by that.

Please, feel free to correct me if I'm wrong.

Nice to know. We're currently far from reaching that packets-per-second figure at the moment; I'd say with all our traffic we'd probably be looking at 200K. I guess the platform might be the issue then. Even after putting in place all the recommendations I have received so far on my setup, which include limiting the scrub to the external interface, doing a skip on one of the interfaces, having the rule that carries 95% of the traffic be the 5th rule in the effective ruleset (pfctl -sr), and trying various sysctl and PF options, we're still seeing some congestion on the traffic.

We even bumped the hardware yesterday to a Xeon 5130 (Core 2 Xeon @ 2GHz) with new Intel PCIe 4x dual gigabit network cards, and the congestion statistics are exactly the same as they were before with the older hardware. I honestly did think I was going to get at least the same performance from this setup as from the unoptimized netfilter system we want to replace, if not more, so that's an added reason why I'm so perplexed right now :-)

Thanks!
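As an added example (not code from this thread), a small Python script that turns two `pfctl -si` snapshots into the numbers the thread is arguing about: state inserts per second (new sessions), current state entries against an assumed `set limit states` ceiling, and whether the `congestion` or `state-limit` counters moved in between. The two snapshots are constructed sample data and the 1,000,000 state limit is an assumption.

```python
import re

# Assumed `set limit states` value from pf.conf; the thread does not give one.
STATE_LIMIT = 1_000_000

# Two constructed `pfctl -si` excerpts taken 10 s apart (sample data, not from the thread).
SNAP_T0 = """\
State Table                        Total             Rate
  current entries                   180231
  inserts                         23456789          300.0/s
  removals                        23276558          298.0/s
Counters
  congestion                          1204            0.0/s
  state-limit                            0            0.0/s
"""
SNAP_T1 = """\
State Table                        Total             Rate
  current entries                   181900
  inserts                         23459989          320.0/s
  removals                        23278320          298.0/s
Counters
  congestion                          1217            1.3/s
  state-limit                            0            0.0/s
"""
INTERVAL_S = 10.0

# Indented "name  total  [rate/s]" rows; names may contain spaces or dashes.
ROW_RE = re.compile(r"^\s{2}([a-z][a-z -]*?)\s+(\d+)(?:\s+[\d.]+/s)?\s*$")

def parse_si(text: str) -> dict:
    """Map each State Table / Counters row name to its Total column."""
    return {m.group(1): int(m.group(2))
            for m in map(ROW_RE.match, text.splitlines()) if m}

def state_report(before: str, after: str, interval_s: float,
                 limit: int = STATE_LIMIT) -> dict:
    """New sessions/s, state-table fill ratio, and drops charged to
    congestion or to the state limit between the two snapshots."""
    a, b = parse_si(before), parse_si(after)
    return {
        "new_sessions_per_s": (b["inserts"] - a["inserts"]) / interval_s,
        "current_entries": b["current entries"],
        "state_table_fill": b["current entries"] / limit,
        "congestion_drops": b["congestion"] - a["congestion"],
        "state_limit_drops": b["state-limit"] - a["state-limit"],
    }

if __name__ == "__main__":
    print(state_report(SNAP_T0, SNAP_T1, INTERVAL_S))
```

A rising `congestion_drops` with `state_limit_drops` at zero and a low fill ratio points at packet-rate pressure rather than the state table itself, which is the distinction the thread is trying to draw.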
