Re: 400Mbps PF based firewall, which hardware?
On 7/8/05, Kirill Ponazdyr wrote:
> Hello,
>
> We are in need of a "core" firewall for our new datacenter.
>
> This firewall will not be directly connected to the internet but rather
> serve as a separator for security zones within the "application" part
> of our network; classical fileserver traffic will not go through this
> firewall.
>
> The network is full duplex 100Mbps Ethernet; there will be 25 machines
> split into 6 zones, and we estimate that our rules will be around 200
> lines per zone. No synproxy, no NAT, no QoS, "just" a stateful packet
> filter.
>
> The largest traffic types would be http/s, postgres, imap and a daily
> backup which runs over the network.
> TCP connection wise, we expect to see no more than 30k concurrent
> connections, so taking 60k as a goal would fit very well.
>
> We would like this firewall to be able to fill 2 of its 100Mbps ports
> with duplex traffic (400Mbps) at any given moment without significant
> latency due to the firewall itself.

Since your network is only 100Mbps, my recommendation is a D-Link Ethernet card. Now I may not be fully correct, but from my experience it performs well :-)

kind regards
Siju

> Which hardware would you advise for such an environment?
>
> Any gotchas / hints to watch out for?
>
> Kind Regards
>
> Kirill
>
> -
> When replying via E-Mail, please remove duplicate "@" from the address.
> -
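A pf.conf sketch of the setup Kirill describes, added here as an example (it is not from the thread and not anyone's production ruleset): the state limit raised to the 60k goal, one interface and one address table per zone, and a single zone-crossing rule of the kind the 200-lines-per-zone rulesets would hold. Interface names, addresses and the backup host are assumed.

```conf
# Constructed example for OpenBSD 3.7-era pf(4); names and addresses are assumed.
set limit states 60000            # default is 10000, too low for 30k concurrent
set optimization normal           # "aggressive" would expire idle IMAP sessions early
set block-policy drop

web_if = "fxp0"                   # zone: web front-ends
db_if  = "fxp1"                   # zone: postgres servers
table <web_hosts> const { 10.10.1.0/24 }
table <db_hosts>  const { 10.10.2.0/24 }
backup_host = "10.10.9.5"         # hypothetical backup server, reached over ssh

pass quick on lo0
antispoof quick for { $web_if, $db_if }
block log all                     # default deny between zones

# Web zone may open postgres connections into the DB zone; nothing else crosses.
# The state is created on the inbound rule and, being floating, is matched
# again when the same packets leave $db_if and when the replies return,
# so one rule with keep state covers the whole exchange.
pass in on $web_if proto tcp from <web_hosts> to <db_hosts> port 5432 \
    flags S/SA keep state

# Daily backup: DB zone pushes to the backup host, nothing comes back unsolicited.
pass in on $db_if proto tcp from <db_hosts> to $backup_host port 22 \
    flags S/SA keep state

# Checks once loaded:  pfctl -sm  (shows the states limit in effect)
#                      pfctl -si  ("current entries" against that limit)
```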
Re: ALTQ on PF for gaming
On Tue, Jun 28, 2005 at 04:52:17PM +0100, Bob wrote:
> I thought the problem was that you needed to limit incoming traffic as
> well as outgoing traffic.

i've found that limiting incoming data by queueing on the internal "LAN-facing" interface can be very beneficial if configured correctly.

for instance, RTT to my default gateway is normally 12ms. the highest download bandwidth i can realize is roughly 2650 Kb/s. if i am downloading without queueing incoming, pings to the gateway under a full-tilt download hover at around 500-700ms. if i set pf to queue incoming at an altq bandwidth of around 2500 Kb/s, i do not find that i lose much in the way of potential download throughput; however, under a full-tilt download the RTT only goes to about 180-300. cutting the altq bandwidth down to about 2400 brings that down further, yielding around a 40-60ms RTT.

in a situation where one is trying to use queueing to achieve a high-quality RTT across the circuit to your ISP, queueing on incoming data could also be a very important factor.

naturally, a hidden factor would be whether there is a bandwidth shortage leaving the DSLAM/HeadEnd you terminate at, or any other bandwidth shortages further up the food chain as you traverse your ISP's network. (e.g. if you are provisioned at 3Mb, but there are only 2 T1s leaving the remote unit, and there are 40 other people on there, it is probably a good idea to be a bit more conservative... in any case, one could run pings to whatever hop on the ISP's network is most applicable, graph them (or whatever) and look. spend a day or two without being involved in large data transfers.)

jared
--
[ openbsd 3.7 GENERIC ( jun 25 ) // i386 ]
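The mechanism jared describes, written out as a pf.conf fragment (an added example, not his configuration): an ALTQ queue on the LAN-facing interface capped a little below the measured download rate, so that the queue builds up inside the firewall where altq controls it rather than at the DSLAM where it cannot, plus a small priority queue upstream for ACKs and ICMP. Interface names, the LAN prefix and the upstream figure are assumptions; the 2400 Kb figure is his.

```conf
# Constructed example for OpenBSD 3.7-era pf(4)/altq(4); names are assumed.
ext_if  = "fxp0"              # ISP-facing
int_if  = "fxp1"              # LAN-facing
lan_net = "192.168.1.0/24"
dl_bw   = "2400Kb"            # just under the ~2650 Kb/s the line really delivers
ul_bw   = "240Kb"             # assumed upstream rate; measure your own

# Downloads are packets *leaving* int_if toward the LAN, so a queue on this
# side throttles incoming data.  Every packet leaving int_if lands in the
# default queue unless a rule says otherwise, which is all the limiting needs.
altq on $int_if cbq bandwidth $dl_bw queue { dl_pri, dl_bulk }
queue dl_pri  bandwidth 20% priority 7 cbq(borrow)
queue dl_bulk bandwidth 80% priority 1 cbq(default borrow)

# Upstream: reserve a share for ACKs and ICMP so an upload cannot stall a
# download by starving its acknowledgements (and so gateway pings stay low).
altq on $ext_if cbq bandwidth $ul_bw queue { ul_pri, ul_bulk }
queue ul_pri  bandwidth 25% priority 7 cbq(borrow)
queue ul_bulk bandwidth 75% priority 1 cbq(default borrow)

pass quick on lo0
block all

# Stateless on the LAN side: the state (and its queue) is created on $ext_if.
pass in  on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net

# LAN-initiated TCP: bulk data to ul_bulk; empty ACKs and TOS lowdelay
# packets (the second queue of the pair) to ul_pri.
pass out on $ext_if proto tcp from $lan_net to any flags S/SA keep state \
    queue (ul_bulk, ul_pri)
pass out on $ext_if proto { udp, icmp } from $lan_net to any keep state \
    queue ul_pri

# To tune the cap as jared did: start a full-tilt download, ping the default
# gateway, and lower dl_bw until the RTT settles; pfctl -vsq shows per-queue
# byte and drop counters so you can see where packets are being held.
```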
Re: 400Mbps PF based firewall, which hardware?
cool... great to know that. We blindly got a batch of sks here without knowing their quality... just the price was good. What makes it far better than the well-established Intel?

----- Original Message -----
From: "Henning Brauer" <[EMAIL PROTECTED]>
Sent: Friday, July 08, 2005 11:32 AM
Subject: Re: 400Mbps PF based firewall, which hardware?

> * Gustavo A. Baratto <[EMAIL PROTECTED]> [2005-07-08 17:34]:
> > Apparently gigabit Intel NICs are the best out there, but this is just
> > what I've heard.
>
> sk is far better.
>
> --
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: 400Mbps PF based firewall, which hardware?
On 7/8/05, Gustavo A. Baratto <[EMAIL PROTECTED]> wrote:
> You're gonna need a server with a very fast bus and very fast memory.
> Some motherboards have dedicated PCI controllers for each slot, so each NIC
> has its own dedicated controller, decreasing the interrupts for each one.
> Apparently gigabit Intel NICs are the best out there, but this is just what
> I've heard.

actually for Gigabit NICs Theo and other developers recommend sk(4); for a list of them please visit
http://www.openbsd.org/cgi-bin/man.cgi?query=sk&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

kind regards
Siju
Re: 400Mbps PF based firewall, which hardware?
Henning Brauer wrote:
> * Gustavo A. Baratto <[EMAIL PROTECTED]> [2005-07-08 17:34]:
> > Apparently gigabit Intel NICs are the best out there, but this is just
> > what I've heard.
>
> sk is far better.

It looks like, from the study quoted on the sk website:
http://www.syskonnect.com/syskonnect/performance/gig-over-copper.htm
that the 3Com 3c996BT outperforms the sk at 1500 MTU for most of their tests.

Another comparison: http://www.accs.com/p_and_p/GigaBit/
Re: pfauth vs. ip-authentication
Thanks, this cleared up some things. From the documentation I can see that the magic lies in the keep-alives. I'll look into implementing this right away.