Re: Speed issues with bridge firewall
Dom De Vitto wrote:
> Damn straight. That's 94% of wire speed!

But largely irrelevant, as it is packets per second and not bytes per second that matter. As it is probably interrupts that are loading the box and not packet processing, you could pester tedu@ for his devpoll patch, but to quote his page: "email me about it and i'll hate you forever."

http://www.stanford.edu/~tedu/polling.html

> I believe the fastest appliance out there currently is the Cisco PIX535, coming in at a max of 1.7gb/s, but the other firewall appliances around are way behind that and are well sub-1gb/s.

FYI:
Nokia IP1260 w/FW-1 quotes 4.2Gbps
NetScreen 5400 quotes 12Gbps

-d
RE: Speed issues with bridge firewall
Henning/Daniel, are there any plans to implement polling in 3.4? Or have a patch for it?

Amir Seyavash Mesry
[EMAIL PROTECTED]
LSI Logic Corporation
http://www.lsilogic.com/
Raid Support Test Technician
6145-D Northbelt Parkway
Norcross, GA 30071
678-728-1211

NOTICE: This communication may contain privileged or other confidential information. If you are not the intended recipient, or believe that you have received this communication in error, please do not print, copy, retransmit, disseminate, or otherwise use the information. Also, please indicate to the sender that you have received this communication in error, and delete the copy you received. Thank you.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henning Brauer
Sent: Monday, September 01, 2003 3:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Speed issues with bridge firewall

> On Mon, Sep 01, 2003 at 12:20:04PM -0500, Mathew Binkley wrote:
> > The firewall box is a SuperMicro 1U box with ServerWorks GC-LE chipset, dual 1.8 GHz Xeons, 1 GB RAM, 40 gig hard drive, and two gigabit NIC's (one Intel, the other NatSemi 83820). OpenBSD doesn't support SMP, so only one of the processors is being used.
>
> dmesg would help. my bet is on the nge(4), tho. at GigE - esp. when you run jumbo frame - it is not very efficient. I'd be interested in figures with a second em(4).
>
> > Results:
> > No firewall: 939 Mbits/sec throughput
> > Firewall: 785 Mbits/sec throughput
>
> that's already pretty impressive...
>
> check systat vmstat while doing the tests. I bet the interrupt #s kill you. check especially which device causes how many.
>
> --
> Henning Brauer, BS Web Services, http://bsws.de
> [EMAIL PROTECTED] - [EMAIL PROTECTED]
> Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: Speed issues with bridge firewall
Damien Miller wrote:
> > I believe the fastest appliance out there currently is the Cisco PIX535, coming in at a max of 1.7gb/s, but the other firewall appliances around are way behind that and are well sub-1gb/s.
>
> Nokia IP1260 w/FW-1 quotes 4.2Gbps
> NetScreen 5400 quotes 12Gbps

You can find even greater marketing values. For example the Cisco Firewall Services Module (a PIX, inserted into a 6k5 switch) offers up to 20 Gbps, but you may achieve even more than that with Juniper Networks T640 with the integrated IP filter. I guess it's not stateful, but has interesting features, from which the 770 Mpps forwarding rate sounds promising :)

And it runs BSD.

--
Attila Nagy
e-mail: [EMAIL PROTECTED]
Free Software Network (FSN.HU)
phone @work: +361 210 1415/127
ISOs: http://www.fsn.hu/?f=download
cell.: +3630 306 6758
Re: Speed issues with bridge firewall
On Tue, Sep 02, 2003 at 12:12:59AM -0400, Amir Seyavash Mesry wrote:
> Henning/Daniel, is there any plans to implement polling in 3.4?

in 3.4 for sure not. even later - nobody has yet shown that it pays out.

--
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: Speed issues with bridge firewall
Henning Brauer wrote:
> On Tue, Sep 02, 2003 at 12:12:59AM -0400, Amir Seyavash Mesry wrote:
> > Henning/Daniel, is there any plans to implement polling in 3.4?
>
> in 3.4 for sure not. even later - nobody has yet shown that it pays out.

If anyone's interested I'm willing to test a patch (as long as it's reasonably idiot-proof; I'm a sysadmin/fortran programmer, not a kernel/C hacker).

Mat
Re: Speed issues with bridge firewall
On Monday 01 September 2003 19:20, Mathew Binkley wrote:
> So our bridging firewall achieves ~84% of full line speed. However, during testing the firewall had a load level of 4.3. There doesn't appear to be any packet loss, but I'm not sure if it is affecting latency or not. Does anyone know a good way of testing that? The firewall console is completely frozen when it's under that stress.

...too many interrupts...

> Does OpenBSD 3.3 not support zero-copy? Or is there something trivial I'm missing here? I wouldn't have expected bridging to put that kind of load on the CPU.

Device Polling is the answer... tedu@ said he was working on it. I hope someone will find time to port FreeBSD code. Here you can find an explanation with code.

Maybe you give pf on FreeBSD a try: http://pf4freebsd.love2party.net/

This will give you said device polling and allows you to use the second processor. Once the netlocking is done, you will maybe even see a further speedup. On the other hand, bridging on FreeBSD with pf filtering is not working properly without a patch. We hope that 5.2R will have solutions for that.

Max
Re: Speed issues with bridge firewall
On Mon, Sep 01, 2003 at 12:20:04PM -0500, Mathew Binkley wrote:
> The firewall box is a SuperMicro 1U box with ServerWorks GC-LE chipset, dual 1.8 GHz Xeons, 1 GB RAM, 40 gig hard drive, and two gigabit NIC's (one Intel, the other NatSemi 83820). OpenBSD doesn't support SMP, so only one of the processors is being used.

dmesg would help. my bet is on the nge(4), tho. at GigE - esp. when you run jumbo frame - it is not very efficient. I'd be interested in figures with a second em(4).

> Results:
> No firewall: 939 Mbits/sec throughput
> Firewall: 785 Mbits/sec throughput

that's already pretty impressive...

check systat vmstat while doing the tests. I bet the interrupt #s kill you. check especially which device causes how many.

--
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
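Two points from the thread are worth turning into something you can run: Henning's advice to find out which device generates how many interrupts during the test, and Damien's point that the limit is packets per second rather than bytes per second. The script below is an added example, not code from any of the posters. It takes two snapshots of `vmstat -i` output (the two snapshots here are constructed to resemble OpenBSD's column layout; the exact formatting is an assumption), reports the interrupt rate per source over the sampling interval, and computes the theoretical maximum frame rate of a link for a given frame size, counting the 8-byte preamble and 12-byte inter-frame gap that Ethernet adds to every frame. The function names `intr_rate` and `max_pps` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Parses two vmstat -i style snapshots
# taken SECONDS apart and prints interrupts/sec per source, highest first.
# The snapshots below are constructed; the "irqN/device total rate" layout
# is assumed to match OpenBSD's vmstat -i.

SNAP_A='interrupt                       total     rate
irq0/clock                        1200000      100
irq5/nge0                         3400000      283
irq11/em0                         2100000      175
Total                             6700000      558'

SNAP_B='interrupt                       total     rate
irq0/clock                        1201000      100
irq5/nge0                         4250000      283
irq11/em0                         2500000      175
Total                             7951000      558'

# intr_rate SNAP_BEFORE SNAP_AFTER SECONDS
# Prints "source interrupts_per_second" lines sorted by rate, descending.
intr_rate() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -v secs="$3" '
        /^---$/ { second = 1; next }            # separator between snapshots
        $1 ~ /^irq/ {                           # skip header and Total lines
            if (!second) before[$1] = $2        # remember counters from A
            else printf "%s %d\n", $1, ($2 - before[$1]) / secs
        }' | sort -k2 -nr
}

# max_pps LINK_BITS_PER_SECOND FRAME_BYTES
# Frames per second the wire can carry: each frame costs FRAME_BYTES plus
# 8 bytes preamble/SFD and 12 bytes inter-frame gap (20 bytes overhead).
max_pps() {
    echo $(( $1 / (($2 + 20) * 8) ))
}

# Stand-alone demo: pretend 10 seconds elapsed between the two snapshots.
intr_rate "$SNAP_A" "$SNAP_B" 10
echo "64-byte frames at 1 Gbit/s:   $(max_pps 1000000000 64) pps"
echo "1518-byte frames at 1 Gbit/s: $(max_pps 1000000000 1518) pps"
```

On the real box, replace the constructed snapshots with `vmstat -i` captured before and after the throughput run and pass the elapsed seconds. The `max_pps` figures show why Damien's point matters: at 1 Gbit/s the same link carries about 81 thousand 1518-byte frames per second but almost 1.5 million 64-byte frames per second, and with one interrupt per packet it is the small-frame case that pins the CPU.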
RE: Speed issues with bridge firewall
Damn straight. That's 94% of wire speed!

I believe the fastest appliance out there currently is the Cisco PIX535, coming in at a max of 1.7gb/s, but the other firewall appliances around are way behind that and are well sub-1gb/s.

Dom

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Tel. 07855 805 271
http://www.devitto.com
mailto:[EMAIL PROTECTED]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henning Brauer
Sent: Monday, September 01, 2003 8:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Speed issues with bridge firewall

> On Mon, Sep 01, 2003 at 12:20:04PM -0500, Mathew Binkley wrote:
> > The firewall box is a SuperMicro 1U box with ServerWorks GC-LE chipset, dual 1.8 GHz Xeons, 1 GB RAM, 40 gig hard drive, and two gigabit NIC's (one Intel, the other NatSemi 83820). OpenBSD doesn't support SMP, so only one of the processors is being used.
>
> dmesg would help. my bet is on the nge(4), tho. at GigE - esp. when you run jumbo frame - it is not very efficient. I'd be interested in figures with a second em(4).
>
> > Results:
> > No firewall: 939 Mbits/sec throughput
> > Firewall: 785 Mbits/sec throughput
>
> that's already pretty impressive...
>
> check systat vmstat while doing the tests. I bet the interrupt #s kill you. check especially which device causes how many.
>
> --
> Henning Brauer, BS Web Services, http://bsws.de
> [EMAIL PROTECTED] - [EMAIL PROTECTED]
> Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)