Peter, Why do you keep side-stepping my hardware messages?
Scott

On 10/31/05, Peter Zaitsev <[EMAIL PROTECTED]> wrote:
> On Mon, 2005-10-31 at 20:20 +0200, Frimmel, Ivan (ISS South Africa)
> wrote:
> > For my own reference please ..
> >
> > The role of a firewall is supposed to be a filter rather than a router
> > or a front end load balancer? If there is this much inbound traffic
> > clearly other solutions would be appropriate? Or am I wrong?
>
> Right. I'm not putting any routing load on it (it just bridging
> WAN->LAN to be transparent) I also do not use load balancing function of
> pfsense at this point.
>
> The only extra use for it is traffic shaping and reporting.
>
> If you look generally I see there are a lot of functionality built in
> commercial firewalls these days - some routing, anti virus, anti spam,
> some even have 16 port switch built in. :)
>
> > -----Original Message-----
> > From: Peter Zaitsev [mailto:[EMAIL PROTECTED]
> > Sent: Monday, October 31, 2005 8:02 PM
> > To: support@pfsense.com
> > Subject: RE: [pfSense Support] Dump states featue
> >
> > On Mon, 2005-10-31 at 11:28 -0600, Fleming, John (ZeroChaos) wrote:
> > > FYI a PIX 520 (the 300 mhz version) can not handle 50,000 entries in
> > > the state table. It may on paper, but just because it has enough ram.
> > > I want to say it starts to have problems at about 35,000, but then
> > > again all my PIX firewalls were fully loaded with nics (6 10/100 I
> > > think).
> >
> > Right. I guess number of states is not only issue - packet rate is other
> > thing - the "state" which is having packet passing by once per minute is
> > different than one which constantly needs attention. Number of rules
> > is another ( I had single rule in this test)
> >
> > And I guess 300Mhz CPU is a lot different from 2.4Ghz I have :)
> >
> > > Kind of funny to boot a 520 and hear a video failure beep code.
> >
> > :)
> >
> > > -----Original Message-----
> > > From: Peter Zaitsev [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, October 31, 2005 10:48 AM
> > > To: support@pfsense.com
> > > Subject: Re: [pfSense Support] Dump states featue
> > >
> > > On Sun, 2005-10-30 at 17:25 -0500, Scott Ullrich wrote:
> > > > If you want to push 50,000 states do you think this box is enough
> > > > juice? With that amount of states it seems you want to use much
> > > > better hardware.
> > >
> > > Well... I'm not going to have 50.000 states - I'm just stress
> > > testing to see the limit.
> > >
> > > Now I see these number of states takes just few MB of memory - I never
> > > got amount of memory used over 15%
> > >
> > > CPU usage in my understanding should grow with number of packets and
> > > rules - states are secondary. It must be implemented as hash table
> > > with semi-constant lookup time.
> > >
> > > And once again - my problem is not amount of packets I can pass at
> > > this point but the way it keeps up with high load.
> > >
> > > Also This is better hardware which is included in Most of Firewalls.
> > > For example SonicWall 2040 has 800Mhz x86 CPU, Cisco PIX - 300Mhz
> > > Celeron. They might have some extra hardware offloading but also
> > > have extra features such as deep packet inspections etc.
> > >
> > > > On 10/30/05, Peter Zaitsev <[EMAIL PROTECTED]> wrote:
> > > > > On Sun, 2005-10-30 at 15:45 -0400, Scott Ullrich wrote:
> > > > > > If you don't mind me asking, what hardware are you running
> > > > > > pfsense on for these tests?
> > > > >
> > > > > This is Dell PowerEdge 750 - 512Mb RAM, Celeron 2.4Ghz
> > > > > 2 Intel 1Gbit NICs
> > > > >
> > > > > This seems to be much better than all firewalls below 5K$ have :)
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]