Date:      Mon, 31 May 2004 13:13:51 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        hugle <hugle@vkt.lt>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: routing for 1000 users and 10Mbit internet.
Message-ID:  <40BB67CF.4090603@potentialtech.com>
In-Reply-To: <8935715836.20040531193600@vkt.lt>
References:  <1025899241.20040531165223@vkt.lt> <20040531121948.T84772-100000@cactus.fi.uba.ar> <8935715836.20040531193600@vkt.lt>

hugle wrote:
> FG> On Mon, 31 May 2004, hugle wrote:
> 
>>>The question is what machine do I need?
>>>What CPU and how much of ram ?
> 
> FG> I set up a firewall for more than 300 users, a DMZ with a public webserver,
> FG> webmail and MX on a PII-350MHz with 128 MB RAM.
> dammit..
> why then do my users eat so much CPU?
> look:
> CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
> Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free
> 
> I have only 61% idle?
> usually I have ~50 idle..
> now I have P4 2.4GHZ
> 
> maybe my setup is bad (kernel I mean)?
> ps. what do those interrupts mean?

It probably means you have a cheapo network card and the OS has to work very
hard to keep it moving data.

The vmstat screen of systat will break down the interrupt usage per device,
which will tell you if my guess is right or not.

If I'm right, it would be worth your while to research the particular NIC you're
using to see if there are known problems.  Or, if you know it's a cheap NIC, you
might want to just replace it.

OTOH, if the machine is keeping up with the load, you might want to just leave
that NIC in there and let the CPU do its job.

There's also the option to switch to polling (if that NIC's drivers support it).
See "man polling" for the gory detail.

> FG> On another client, I set up a firewall for 50 users with a Pentium 90MHz
> FG> with 64MB RAM.
> 
>>>dual or single processor ?
> 
> FG> One. Don't waste your money. A firewall isn't very CPU intensive. And given
> FG> the fact that ipf works at the IP stack level, I don't think you can have
> FG> more than one thread active at a time messing with the IP data structures.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com


