From: grarpamp
Date: Thu, 11 Oct 2018 14:47:15 -0400
Subject: FreeBSD Solution Comparable to VyOS (BGP IPv4+6 FW) in Tor Intensive Environments
To: conrad@rockenhaus.com
Cc: freebsd-net@freebsd.org, tor-relays@lists.torproject.org

On 10/11/18, Conrad Rockenhaus wrote:
> Hello,
>
> I’m researching for a new colo, and in order to bring it online until I can
> consolidate some hardware, I would like to temporarily run a VyOS Router as
> the main router so I can start getting things online sooner than later. This
> VyOS Router will be running BGP with the upstream providers, IPv4, and IPv6,
> and basic filtering to protect the router and other essential hardware.
>
> I’ve seen VyOS perform quite wonderfully on 4-6 gbps links with traffic
> coming primarily from a CDN. My question is does anyone here have any
> experience running VyOS with that much traffic with that traffic primarily
> consisting of Tor traffic? Are there any other suggestions for a basic
> non-hardware router based solution as a temporary implementation, perhaps
> even using FreeBSD?
>
> Thanks,
> Conrad

FreeBSD can work fine in this application and would be a natural
and complementary tool to your efforts in supporting relay diversity
towards more BSD (FreeBSD) nodes. Further, Linux's older iptables, even
its current nftables, will seem very different compared to the FreeBSD
IPFW or PF with which you are surely familiar.

You'll probably find more answers as to some BGP, packet filter, and
hardware solutions for this on the freebsd-net mailing list above. And or on
freebsd-questions, freebsd-isp, freebsd-ipfw, freebsd-pf, ...
https://forums.freebsd.org/

See also (note: wikipedia often outdated / trivial)...
https://wikipedia.org/wiki/List_of_open-source_routing_platforms
Mentioned but not yet linked in above list...
https://frrouting.org/
https://wikipedia.org/wiki/List_of_router_and_firewall_distributions

https://forum.opnsense.org/index.php?topic=3534
Includes some bits from HardenedBSD, its onions are below...
http://dxsj6ifxytlgq33k.onion/
http://3jkjhrvkdbdkqisnwhdpe4afh2j2g3suhsfcewiemsyk5ecd6gadmxyd.onion/

https://wikipedia.org/wiki/Comparison_of_firewalls