Date: Fri, 28 May 2010 13:31:20 +0200
From: "Svein Skogen (Listmail Account)" <svein-listmail@stillbilde.net>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD router - large scale
Message-ID: <4BFFA988.7020807@stillbilde.net>
In-Reply-To: <AANLkTinvU5tOZyzzeJmVU1mlXGXMIEEOXWEv5GGArSCl@mail.gmail.com>
References: <AANLkTinvU5tOZyzzeJmVU1mlXGXMIEEOXWEv5GGArSCl@mail.gmail.com>
On 27.05.2010 17:00, Kevin Wilcox wrote:
> Hello everyone.
>
> We're in the very early stages of considering [Free|Open]BSD on
> commodity hardware to handle NAT *and* firewall duties for (what I
> consider to be) a sizable deployment. Overall bandwidth is low, only a
> gigabit connection, but we handle approximately fifteen thousand
> devices. DHCP and DNS would be passed through to other servers, this
> hardware would only be responsible for address translation and pf.
>
> I've done this on a very, very small scale (small/home office, small
> business) but I'm curious how many other folks are doing it on this
> scale, the hardware they are running on and any "gotchas" they may
> have faced. Does pf on FreeBSD take advantage of multiple cores/SMP?
> Is it preferable, as with OpenBSD, to go for a very stout processor
> without much consideration to cores? Would freebsd-net@ be a better
> place to ask this?
>
> I'm getting ready to start digging in to memory and other resources
> needed based on available documentation but real-world usage is much
> preferred to my academic assessment.
>
Actually, I'd find an answer from the FreeBSD Networking gurus useful as
well. My trusted Cisco 3640 is getting old (had its
ten-years-of-service birthday a little while ago), so I guess I must be
prepared to replace it with something new. Preferably something that
can do proper NAT port mapping to the inside servers in an
RFC1918-addressed DMZ, proper NAT mapping for the client net, incoming
VPDN (virtual private dialin network, such as PPTP+MPE and L2TP+IPSEC
tunnelling), sane IDS in the border-gateway, GRE or IPinIP tunnelling with
crypto for remote-sites, etc.

If somebody has a good starting-point for documentation on these
features, I'm more than willing to "do a project on it" to create a
mini-howto/handbook-section on "setting up FreeBSD as your border
gateway", provided I have someone to ask when the documentation is ...
flaky. ;)

It would be interesting to see what kind of performance modern hardware
could get, compared to dedicated hardware a decade old. :)

//Svein
--
--------+-------------------+-------------------------------
/"\ |Svein Skogen | svein@d80.iso100.no
\ / |Solberg Østli 9 | PGP Key: 0xE5E76831
X |2020 Skedsmokorset | svein@jernhuset.no
/ \ |Norway | PGP Key: 0xCE96CE13
| | svein@stillbilde.net
ascii | | PGP Key: 0x58CD33B6
ribbon |System Admin | svein-listmail@stillbilde.net
Campaign|stillbilde.net | PGP Key: 0x22D494A4
+-------------------+-------------------------------
|msn messenger: | Mobile Phone: +47 907 03 575
|svein@jernhuset.no | RIPE handle: SS16503-RIPE
--------+-------------------+-------------------------------
If you really are in a hurry, mail me at
svein-mobile@stillbilde.net
This mailbox goes directly to my cellphone and is checked
even when I'm not in front of my computer.
------------------------------------------------------------
Picture Gallery:
https://gallery.stillbilde.net/v/svein/
------------------------------------------------------------
