Date: Fri, 28 May 2010 12:38:24 +0100
From: Bruce Cran <bruce@cran.org.uk>
To: "Svein Skogen (Listmail Account)" <svein-listmail@stillbilde.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD router - large scale
Message-ID: <4BFFAB30.8050307@cran.org.uk>
In-Reply-To: <4BFFA988.7020807@stillbilde.net>
References: <AANLkTinvU5tOZyzzeJmVU1mlXGXMIEEOXWEv5GGArSCl@mail.gmail.com> <4BFFA988.7020807@stillbilde.net>
On 28/05/2010 12:31, Svein Skogen (Listmail Account) wrote:
> On 27.05.2010 17:00, Kevin Wilcox wrote:
>
>> Hello everyone.
>>
>> We're in the very early stages of considering [Free|Open]BSD on
>> commodity hardware to handle NAT *and* firewall duties for (what I
>> consider to be) a sizable deployment. Overall bandwidth is low, only a
>> gigabit connection, but we handle approximately fifteen thousand
>> devices. DHCP and DNS would be passed through to other servers; this
>> hardware would only be responsible for address translation and pf.
>>
>> I've done this on a very, very small scale (small/home office, small
>> business) but I'm curious how many other folks are doing it on this
>> scale, the hardware they are running on and any "gotchas" they may
>> have faced. Does pf on FreeBSD take advantage of multiple cores/SMP?
>> Is it preferable, as with OpenBSD, to go for a very stout processor
>> without much consideration to cores? Would freebsd-net@ be a better
>> place to ask this?
>>
>> I'm getting ready to start digging in to memory and other resources
>> needed based on available documentation but real-world usage is much
>> preferred to my academic assessment.
>>
>
> Actually, I'd find an answer from the FreeBSD Networking gurus useful as
> well. My trusted Cisco 3640 is getting old (had its
> ten-years-of-service birthday a little while ago), so I guess I must be
> prepared to replace it with something new. Preferably something that
> can do proper NAT port mapping to the inside servers in an
> RFC1918-addressed DMZ, proper NAT mapping for the client net, incoming
> VPDN (virtual private dialin network, such as PPTP+MPPE and L2TP+IPsec
> tunnelling), sane IDS in the border gateway, GRE or IP-in-IP tunnelling with
> crypto for remote sites, etc.
>
> If somebody has a good starting point for documentation on these
> features, I'm more than willing to "do a project on it" to create a
> mini-howto/handbook section on "setting up FreeBSD as your border
> gateway", provided I have someone to ask when the documentation is ...
> flaky. ;)

This is possibly the wrong place to be saying this, but isn't OpenBSD usually recommended for routers? I believe the version of pf, for example, is normally kept more up-to-date than in FreeBSD. The major downside I know of is that it's not nearly as user-friendly; for example, my recollection of its installer is that you have to input sector offsets manually in the partition editor!

-- 
Bruce Cran
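A pf.conf sketch for the border-gateway role the thread is asking about: outbound NAT for a client network, inbound port mapping to servers in an RFC1918-addressed DMZ, a default-deny filter, and a state table sized for roughly fifteen thousand NATed hosts. This is an added example, not configuration posted by anyone in the thread; the interface names, addresses, server hosts and limit values are assumptions and need adjusting for a real deployment. The syntax is the nat/rdr form used by the pf in FreeBSD, not the newer OpenBSD match/nat-to form.

```conf
# /etc/pf.conf -- added example for a FreeBSD border gateway.
# Interface names, networks and hosts below are hypothetical.
ext_if     = "em0"            # upstream link
int_if     = "em1"            # client network
dmz_if     = "em2"            # RFC1918-addressed DMZ
client_net = "10.1.0.0/16"
dmz_net    = "10.2.0.0/24"
web_srv    = "10.2.0.10"
mail_srv   = "10.2.0.20"

# Sources that hammer the mail server get parked here (see the rule below).
table <bruteforce> persist

# State table: pf's default ceiling is 10000 entries, far too small for
# ~15000 clients that each hold several connections. Size it for the
# population; check actual usage with "pfctl -si" and the ceiling with
# "pfctl -sm" once the box is under load.
set limit { states 1000000, src-nodes 50000, frags 10000 }
set optimization normal
set skip on lo0

# Reassemble fragments before translation and filtering.
scrub in all

# Outbound NAT: clients and DMZ hosts leave on the external address.
nat on $ext_if from { $client_net, $dmz_net } to any -> ($ext_if)

# Inbound port mapping to DMZ servers (the "NAT port mapping to the
# inside servers" case).
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_srv
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $mail_srv

# Default deny, parked sources dropped early, spoofed sources dropped on
# every interface.
block in log all
block in quick from <bruteforce>
antispoof quick for { $ext_if, $int_if, $dmz_if }

# The DMZ must not initiate into the client network.
block in quick on $dmz_if from $dmz_net to $client_net

# Inside networks and the gateway itself may reach out, keeping state.
pass out quick keep state
pass in on $int_if from $client_net to any keep state
pass in on $dmz_if from $dmz_net to any keep state

# Redirected packets reach the filter with the translated destination, so
# the pass rule names the DMZ address. synproxy completes the handshake on
# the gateway before the web server sees a connection.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA synproxy state

# Rate-limit new connections per source to the mail server; offenders go
# into <bruteforce> and have their existing states flushed.
pass in on $ext_if proto tcp from any to $mail_srv port 25 \
    flags S/SA keep state \
    (max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Before loading, syntax-check with `pfctl -nf /etc/pf.conf`, then `pfctl -f /etc/pf.conf`; forwarding and pf need `gateway_enable="YES"` and `pf_enable="YES"` in /etc/rc.conf. On the SMP question raised in the thread: the pf of that era ran under a single kernel lock, so extra cores did not scale packet processing; fine-grained locking only arrived with the pf rework in FreeBSD 10.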
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4BFFAB30.8050307>