From: Bruce Cran
Date: Fri, 28 May 2010 12:38:24 +0100
To: "Svein Skogen (Listmail Account)"
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD router - large scale

On 28/05/2010 12:31, Svein Skogen (Listmail Account) wrote:
> On 27.05.2010 17:00, Kevin Wilcox wrote:
>
>> Hello everyone.
>>
>> We're in the very early stages of considering [Free|Open]BSD on
>> commodity hardware to handle NAT *and* firewall duties for (what I
>> consider to be) a sizable deployment. Overall bandwidth is low, only a
>> gigabit connection, but we handle approximately fifteen thousand
>> devices. DHCP and DNS would be passed through to other servers; this
>> hardware would only be responsible for address translation and pf.
>>
>> I've done this on a very, very small scale (small/home office, small
>> business) but I'm curious how many other folks are doing it on this
>> scale, the hardware they are running on and any "gotchas" they may
>> have faced. Does pf on FreeBSD take advantage of multiple cores/SMP?
>> Is it preferable, as with OpenBSD, to go for a very stout processor
>> without much consideration to cores? Would freebsd-net@ be a better
>> place to ask this?
>>
>> I'm getting ready to start digging into memory and other resources
>> needed based on available documentation but real-world usage is much
>> preferred to my academic assessment.
>
> Actually, I'd find an answer from the FreeBSD Networking gurus useful as
> well. My trusted Cisco 3640 is getting old (had its
> ten-years-of-service birthday a little while ago), so I guess I must be
> prepared to replace it with something new. Preferably something that
> can do proper NAT port mapping to the inside servers in an
> RFC1918-addressed DMZ, proper NAT mapping for the client net, incoming
> VPDN (virtual private dialin network, such as PPTP+MPE and L2TP+IPSEC
> tunnelling), sane IDS in the border-gateway, GRE or IPinIP tunnelling with
> crypto for remote-sites, etc.
>
> If somebody has a good starting-point for documentation on these
> features, I'm more than willing to "do a project on it" to create a
> mini-howto/handbook-section on "setting up FreeBSD as your border
> gateway", provided I have someone to ask when the documentation is ...
> flaky.
> ;)

This is possibly the wrong place to be saying this, but isn't OpenBSD
usually recommended for routers? I believe the version of pf, for
example, is normally kept more up-to-date than in FreeBSD. The major
downside I know of is that it's not nearly as user-friendly; for example
my recollection of its installer is that you have to input sector
offsets manually in the partition editor!

-- 
Bruce Cran
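As an added illustration of the two NAT items on Svein's list (outbound NAT for the client net and port mapping into an RFC 1918 DMZ), here is a minimal FreeBSD-style pf.conf. It is example configuration written for this thread, not something posted by any of the participants or taken from the FreeBSD Handbook; the interface names em0/em1/em2, the subnets and the server addresses 10.0.0.10 and 10.0.0.11 are placeholders. It does not cover the VPDN, IDS or GRE/IPinIP tunnelling items, which need more than pf.

```pf
# Added example (not from the thread): /etc/pf.conf for a small FreeBSD
# border gateway.  Interface names, subnets and server addresses below are
# placeholders chosen for illustration.
ext_if  = "em0"           # uplink holding the public address
lan_if  = "em1"           # client network
dmz_if  = "em2"           # RFC 1918 DMZ with the published servers

lan_net = $lan_if:network
dmz_net = $dmz_if:network
web_srv  = "10.0.0.10"    # placeholder DMZ web server
mail_srv = "10.0.0.11"    # placeholder DMZ mail relay

# Private ranges that must never arrive on the uplink as a source address
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all              # reassemble fragments before filtering

# Outbound NAT: clients and DMZ hosts leave with the uplink's address.
# ($ext_if) in parentheses re-reads the address if the uplink is dynamic.
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

# Port mapping into the DMZ: only the listed ports are redirected, so a
# service accidentally left listening on a DMZ host stays unreachable.
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_srv
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $mail_srv

# Default deny; log inbound drops so pflog0 doubles as a detection feed.
block in log all
block out all

# Discard spoofed sources and private addresses arriving from outside.
antispoof quick for { $ext_if, $lan_if, $dmz_if }
block in quick on $ext_if from <rfc1918> to any

# Filter rules see the post-rdr destination, so permit by internal address.
# The default state policy is floating, so the reply path on the DMZ
# interface is covered by the same state entry.
pass in on $ext_if proto tcp to $web_srv  port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp to $mail_srv port 25 flags S/SA keep state

# Clients may initiate anything outbound; the DMZ may reach the Internet
# but never the client LAN, so a compromised DMZ host cannot pivot inward.
pass in on $lan_if from $lan_net to any keep state
block in on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if proto { tcp, udp } from $dmz_net to ! $lan_net keep state

# Anything the gateway itself or an established stateful flow sends may leave.
pass out keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then enable forwarding and pf with `gateway_enable="YES"`, `pf_enable="YES"` and `pflog_enable="YES"` in /etc/rc.conf; `pfctl -sr` and `pfctl -ss` show the loaded rules and the state table. The rdr rules are deliberately per-port rather than a whole-host redirect, and the DMZ-to-LAN block is the rule that keeps a breached DMZ server from reaching the fifteen thousand clients Kevin describes.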