Message-ID: <357388DF.981DDCBF@softweyr.com>
Date: Mon, 01 Jun 1998 23:08:47 -0600
From: Wes Peters
Organization: Softweyr llc
To: freebsd-net@FreeBSD.ORG
Subject: Re: router performance

Oops, forgot the -net mailing list:

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                          Softweyr LLC
http://www.softweyr.com/~softweyr               wes@softweyr.com

Message-ID: <357388A6.6E4C0B39@softweyr.com>
Date: Mon, 01 Jun 1998 23:07:50 -0600
From: Wes Peters
Organization: Softweyr llc
To: Tim Tsai
Subject: Re: router performance
References: <19980531230640.52576@futuresouth.com>

Tim Tsai wrote:
>
> Can I expect a FreeBSD-based router (say, Pentium Pro 180 with 64-128megs
> of RAM) to do the following reasonably well?
>
> 1) Route 2-4 T1's worth of traffic (judging from the recent fastforward
>    thread I don't think this is a problem)
> 2) run BGP
> 3) do *extensive* inbound packet filtering (anti-spoofing, no
>    broadcasts, etc.).
> 4) talk to the rest of the LAN through an ethernet interface
>
> Our Cisco 3640 with a Mips R4700/100Mhz is choking routinely with two
> T1's during periods of DoS attacks. It's quite capable of routing the
> traffic but the packet filtering is eating up all the CPU. Throw in ip
> accounting (which is only needed *during* an attack) and you can forget
> about any response.

One of the nice benefits of using FreeBSD for such a system is the
scalability. If one single FreeBSD system doesn't cut it, you could
use 5 of them. Put one on each T1 doing packet filtering/firewalling,
routing to ethernet. Then use another system to route between the
4 "external" ethernets and your internet network.

Actually, you should be able to do all of the above on a single
Pentium-class system of 200 Mhz or so *when NOT under attack.* If
you're looking at new hardware, a K6/233 (or so) should fit the bill
nicely.