From: Nejc Škoberne
Date: Wed, 26 Mar 2008 17:02:03 +0100
To: freebsd-pf@freebsd.org
Subject: pf and SMP and busy wires

Hello,

I like pf very much and I was planning to use it as a "central" firewall at
one of the customers like this:

                     subnet_3
                        |
                        |
subnet_1 ---------- PF_firewall --------------- subnet_2
                        |
                        |
                   internet_gw

However, since these are subnets with many computers, these would be gigabit
connections. But I am afraid that this machine would not be able to process
data at gigabit speeds. So my questions are:

1. Are there any real-life performance evaluations with PF as firewall(s)
   (doing also NAT if possible)?

2. How efficiently does PF use SMP (FreeBSD 7.0)?

3. How much would I profit if I had a server with two Dual-Core Intel
   processors? This means 4 cores, right? I guess this should be able to
   process data at gigabit speed in the situation above?

4. How would PF scale if there were 5 or more such subnets instead of 3
   (with gigabit speeds)?

5. Are there any PF vs Cisco|Juniper|3Com layer3 switches comparisons?

6. What role do the network cards play when looking at performance? Are
   there network cards which do more work by themselves to let the CPU do
   other things?

Thanks.

Nejc