From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 26 Mar 2008 17:52:50 +0100
Subject: Re: pf and SMP and busy wires
In-Reply-To: <47EA737B.8060009@skoberne.net>
Message-Id: <200803261752.50776.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wednesday 26 March 2008 17:02:03 Nejc Škoberne wrote:
> I like pf very much and I was planning to use it as a "central"
> firewall at one of the customers like this:
>
>                subnet_3
>                   |
> subnet_1 ---- PF_firewall ---- subnet_2
>                   |
>              internet_gw
>
> However, since these are subnets with many computers, these would be
> gigabit connections. But, I am afraid that this machine would not be
> able to process data with gigabit speeds. So my questions are:
>
> 1. Are there any real-life performance evaluations with PF as
> firewall(s) (doing also NAT if possible)?

Yes there are, but I don't have a concrete example at hand. NAT isn't all
that expensive with pf. In general you can hope for up to 750kpps
forwarding performance. Whether that's enough in your situation depends on
the kind of traffic you are looking at.

> 2. How efficiently does PF use SMP (FreeBSD 7.0)?

Not at all. I have plans to change that, though:
http://pf4freebsd.love2party.net/pflock/

N.B. this is a long shot and something for the 8.0 time frame.

> 3. How much would I profit if I had a server with two Dual-Core Intel
> processors? This means 4 cores, right? I guess this should be able to
> process data with gigabit speed in the situation above?

While pf is a serialization point, the rest of the processing
(ether_input -> ip_input -> forward -> ip_output -> ether_output) and the
internet servicing can run in parallel. If you just do forwarding, the
natural limit for parallelization is the number of interfaces; although
you won't likely achieve that kind of parallelism, more cores certainly
help. If you add other processing - e.g. VPN endpoints - it's even
better to have "spare" cores.

> 4. How would PF scale if there were 5 or more such subnets instead of 3
> (with gigabit speeds)?

The limiting factor for any firewall/packet forwarder is packets per
second, not throughput (so much). pf on FreeBSD currently provides
~750kpps (1M has been reported with careful tuning). This is roughly
1Gbps with 1500 Byte packets.

> 5. Are there any PF vs Cisco|Juniper|3Com layer3 switches comparisons?

Not that I'm aware of, but pf on commodity hardware will always have an
edge in the cost/performance column. You have to pay quite a bit to
obtain a hardware solution that can really *firewall* 750kpps and this
will usually fall short of pf in terms of additional features. Note, for
example, the possibility to build a redundant firewall with ARP
load balancing using CARP and pfsync.

> 6. What role do the network cards play when looking at performance?
> Are there network cards which do more work by themselves to let the CPU
> do other things?

YES! Buying good network cards is essential! The general consensus seems
to be to stick with Intel server cards. In any case stay away from the
low-end on-board stuff. The bus interface is also very important! The
plain old PCI bus has a limit of ~1Gbps itself, so go for PCI-X or better
yet PCIe. Buy a motherboard that offers more than one bus.

In the end it very much depends on your traffic patterns and security
whether pf is the right choice for you. If you should really have steady
1Gbps streams between your subnets, it very likely is not. But then again,
there are very few alternatives to choose from. If you are only looking
at sporadic inter-subnet communication and reliable, secure internet
access for all of them (where usually the uplink is the limiting
factor) - then FreeBSD and pf can certainly provide what you need.

-- 
/"\   Best regards,                      | mlaier@freebsd.org
\ /   Max Laier                          | ICQ #67774661
 X    http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News
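As an added example (not code from this mail or from the pf project), the capacity-planning arithmetic behind the answers to questions 1 and 4: a packet filter is bounded by packets per second, so what matters is how many packets a set of saturated links can deliver at a given packet size, compared against the filter's pps budget. The 750kpps budget, the 1500-byte packet size and the three gigabit subnets come from the thread; the Ethernet framing constants are the standard ones, and the smaller packet sizes are chosen here to show where the budget runs out.

```python
"""Does a pps-bound packet filter keep up with a set of links? (added example)"""
from typing import Iterable, List, Tuple

# Standard Ethernet on-the-wire overhead around each IP packet.
ETH_HDR_FCS = 18    # 14-byte header + 4-byte FCS
PREAMBLE_SFD = 8    # preamble + start-of-frame delimiter
IFG = 12            # inter-frame gap, in byte times
MIN_IP_BYTES = 46   # smallest IP packet that still fills a 64-byte frame


def max_pps(link_bps: float, ip_bytes: int) -> float:
    """Highest packet rate a link can carry when every IP packet is ip_bytes long."""
    if ip_bytes < MIN_IP_BYTES:
        ip_bytes = MIN_IP_BYTES      # shorter packets are padded to a 64-byte frame
    wire_bits = (ip_bytes + ETH_HDR_FCS + PREAMBLE_SFD + IFG) * 8
    return link_bps / wire_bits


def aggregate_pps(links: Iterable[Tuple[float, int]]) -> float:
    """Worst-case pps the filter sees if every link is saturated at its packet size."""
    return sum(max_pps(bps, size) for bps, size in links)


def fits_budget(links: Iterable[Tuple[float, int]], pps_budget: float) -> bool:
    """True if the filter's pps budget covers all links running flat out."""
    return aggregate_pps(links) <= pps_budget


def plan(pps_budget: float, n_gig_links: int) -> List[Tuple[int, int, bool]]:
    """Per packet size: total pps demand of n saturated gigabit links, and whether it fits."""
    rows = []
    for size in (MIN_IP_BYTES, 512, 1500):      # sizes chosen for illustration
        links = [(1e9, size)] * n_gig_links
        demand = aggregate_pps(links)
        rows.append((size, round(demand), demand <= pps_budget))
    return rows


if __name__ == "__main__":
    # The three gigabit subnets from the question (the uplink is left out; the
    # reply notes it is usually the slower link) against the ~750kpps figure.
    for size, demand, ok in plan(750_000, 3):
        verdict = "ok" if ok else "exceeds budget"
        print(f"{size:>5}-byte packets: {demand:>9} pps needed -> {verdict}")
```

The same budget that comfortably covers three saturated gigabit links at MTU-sized packets is exceeded several times over at minimum-sized packets, which is why the reply stresses pps rather than throughput.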