Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 2 Jan 2005 09:32:14 -0500
From:      Bill Moran <wmoran@potentialtech.com>
To:        "Victor Foulk" <VFoulk@KEWD.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD Gateway
Message-ID:  <20050102093214.10d4b2e1.wmoran@potentialtech.com>
In-Reply-To: <000001c4f09b$f67534d0$68bbbbc0@kewdaeahnhd04i>
References:  <000001c4f09b$f67534d0$68bbbbc0@kewdaeahnhd04i>

next in thread | previous in thread | raw e-mail | index | archive | help
"Victor Foulk" <VFoulk@KEWD.com> wrote:
> Hello all,
> 
> I have been looking into setting up a network gateway
> using a FreeBSD box, so that I may employ many of the
> network security features of the system (and to 
> overcome the fact that the current network is
> insecurely connected to a much larger ~public LAN).
> 
> The configuration would be much like this:
> {Internet}--{Huge/NastyLAN}--{FreeBSDGate}--{SafeLAN}
> 
> Most of what I see states that I should use 
> a *minimum* of:
> 
> 266Mhz processor
> 64MB RAM
> 1GB HD (actually ~2GB based on number 
>         desired security apps)
> 2 Compatible NIC's
> 
> What I really had hoped to find, was more of an experienced
> networking guru's thumb rule equating the number of safeLAN
> workstations with the required gateway RAM/Processor; to 
> enable all safeLAN users to experience a minimal network
> transaction time roughly equivalent to what they would see
> if plugged directly into a really good hub.
> Something maybe in the form of:
> Proc Speed = X*Users+Y
> RAM = W*Users+Z
> 
> I am far too new at this to have a clue what numbers to use
> to even approximate. Any advice on this matter would be most
> appreciated.
> Thanks!
> Victor

Unfortunatley, there isn't a simple way to develop such an
equation.  How much CPU/RAM you need is going to be dependant
on more than just the number of computers involved.  Two additional
factors can play a large part: 1) The number of firewall rules and
2) the amount of traffic (such as UDP) that creates dynamic rules.
Rules take time to process, and more traffic takes more time with
more rules.  UDP traffic usually requires stateful rules, and that
generates dynamic rules, which increases the amount of time to
process each packet.  So it's important to design your ruleset
carefully to avoid unnecessary processing.

However, in my experience, the most critical hardware choice is
the network cards themselves.  Cheapo network cards will really
hurt performance under load.  So toss the cheapo Realtek cards
into the trash and spend a little extra on an Intel or other name
brand card designed for a server.

As a general rule of thumb, I won't put FreeBSD on anything smaller
than a 1Ghz with 128M of RAM and 4G of disk space.  While you can
get away with smaller, that's about the minimum before using the
box for maintenance purposes becomes a terrible burdon.  Try upgrading
and rebuilding world on a 266!

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050102093214.10d4b2e1.wmoran>