From owner-freebsd-questions@FreeBSD.ORG Thu Oct 23 09:26:24 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B77216A4B3; Thu, 23 Oct 2003 09:26:24 -0700 (PDT)
Received: from monster.schulte.org (monster.schulte.org [209.134.156.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id 59C8E43F3F; Thu, 23 Oct 2003 09:26:23 -0700 (PDT) (envelope-from schulte+freebsd@nospam.schulte.org)
Received: from localhost (localhost [127.0.0.1]) by monster.schulte.org (Postfix) with ESMTP id B90C51FB66; Thu, 23 Oct 2003 11:26:19 -0500 (CDT)
Received: from thor (thor.schulte.org [209.134.156.204]) by monster.schulte.org (Postfix) with ESMTP id B424C1FB2F; Thu, 23 Oct 2003 11:26:18 -0500 (CDT)
From: "Christopher Schulte"
To: ,
Date: Thu, 23 Oct 2003 11:26:48 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Thread-Index: AcOZgnUOPNFCnynETbasNK3ZIPvMGw==
Message-Id: <20031023162618.B424C1FB2F@monster.schulte.org>
X-Virus-Scanned: by AMaViS 0.3.12pre8 on monster.schulte.org
Subject: IPFW + BRIDGE: network capacity question
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 23 Oct 2003 16:26:24 -0000

Hello everyone.

I have an Intel D815EGEW board with a single PIII 1GHz, 256MEG RAM, 2 Intel Pro 100MB cards. This will be used as an IPFW+bridging firewall with FreeBSD 4.8 (RELENG_4_8, perhaps RELENG_4_9 when available). My message is about network capacity.

Assume that it will be processing at peak all of this at once:

 - 500 TCP connections with long lived sessions (an hour or more at a time)
 - 500 UDP 'connections'
 - 500 web (HTTP port 80 tcp) connections per second (graphics, small html pages)

The HTTP sessions will be short lived, so lots of TCP handshakes; at *least* a good portion will not utilize persistent HTTP.

The total bandwidth could be 20-50 megabits, mostly outbound to clients on the internet.

Should I tweak the kernel at all for this? NMBCLUSTERS or NMBUFS? Something else?

For IPFW, I figure that adding accept rules that catch most of the packets up front will help lower CPU usage. Is this correct? Maybe allow TCP if the session is established, allow setup of outbound TCP, allow setup of incoming TCP/80, allow outbound UDP packets to be happy, etc.

Does anyone see any possible issues with this configuration and the expected network load?

Thank you, folks! Any suggestions are very appreciated.
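The rule ordering Christopher sketches (established TCP first, then outbound setup, inbound setup to port 80, outbound UDP, default deny) relies on ipfw's first-match evaluation: the fewer rules the common packet has to traverse, the less CPU per packet. The following is an added example, not code from the post or from FreeBSD, that simulates first-match evaluation over that ruleset with a constructed traffic mix and reports how many rules each packet class touches. The rule conditions are a simplified subset of ipfw(8) matching (proto, direction, destination port, and the TCP-flag tests `established` = ACK or RST set and `setup` = SYN set without ACK); the rule numbers, packet counts and the `LATE_ESTABLISHED` comparison ordering are all assumptions made for the illustration. It also exercises a property of the stateless `established` rule that a defender should keep in mind when reviewing such a ruleset: any inbound packet carrying ACK is accepted by rule 100, so inbound policy is enforced only at connection setup.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    direction: str   # "in" = arriving from the internet, "out" = leaving our servers
    dport: int
    syn: bool = False
    ack: bool = False


# A rule is (number, action, conditions). Conditions are a constructed subset
# of ipfw(8) matching; this is a simulator, not an ipfw parser.
Rule = Tuple[int, str, Dict[str, object]]

# Constructed ruleset in the order proposed in the post: the rule most
# packets hit (established TCP) comes first so the common case stops early.
PROPOSED: List[Rule] = [
    (100, "allow", {"proto": "tcp", "established": True}),
    (200, "allow", {"proto": "tcp", "direction": "out", "setup": True}),
    (300, "allow", {"proto": "tcp", "direction": "in", "dport": 80, "setup": True}),
    (400, "allow", {"proto": "udp", "direction": "out"}),
    (65535, "deny", {}),  # ipfw's implicit default-deny rule
]

# Same rules, assumed comparison ordering: established TCP placed after the setup rules.
LATE_ESTABLISHED: List[Rule] = [PROPOSED[1], PROPOSED[2], PROPOSED[3], PROPOSED[0], PROPOSED[4]]


def matches(pkt: Packet, cond: Dict[str, object]) -> bool:
    """Return True if every condition of one rule holds for the packet."""
    if "proto" in cond and pkt.proto != cond["proto"]:
        return False
    if "direction" in cond and pkt.direction != cond["direction"]:
        return False
    if "dport" in cond and pkt.dport != cond["dport"]:
        return False
    # 'established' is stateless: it only checks flags (RST is folded into ack here)
    if cond.get("established") and not pkt.ack:
        return False
    # 'setup' matches the first packet of a handshake: SYN set, ACK clear
    if cond.get("setup") and not (pkt.syn and not pkt.ack):
        return False
    return True


def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[int, str, int]:
    """First-match walk: return (rule number, action, rules examined)."""
    for examined, (num, action, cond) in enumerate(ruleset, start=1):
        if matches(pkt, cond):
            return num, action, examined
    raise RuntimeError("unreachable: rule 65535 matches every packet")


def constructed_traffic() -> List[Packet]:
    """Constructed packet mix: mostly mid-session TCP, a few handshakes, some UDP."""
    mix: List[Packet] = []
    mix += [Packet("tcp", "in", 80, ack=True)] * 900     # established web traffic
    mix += [Packet("tcp", "out", 443, syn=True)] * 50    # outbound connection setup
    mix += [Packet("tcp", "in", 80, syn=True)] * 30      # inbound web handshakes
    mix += [Packet("udp", "out", 53)] * 15               # outbound DNS
    mix += [Packet("tcp", "in", 22, syn=True)] * 5       # inbound SSH setup, hits default deny
    return mix


def mean_rules_examined(ruleset: List[Rule], packets: List[Packet]) -> float:
    """Average number of rules walked per packet under first-match semantics."""
    total = sum(evaluate(ruleset, p)[2] for p in packets)
    return total / len(packets)


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("proposed order, rules per packet:", mean_rules_examined(PROPOSED, traffic))
    print("established last, rules per packet:", mean_rules_examined(LATE_ESTABLISHED, traffic))
    # Caveat made visible: a stateless 'established' rule accepts any inbound
    # ACK-bearing packet regardless of port, so policy lives at setup time.
    print("inbound ACK to port 22:", evaluate(PROPOSED, Packet("tcp", "in", 22, ack=True)))
```

With the constructed mix the proposed order walks about 1.2 rules per packet versus roughly 3.8 when the established rule is moved after the setup rules, which is the CPU effect the post is asking about. The last print shows the trade-off of a flag-based `established` rule: it is cheap precisely because it keeps no state, so the inbound setup rules are the only place the port policy is applied.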