Date: Sun, 4 Feb 2001 17:15:56 -0800
From: "Crist J. Clark"
To: Lorin Lund
Cc: FreeBSD Questions
Subject: Re: How much processing power is needed for a firewall with encyption for a fat pipe?
Message-ID: <20010204171556.Y91447@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu

On Sun, Feb 04, 2001 at 07:55:10AM -0700, Lorin Lund wrote:
> If I were to implement a gateway/firewall with FreeBSD and IPsec, how much
> bandwidth could I handle with, say a 1GHz processor? I'm interested in
> getting a feel for how much processing power is needed for VPN gateways for
> various size pipes. I hope to do some VPN work in my region. (Utah/Nevada)

The best answer, as always: it depends.

Unless you are going to have a T3 or other mega-pipe, the network is
almost always going to be the choke point. Even multiple T1s are
nothing for a properly configured PII 400 and up.

Things to consider:

- When you say IPsec, I assume you mean this machine is the end of a
  tunnel. If you are just passing IPsec through, that is no different
  than regular IP routing.

- Certain portions of an IPsec connection take much more horsepower
  than others. Namely, the public key computations during the initial
  IKE exchanges as opposed to the symmetric key algorithms used during
  the established connection. Is this machine a tunnel for a small
  number of connections with lots of traffic for each (something like
  gateway-to-gateway), or lots of low traffic connections (more like
  client-to-gateway)?

- What encryption algorithms? Yes. It matters.

But... Again, the typical choke is the network. For example,
fragmentation issues are much more likely to cause pain than too
little CPU at the gateway.
--
Crist J. Clark                           cjclark@alum.mit.edu
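
To put numbers on the fragmentation point in the reply above, the following added example (not part of the original message) computes how large a packet becomes after ESP tunnel-mode encapsulation and how many IPv4 fragments the gateway then emits. The 1500-byte MTU, the IPv4 outer header without options, and the two cipher/authentication profiles are assumptions chosen for illustration; the message names no algorithms.

```python
# Added example: ESP tunnel-mode size arithmetic.
# All cipher parameters below are assumptions, not taken from the message.
from math import ceil

ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
OUTER_IP = 20      # outer IPv4 header without options

# Assumed profiles: (cipher block size, IV size, ICV size) in bytes.
PROFILES = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
}

def esp_tunnel_len(inner_len, profile):
    """Size on the wire of one inner IP packet after ESP tunnel encapsulation."""
    block, iv, icv = PROFILES[profile]
    pad = -(inner_len + ESP_TRAILER) % block  # CBC pads payload+trailer to a block
    return OUTER_IP + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + icv

def max_inner_len(mtu, profile):
    """Largest inner packet whose encapsulated form still fits in one MTU."""
    block, iv, icv = PROFILES[profile]
    room = mtu - OUTER_IP - ESP_HDR - iv - icv  # bytes left for ciphertext
    return room // block * block - ESP_TRAILER

def fragments(inner_len, mtu, profile):
    """Number of IPv4 fragments needed to carry one encapsulated packet."""
    payload = esp_tunnel_len(inner_len, profile) - OUTER_IP
    per_fragment = (mtu - OUTER_IP) // 8 * 8    # fragment data is a multiple of 8
    return ceil(payload / per_fragment)

if __name__ == "__main__":
    mtu = 1500  # assumed Ethernet-sized path MTU
    for name in PROFILES:
        limit = max_inner_len(mtu, name)
        print(f"{name}: 1500-byte inner packet -> "
              f"{esp_tunnel_len(1500, name)} bytes on the wire, "
              f"{fragments(1500, mtu, name)} fragments; "
              f"largest unfragmented inner packet {limit} bytes "
              f"(TCP MSS {limit - 40} with no IP/TCP options)")
```

Under these assumptions every full-size packet from a host behind the gateway is split in two, which doubles the packet count on the tunnel path; keeping the inner packets at or below the computed limit (for example by lowering the MTU or TCP MSS on the protected side) avoids that.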