Date: Tue, 17 Jun 2014 16:03:00 +0100
Subject: Re: Suggestions for low-power gigE firewall?
From: Tom Evans
To: Peter Jeremy
Cc: Chris Nehren, FreeBSD stable

On Sun, Jun 15, 2014 at 10:08 AM, Peter Jeremy wrote:
> On 2014-Jun-13 08:17:33 -0400, Chris Nehren wrote:
>>Speaking of Soekris elsethread, I'm presently interested in
>>picking up a small device to use as a router + firewall for my
>>home network.
>
> One thing to keep in mind is that 'gigE firewall' is fairly meaningless by
> itself. Most of the load is per-packet and GigE could be anywhere between
> (roughly) 80kpps and 1.5mpps.
>
> That said, since you mention 'home network', I presume you don't need complex
> packet manipulation at wire-speed. Note that whilst the re(4) driver doesn't
> have the same comments as the rl(4) driver, you will still need significantly
> more CPU power to get the same thruput from a RTL8111 as (eg) an em.

This is quite interesting to me; I'm very fortunate in that my ISP provides synchronous gigabit, which comes in to my block of flats as fibre and then is presented to me as ethernet.

The ISP provided a router; they also noted that the router was not capable of utilizing the whole connection, and the most that I could achieve out of it would be ~ 800-900Mbit. Plus, although it's a pretty good router, I want to run my own dhcpd settings, configure tunnels and VPNs etc.

Ideally, I'd replace it with my home server, but there is not enough space in the "comms room" (aka the washing machine closet) to put that there, and not enough wiring to route the WAN connection to where the server is now and then back to the patch panel in the comms room to distribute throughout the flat.

The next best would be to replace it with a small Soekris style box running BSD that can fit in the comms room - but how to know what will be sufficient, or even where the bottlenecks would be - is it pps that is the issue, or is NAT at high throughput going to be a problem?

And how to measure my current usage? If I'm "filling" my GigE, then it is probably because I am downloading something, which means it's unlikely to be hundreds of thousands of small packets, right?

Talk about first world problems!

Cheers

Tom
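
An added example, not part of the original message: the per-packet arithmetic behind the "80kpps to 1.5mpps" range quoted above, applied to interface counter deltas to show whether a load is bandwidth-bound or packet-rate-bound. The function names and both counter samples are constructed for illustration, and it assumes the byte counters count whole frames including header and FCS.

```python
# Standard gigabit Ethernet figures; everything else here is hypothetical.
LINE_RATE_BPS = 1_000_000_000      # gigabit Ethernet line rate
WIRE_OVERHEAD = 8 + 12             # preamble+SFD and inter-frame gap, bytes per frame
MIN_FRAME, MAX_FRAME = 64, 1518    # frame sizes incl. header and FCS, no VLAN tag


def line_rate_pps(frame_bytes, rate_bps=LINE_RATE_BPS):
    """Frames per second needed to fill the link at one fixed frame size."""
    if not MIN_FRAME <= frame_bytes <= MAX_FRAME:
        raise ValueError("frame size outside standard Ethernet range")
    return rate_bps / ((frame_bytes + WIRE_OVERHEAD) * 8)


def load_from_counters(before, after, seconds):
    """Summarise load from two (packets, bytes) counter samples taken
    `seconds` apart on the same interface and direction."""
    pkts = after[0] - before[0]
    octets = after[1] - before[1]
    if seconds <= 0 or pkts < 0 or octets < 0:
        raise ValueError("bad interval or counters went backwards")
    if pkts == 0:
        return {"pps": 0.0, "avg_frame": 0.0, "mbit": 0.0,
                "link_util": 0.0, "pps_vs_worst_case": 0.0}
    pps = pkts / seconds
    # Bits actually occupying the wire, including per-frame overhead.
    wire_bps = (octets + pkts * WIRE_OVERHEAD) * 8 / seconds
    return {
        "pps": pps,
        "avg_frame": octets / pkts,
        "mbit": octets * 8 / seconds / 1e6,
        "link_util": wire_bps / LINE_RATE_BPS,
        # Fraction of the packet rate a box must survive with minimum-size frames.
        "pps_vs_worst_case": pps / line_rate_pps(MIN_FRAME),
    }


# Constructed samples, 10 seconds apart.
BULK = load_from_counters((0, 0), (800_000, 1_214_400_000), 10)   # full-size frames
SMALL = load_from_counters((0, 0), (5_000_000, 320_000_000), 10)  # 64-byte frames

if __name__ == "__main__":
    print("bounds:", round(line_rate_pps(MAX_FRAME)), round(line_rate_pps(MIN_FRAME)))
    for name, s in (("bulk download", BULK), ("small packets", SMALL)):
        print(name, {k: round(v, 3) for k, v in s.items()})
```

The bulk sample fills about 98% of the link at only 80,000 packets per second, while the small-packet sample moves 256 Mbit/s yet already demands a third of the worst-case packet rate.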