Date: Wed, 26 Mar 2008 17:52:50 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: pf and SMP and busy wires
Message-ID: <200803261752.50776.max@love2party.net>
In-Reply-To: <47EA737B.8060009@skoberne.net>
References: <47EA737B.8060009@skoberne.net>
On Wednesday 26 March 2008 17:02:03 Nejc Škoberne wrote:
> I like pf very much and I was planning to use it as a "central"
> firewall at one of the customers like this:
>
>                     subnet_3
>                        |
> subnet_1 ---------- PF_firewall --------------- subnet_2
>                        |
>                   internet_gw
>
> However, since these are subnets with many computers, these would be
> gigabit connections. But, I am afraid that this machine would not be
> able to process data with gigabit speeds. So my questions are:
>
> 1. Are there any real-life performance evaluations with PF as
> firewall(s) (doing also NAT if possible)?

Yes there are, but I don't have a concrete example at hand. NAT isn't all
that expensive with pf. In general you can hope for up to 750kpps
forwarding performance. Whether that's enough in your situation depends on
the kind of traffic you are looking at.

> 2. How efficiently does PF use SMP (FreeBSD 7.0)?

Not at all. I have plans to change that, though:
http://pf4freebsd.love2party.net/pflock/

N.B. this is a long shot and something for the 8.0 time frame.

> 3. How much would I profit if I had a server with two Dual-Core Intel
> processors? This means 4 cores, right? I guess this should be able to
> process data with gigabit speed in the situation above?

While pf is a serialization point, the rest of the processing
(ether_input -> ip_input -> forward -> ip_output -> ether_output) and the
internet servicing can run in parallel. If you just do forwarding the
natural limit for parallelization is the number of interfaces; although
you won't likely achieve that kind of parallelism, more cores certainly
help. If you add other processing - e.g. VPN endpoints - it's even
better to have "spare" cores.

> 4. How would PF scale if there were 5 or more such subnets instead of 3
> (with gigabit speeds)?

The limiting factor for any firewall/packet forwarder is packets per
second, not throughput (so much). pf on FreeBSD currently provides
~750kpps (1M has been reported with careful tuning). This is roughly
1Gbps with 1500 Byte packets.

> 5. Are there any PF vs Cisco|Juniper|3Com layer3 switches comparisons?

Not that I'm aware of, but pf on commodity hardware will always have an
edge in the cost/performance column. You have to pay quite a bit to
obtain a hardware solution that can really *firewall* 750kpps and this
will usually fall short of pf in terms of additional features. Note, for
example, the possibility to build a redundant firewall with ARP
load balancing using CARP and pfsync.

> 6. What role do the network cards play when looking at performance?
> Are there network cards which do more work by themselves to let the CPU
> do other things?

YES! Buying good network cards is essential! The general consensus seems
to be to stick with Intel server cards. In any case stay away from the
low end on-board stuff. The bus interface is also very important! The
plain old PCI bus has a limit of ~1Gbps itself, so go for PCI-X or better
yet PCIe. Buy a motherboard that offers more than one bus.

In the end it very much depends on your traffic patterns and security if
pf is the right choice for you. If you should really have steady 1Gbps
streams between your subnets it very likely is not. But then again,
there are very few alternatives to choose from. If you are only looking
at sporadic inter-subnet communication and reliable, secure internet
access for all of them (where usually the uplink is the limiting
factor) - then FreeBSD and pf can certainly provide what you need.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
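The redundant pair Max alludes to under question 5 (CARP for a shared virtual address per subnet, pfsync to replicate the state table so established connections survive a failover) looks roughly like the fragments below on a FreeBSD 7-era box. This is an added illustration, not configuration taken from the thread or from the pf project: the interface names em0/em1/em2, the addresses, the VHIDs and the CARP password are placeholders that would need to be adapted to the subnets in the diagram.

```conf
# /etc/rc.conf fragment (added example; interface names, addresses and
# the CARP password are placeholders, not values from the thread)
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

# One CARP interface per served subnet. The standby box uses the same
# vhid and pass but a higher advskew, so this host wins the election.
cloned_interfaces="carp0 carp1"
ifconfig_em0="inet 192.0.2.2 netmask 255.255.255.0"
ifconfig_em1="inet 198.51.100.2 netmask 255.255.255.0"
ifconfig_carp0="vhid 1 advskew 0 pass CHANGE_ME 192.0.2.1/24"
ifconfig_carp1="vhid 2 advskew 0 pass CHANGE_ME 198.51.100.1/24"

# pfsync replicates pf's state table to the peer over a dedicated
# point-to-point link (em2), never over a shared or routed segment.
ifconfig_em2="inet 10.255.255.1 netmask 255.255.255.252"
pfsync_enable="YES"
pfsync_syncdev="em2"

# /etc/sysctl.conf fragment: let a recovered master take the VIP back.
net.inet.carp.preempt=1

# /etc/pf.conf fragment
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

# pfsync traffic is only ever expected on the sync link; the state
# entries for it must not themselves be synchronised (no-sync).
pass quick on $sync_if proto pfsync keep state (no-sync)

# CARP advertisements go to multicast 224.0.0.18 on the served links.
pass on { $ext_if $int_if } proto carp keep state (no-sync)
```

Two points matter from a security standpoint when copying this pattern: pfsync carries the whole state table without any authentication or encryption, so the sync interface should be a crossover cable or an otherwise private link (or tunnelled through IPsec), and the CARP password only protects the advertisement exchange, not the synchronised state data. Whether the standby node actually holds the states can be checked with `pfctl -s state` on the peer after a few connections have been opened through the master.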
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803261752.50776.max>