Alan Chandler wrote:
> On Saturday 26 August 2006 15:45, Erik Persson wrote:
> I can't answer your question directly, but I can give you a point in the
> ground.
> I run a debian (was sarge - just updated to etch) server with two 100Mb
> ethernet cards, to act as a router/firewall AND web server, tomcat
> applications server, mail server, fileserver, print server, name server, dhcp
> server etc etc.
> CPU load rarely gets above 3% except when people are accessing the web site
> (that's the java machines in tomcat). That is with a 1.7 GHz Celeron
Thanks!
We are running an Athlon 64 3200+ with 3 100 Mbit/s NICs and a
rather large set of iptables rules. The maximum number of client
computers running at the same time in our internal net is probably
around a couple of hundred (some of the client computers are however
behind NATing routers, so the actual numbers are unknown to us). This
works without any problems. However the external interface is only 50 Mbit/s,
and the number of computers *running at the same time* is thus not very
high. On this computer the load rarely gets above 1% (I can't even
remember having seen it reaching 1%).
Before the computer above we had a PIII 900 MHz which fulfilled the same
task, also without any problems.
From this perspective one would guess that there really shouldn't be
any problems with 1 Gbit/s. But I think there's more to it.
Just to get a feeling of the speed, an ordinary 32-bit 33 MHz PCI bus has a
peak transfer rate of about 1000 Mbit/s, "half duplex".
I have however seen some tests of iptables and routing on dual 1 Gbit/s
NICs and it seems that iptables doesn't really scale that well. There are
however other packet filtering options that do a better job. Routing
could be a problem as well, but the packet filtering seems to be the
real bottleneck.
1 Gbit/s is a large amount of data and the pps would be very high. Let's
for the sake of argument say that the average packet size is 100 bytes
and that there's no overhead at all on the 1 Gbit/s. That would yield 1.25
million pps. This is a huge amount of packets.
From the link below you can see that a dual Opteron 2.2 GHz managed
about 700,000 pps, but there are other factors in this as well (such as the
55,000 new connections per second in the test). This is only routing, and I
guess the Gbit link was saturated.
When using firewalling the pps fell rather dramatically to about 250,000
pps (and 25,000 new connections per second). That is *not* saturating the
link and is about 1/3 of the pps reached when doing only routing.
I don't think we ever will reach that number of new connections per
second, and this will probably relieve the router/firewall of some burden.
On debian-isp I was advised to read the following link:
http://www.hipac.org/
Iptables, nf-hipac (etc) and router performance:
http://people.netfilter.org/kadlec/nftest.pdf
I have heard some people saying it is possible to run Linux as a
Gbit router on PC hardware and some have actually tested it, but it would
be very nice to hear from some more people who have tried it!
Nothing beats the real world.
/erik persson
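The packet-rate arithmetic in the post above, as an added worked example (not code from the original message or from either poster). It reproduces the "100-byte packets, no overhead" estimate of 1.25 million pps on 1 Gbit/s, then generalises it: the wire overhead the post deliberately ignores (preamble, start-of-frame delimiter and inter-frame gap, 20 bytes per frame) is an assumption added here, and the two measured figures from the referenced test (700,000 and 250,000 pps) are used to show what fraction of the link they correspond to and what average packet size would saturate the link at that rate.

```python
# Added example: sizing arithmetic for a PC-based router/firewall.
# Not from the mailing-list post; the constants below are assumptions.

GIGABIT = 1_000_000_000  # link rate in bits per second

# Per-frame overhead on the wire that the post's estimate leaves out:
# 7-byte preamble + 1-byte SFD + 12-byte inter-frame gap. The 4-byte FCS
# is already part of the Ethernet frame size, so it is not counted here.
ETHERNET_WIRE_OVERHEAD_BYTES = 20


def max_pps(link_bits_per_s, packet_bytes, wire_overhead_bytes=0):
    """Upper bound on packets per second for a given link rate and packet size.

    wire_overhead_bytes=0 reproduces the post's "no overhead at all" estimate;
    pass ETHERNET_WIRE_OVERHEAD_BYTES for a more realistic line-rate figure.
    """
    if link_bits_per_s <= 0 or packet_bytes <= 0:
        raise ValueError("link rate and packet size must be positive")
    bits_per_packet = (packet_bytes + wire_overhead_bytes) * 8
    return link_bits_per_s / bits_per_packet


def link_utilisation(measured_pps, link_bits_per_s, packet_bytes, wire_overhead_bytes=0):
    """Fraction of the link a measured forwarding rate uses at that packet size."""
    return measured_pps / max_pps(link_bits_per_s, packet_bytes, wire_overhead_bytes)


def saturating_packet_bytes(measured_pps, link_bits_per_s, wire_overhead_bytes=0):
    """Average packet size at which a given pps figure would fill the link.

    Useful for reading a benchmark backwards: if a box forwarded N pps and the
    link was saturated, the average packet must have been about this large.
    """
    if measured_pps <= 0:
        raise ValueError("measured pps must be positive")
    return link_bits_per_s / (8 * measured_pps) - wire_overhead_bytes


def capacity_report(link_bits_per_s=GIGABIT, packet_bytes=100,
                    measured_rates=(700_000, 250_000)):
    """Summarise the post's scenario as a dict of computed figures."""
    return {
        "max_pps_no_overhead": max_pps(link_bits_per_s, packet_bytes),
        "max_pps_with_overhead": max_pps(
            link_bits_per_s, packet_bytes, ETHERNET_WIRE_OVERHEAD_BYTES),
        "utilisation": {
            pps: link_utilisation(pps, link_bits_per_s, packet_bytes)
            for pps in measured_rates
        },
        "saturating_packet_bytes": {
            pps: saturating_packet_bytes(pps, link_bits_per_s)
            for pps in measured_rates
        },
    }


if __name__ == "__main__":
    report = capacity_report()
    print(f"1 Gbit/s, 100-byte packets, no overhead: "
          f"{report['max_pps_no_overhead']:,.0f} pps")
    print(f"1 Gbit/s, 100-byte packets, with wire overhead: "
          f"{report['max_pps_with_overhead']:,.0f} pps")
    for pps, frac in report["utilisation"].items():
        print(f"{pps:>9,} pps = {frac:.0%} of the link at 100-byte packets; "
              f"saturates the link at ~{report['saturating_packet_bytes'][pps]:.0f}-byte packets")
```

Running it shows that 700,000 pps is only 56% of the link at 100-byte packets, and would saturate a gigabit link only if the average packet were about 179 bytes (no overhead counted); the 250,000 pps firewalling figure is 20% at 100-byte packets. The worst case for a packet filter is the smallest frame: at 64-byte frames with wire overhead the link carries about 1.49 million pps, which is the number to budget for if the rule set must hold up under a flood of minimum-size packets.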