On Wednesday 26 March 2008 17:02:03 Nejc Škoberne wrote:
> I like pf very much and I was planning to use it as a "central"
> firewall at one of the customers like this:
>
>                  subnet_3
>                     |
> subnet_1 ---------- PF_firewall --------------- subnet_2
>                     |
>                 internet_gw
>
> However, since these are subnets with many computers, these would be
> gigabit connections. But, I am afraid that this machine would not be
> able to process data with gigabit speeds. So my questions are:
>
> 1. Are there any real-life performance evaluations with PF as
> firewall(s) (doing also NAT if possible)?

Yes there are, but I don't have a concrete example at hand. NAT isn't
all that expensive with pf. In general you can hope for up to 750kpps
forwarding performance. Whether that's enough in your situation depends
on the kind of traffic you are looking at.

> 2. How efficiently does PF use SMP (FreeBSD 7.0)?

Not at all. I have plans to change that, though:
http://pf4freebsd.love2party.net/pflock/
N.B. this is a long shot and something for the 8.0 time frame.

> 3. How much would I profit if I had a server with two Dual-Core Intel
> processors? This means 4 cores, right? I guess this should be able to
> process data with gigabit speed in the situation above?

While pf is a serialization point, the rest of the processing
(ether_input -> ip_input -> forward -> ip_output -> ether_output) and
the internet servicing can run in parallel. If you just do forwarding,
the natural limit for parallelization is the number of interfaces;
although you won't likely achieve that kind of parallelism, more cores
certainly help. If you add other processing - e.g. VPN endpoints - it's
even better to have "spare" cores.

> 4. How would PF scale if there were 5 or more such subnets instead of 3
> (with gigabit speeds)?

The limiting factor for any firewall/packet forwarder is packets per
second, not throughput (so much). pf on FreeBSD currently provides
~750kpps (1M has been reported with careful tuning). This is roughly
1Gbps with 1500 Byte packets.

> 5. Are there any PF vs Cisco|Juniper|3Com layer3 switches comparisons?

Not that I'm aware of, but pf on commodity hardware will always have an
edge in the cost/performance column. You have to pay quite a bit to
obtain a hardware solution that can really *firewall* 750kpps, and this
will usually fall short of pf in terms of additional features. Note,
for example, the possibility to build a redundant firewall with ARP
load balancing using CARP and pfsync.

> 6. What role do the network cards play when looking at performance?
> Are there network cards which do more work by themselves to let the
> CPU do other things?

YES! Buying good network cards is essential! The general consensus
seems to be to stick with Intel server cards. In any case, stay away
from the low-end on-board stuff. The bus interface is also very
important! The plain old PCI bus has a limit of ~1Gbps itself, so go
for PCI-X or better yet PCIe. Buy a motherboard that offers more than
one bus.

In the end it very much depends on your traffic patterns and security
whether pf is the right choice for you. If you should really have
steady 1Gbps streams between your subnets, it very likely is not. But
then again, there are very few alternatives to choose from. If you are
only looking at sporadic inter-subnet communication and reliable,
secure internet access for all of them (where usually the uplink is the
limiting factor) - then FreeBSD and pf can certainly provide what you
need.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
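The reply's central point is that a forwarder's budget is packets per second, not bytes, so the question "will 750kpps carry a gigabit link?" depends on the frame size of the traffic. The small calculator below makes that concrete; it is an added example, not code from the thread or from the pf project. It assumes standard Ethernet framing (frame sizes 64..1518 bytes including the FCS, plus 20 bytes of preamble, start-of-frame delimiter and inter-frame gap that are on the wire but never counted in the frame size), and takes the 750kpps figure quoted above as the single-instance pf budget.

```python
# Added example (not from the mailing-list post): capacity planning in
# packets per second (pps), the unit that actually bounds a software
# firewall/forwarder such as pf.  Assumptions: standard Ethernet
# framing; the 750 kpps budget is the figure quoted in the reply.

# Bytes on the wire that the "frame size" does not include:
# 7-byte preamble + 1-byte SFD + 12-byte minimum inter-frame gap.
ETHERNET_WIRE_OVERHEAD = 20

MIN_FRAME = 64      # smallest legal Ethernet frame (incl. FCS)
MAX_FRAME = 1518    # largest untagged frame (incl. FCS)


def pps_for_line_rate(link_bps: int, frame_bytes: int) -> int:
    """Packets per second needed to fill a link when every frame is
    `frame_bytes` long (frame size including FCS, 64..1518)."""
    wire_bits = (frame_bytes + ETHERNET_WIRE_OVERHEAD) * 8
    return link_bps // wire_bits


def line_rate_bps(pps: int, frame_bytes: int) -> int:
    """Bits per second a forwarder sustaining `pps` delivers at a
    fixed frame size (useful for reading a kpps figure as bandwidth)."""
    return pps * (frame_bytes + ETHERNET_WIRE_OVERHEAD) * 8


def smallest_frame_at_line_rate(pps_budget: int, link_bps: int) -> int:
    """Smallest frame size at which `pps_budget` still fills the link.
    Traffic made of smaller frames than this is pps-bound, not
    bandwidth-bound."""
    wire_bytes = -(-link_bps // (8 * pps_budget))    # ceiling division
    return max(MIN_FRAME, wire_bytes - ETHERNET_WIRE_OVERHEAD)


def can_saturate(pps_budget: int, link_bps: int, frame_bytes: int) -> bool:
    """True if the pps budget is enough to run the link at line rate
    with frames of the given size."""
    return pps_for_line_rate(link_bps, frame_bytes) <= pps_budget


def aggregate_pps_required(link_bps_list, frame_bytes: int) -> int:
    """Packets arriving per second if every listed link ran at line
    rate at once.  With one pf instance serialising all interfaces
    (question 4 above), this is the number to hold against the budget."""
    return sum(pps_for_line_rate(bps, frame_bytes) for bps in link_bps_list)


if __name__ == "__main__":
    GBE = 1_000_000_000
    BUDGET = 750_000  # kpps figure quoted in the reply

    for size in (MIN_FRAME, 128, 256, 512, 1024, MAX_FRAME):
        need = pps_for_line_rate(GBE, size)
        print(f"{size:5d}-byte frames: {need:>9,d} pps to fill 1 GbE; "
              f"{BUDGET:,} pps covers it: {can_saturate(BUDGET, GBE, size)}")

    print("pps-bound below frames of",
          smallest_frame_at_line_rate(BUDGET, GBE), "bytes")

    # Five gigabit subnets, all busy with 512-byte frames at once:
    five_links = [GBE] * 5
    print("five 1 GbE links at 512-byte frames need",
          f"{aggregate_pps_required(five_links, 512):,} pps")
```

The 64-byte case is the classic "1.488 Mpps per gigabit" worst case; a 750kpps box is comfortable with bulk transfers of large frames but not with a flood of minimum-size packets, which is why the reply keeps steering the sizing discussion back to packet rate and traffic pattern rather than link speed.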