On Thu, Apr 16, 2009 at 12:34:47AM -0400, Daniel Ouellet wrote:
>> I'm looking for hardware to replace my current firewalls, and
>> my understanding is that Opteron gear is the way to go for pf
>> performance.
>
> As Theo said, there is no point in that. The only thing I could think of
> really is to put more of your money into a good network card, or hardware with
> a good built-in NIC. A single-core processor would be best, as the kernel
> is not fully taking advantage of it yet. Sure, it's getting better and better
> all the time, and as it looks, it may soon be pretty good. Don't get me
> wrong, it's not bad as is, but for a firewall and router, for example,
> unless things have changed dramatically in the last two years, you are still
> best off with a single-core CPU for this type of setup.
Although I've subscribed to this philosophy for a while now, I recently deployed a pf pair where it was beneficial to run the MP kernel. At least it was according to systat.

This particular site does nothing but forward packets at layer 3. No translation or bridging. It has a typical traffic profile for a high-volume website, except that we also recently merged networks to include their mail campaigns. We completed the migration after upgrading their core firewalls to a pair of SuperMicro systems with all em(4) interfaces, on snapshots from around the 4.5 tagging (primarily to take advantage of recent interrupt mitigation and livelock enhancements).

While the firewalls handled the workload, CPU numbers were very high. The MASTER node peaked between 80-90% each day, almost exclusively from interrupts. I had thoroughly tested these systems before deploying them, but hadn't triggered this behavior in my benchmarks.

We had a spare set of servers available, so I went back to the lab and reproduced the traffic profile. I then tested the same load with the MP kernel. My tests revealed that even though the kernel is not threaded, we benefit from equal distribution of interrupts across all cores. Our interrupt load effectively decreased by a factor of 4; since we aren't performing any userland activity, the other 3 cores are otherwise unused.

I've been meaning to bring this up with some of the pf developers. This seems like a good place to address it. I hope that my findings are accurate and not a user (or systat) error. Perhaps this will help others with their purchasing decisions.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/