Hey all, I was hoping there are some heavy PF users here who wouldn't mind sharing some of their experiences? So I've watched Henning's talk about PF performance, read the PDF, but I haven't actually seen anyone saying they can, and do, PF at 10Gbps. Can it? If so, what actual hardware can? Or more precisely, what hardware could sustain our expected usage?

We've got a big project in its earliest stages which would require very basic firewalling at multi-gigabit-per-second. Probably in the region of 3Gbps (yes yes, PPS is the real killer), with peaks for software releases much higher. No NAT, just routing (bgpd/ospfd), and simple limits on what ports are available. I can't imagine needing more than 200-300 rules. I'm actually a Linux guy, and I'm pretty confident that netfilter simply won't keep up, and while we've not personally used OpenBSD in "anger" yet, there is plenty of time to get acquainted.

So, at the edges I'm imagining a large hardware router, handing off to OpenBSD to sub-route, VLAN, PF, to the actual servers, and then a few tens of Mbps of IPSec stuff back to base.

The traffic patterns expected are very approximately:

 - 5Mbps DNS
 - 30Mbps of HTTP requests that elicit a sub-500-byte response. 200,000,000 hits per day.
 - 300Mbps of "normal" HTTP.
 - 2-3Gbps of several-hundred-KB to many-MB files over HTTP.
 - 20Mbps of "stuff" over IPSec.
 - syslog, ssh, snmp, etc.

Nearer the core will have much more complex PF rules, but only on a few hundred Mbps, so easy for modest hardware.

Thanks
-- Mike Williams
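For readers wondering what "very basic firewalling, no NAT, simple limits on what ports are available" looks like as a PF ruleset, here is an added example pf.conf sketched for the traffic mix described in the post (DNS, HTTP/HTTPS, IPsec back to base, syslog/ssh/snmp for management). It is not from the original thread or from the OpenBSD project; the interface names, address ranges and the state limit are assumptions chosen for illustration, and the service networks are constructed placeholders.

```pf
# Added example, not from the original post. Interface names and
# address ranges below are assumptions; replace with your own.
ext_if = "ix0"          # toward the upstream hardware router
int_if = "vlan100"      # VLAN toward the servers
mgmt_net = "10.200.0.0/24"          # constructed: where syslog/snmp/ssh come from
base_gw  = "192.0.2.10"             # constructed: IPsec peer back at base

# Tables are O(log n) lookups; one rule against a table replaces
# many near-identical rules, which keeps the ruleset short.
table <web>   { 10.1.0.0/24 }       # constructed HTTP/HTTPS server range
table <dns>   { 10.1.1.0/28 }       # constructed DNS server range
table <bogons> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

# Skip filtering entirely on loopback; nothing to gain there.
set skip on lo0

# State table sizing: the default is far too small for 200M hits/day.
# The value is an assumption; size it from measured concurrent flows.
set limit states 2000000
set optimization aggressive          # expire idle states sooner
set ruleset-optimization basic
set state-policy if-bound

# Default deny, logged, so unexpected traffic is visible in pflog0.
block drop in log on $ext_if
block drop in quick on $ext_if from <bogons>

# First-match ('quick') rules for the bulk traffic so the high-volume
# flows stop evaluating rules as early as possible.
pass in quick on $ext_if proto udp to <dns> port 53 keep state
pass in quick on $ext_if proto tcp to <web> port { 80 443 } \
    flags S/SA keep state (max-src-conn-rate 300/10)

# IPsec to base: IKE, NAT-T and ESP only from the known peer.
pass in quick on $ext_if proto udp from $base_gw port { 500 4500 }
pass in quick on $ext_if proto esp from $base_gw

# Management plane only from the management network.
pass in quick on $int_if proto tcp from $mgmt_net port 22 keep state
pass in quick on $int_if proto udp from $mgmt_net port { 161 514 }

# Everything the box originates or forwards outbound.
pass out quick on { $ext_if $int_if } keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch `pfctl -si` for state-table inserts and `pfctl -sr -v` for per-rule evaluation counts; the latter shows whether the `quick` rules for the bulk flows really match first. The design choice that matters for throughput here is not the rule count but that the hot paths (HTTP to `<web>`, DNS to `<dns>`) are stateful, table-based and marked `quick`, so each packet after the first in a flow is a state lookup rather than a walk through the ruleset.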