Really, nobody firewalls at multi-Gbps? Or have I contravened some convention in my questions or wording?
On Friday 22 January 2010 23:55:45 Mike Williams wrote:
> I missed two bits of information...
> Routing. With only one upstream routing device these would only have one
> route, maybe two (internet, and internal).
> A bit of mental gymnastics, ok a calculator, gives something like 400 Kpps.
> Which, if my assumptions on packet sizes are right, isn't mind-numbingly
> scary.
>
> On Friday 22 January 2010 20:12:29 Mike Williams wrote:
> > Hey all,
> >
> > I was hoping there are some heavy PF users here, who wouldn't mind
> > sharing some of their experiences?
> > So I've watched Henning's talk about PF performance, read the PDF, but I
> > haven't actually seen anyone saying they can, and do, PF at 10Gbps.
> > Can it?
> > If so, what actual hardware can? Or more precisely, what hardware could
> > sustain our expected usage?
> >
> >
> > We've got a big project in its earliest stages which would require very
> > basic firewalling at multi-gigabit-per-second. Probably in the region of
> > 3Gbps (yes yes, PPS is the real killer), with peaks for software
> > releases much higher. No NAT, just routing (bgpd/ospfd), and simple
> > limits on what ports are available. I can't imagine needing more than
> > 200-300 rules. I'm actually a Linux guy, and I'm pretty confident that
> > netfilter simply won't keep up, and while we've not personally used
> > OpenBSD in "anger" yet, there is plenty of time to get acquainted.
> >
> > So, at the edges I'm imagining a large hardware router, handing off to
> > OpenBSD to sub-route, VLAN, PF, to the actual servers, and then a few
> > 10s of Mbps of IPSec stuff back to base.
> > The traffic patterns expected are very approximately:
> > 5Mbps DNS
> > 30Mbps of HTTP requests that elicit a sub-500byte response. 200,000,000
> > hits per day.
> > 300Mbps of "normal" HTTP.
> > 2-3Gbps of several hundred KB, to many-MB, files over HTTP.
> > 20Mbps of "stuff" over IPSec. syslog, ssh, snmp, etc.
> >
> > Nearer the core will have much more complex PF rules, but only on a few
> > hundred Mbps, so easy for modest hardware.
> >
> >
> > Thanks
>
> -- 
> Mike Williams
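As an added worked example (not part of the original post, and not the calculation Mike did), the script below turns the traffic mix quoted above into a packets-per-second estimate, since pps rather than bandwidth is what a pf box actually has to keep up with. The Mbps and hits-per-day figures are the ones in the message; every average packet size, ACK ratio and packets-per-hit count is an assumption chosen here for illustration and marked as such in the code. Replace them with numbers from your own captures before sizing hardware on the result.

```python
"""Back-of-envelope packets-per-second (pps) estimate for a firewall traffic mix.

Added example, not from the mailing-list post. The Mbps and hits/day figures
are the ones quoted in the thread; every average packet size, ACK ratio and
packets-per-hit value is an ASSUMPTION chosen here to make the arithmetic
concrete. Replace them with numbers from your own captures before sizing
hardware on the result.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Bulk:
    """Traffic class described by bandwidth in its payload direction."""
    name: str
    mbps: float             # payload-direction load, megabits per second
    avg_bytes: int          # ASSUMED mean on-wire packet size, payload direction
    reverse_per_fwd: float  # ASSUMED reverse-direction packets (TCP ACKs,
                            # DNS queries) per payload packet; pf sees both


@dataclass(frozen=True)
class PerHit:
    """Traffic class better described by transaction rate than by bandwidth."""
    name: str
    hits_per_day: int
    pkts_per_hit: int       # ASSUMED packets in both directions per transaction


def bulk_pps(flow: Bulk) -> float:
    """pps for a bandwidth-defined class: bits/s over bits per packet, both ways."""
    forward = flow.mbps * 1_000_000 / (flow.avg_bytes * 8)
    return forward * (1 + flow.reverse_per_fwd)


def per_hit_pps(flow: PerHit) -> float:
    """pps for a class where each hit costs a fixed packet budget."""
    return flow.hits_per_day / SECONDS_PER_DAY * flow.pkts_per_hit


def bytes_per_hit(mbps: float, hits_per_day: int) -> float:
    """Sanity check: how many bytes per transaction a bandwidth figure implies.

    If this is far from pkts_per_hit times a plausible small-packet size, the
    bandwidth and hit-rate figures given for a class contradict each other.
    """
    return mbps * 1_000_000 / 8 * SECONDS_PER_DAY / hits_per_day


def estimate(flows, peak_factor: float = 1.0) -> dict:
    """Per-class and total pps; peak_factor scales everything for bursts."""
    result = {}
    for flow in flows:
        pps = bulk_pps(flow) if isinstance(flow, Bulk) else per_hit_pps(flow)
        result[flow.name] = pps * peak_factor
    result["total"] = sum(result.values())
    return result


# The mix from the post, with ASSUMED packet-level parameters:
#   DNS: ~128-byte responses, one query packet per response.
#   small-response HTTP: ~10 packets per hit (handshake, request, response,
#     teardown); rate-defined, so its 30 Mbps is only a cross-check.
#   "normal" HTTP: 800-byte mean segments, one ACK per two segments.
#   large-file HTTP: full 1500-byte segments, one ACK per two segments.
#   IPsec management: 600-byte mean ESP packets, one ACK per two.
MIX = [
    Bulk("DNS", 5, 128, 1.0),
    PerHit("small-response HTTP", 200_000_000, 10),
    Bulk("normal HTTP", 300, 800, 0.5),
    Bulk("large-file HTTP", 3000, 1500, 0.5),
    Bulk("IPsec management", 20, 600, 0.5),
]


if __name__ == "__main__":
    est = estimate(MIX)
    for name, pps in est.items():
        print(f"{name:>22}: {pps:>10,.0f} pps")
    print(f"30 Mbps at 200M hits/day implies "
          f"{bytes_per_hit(30, 200_000_000):.0f} bytes per hit")
```

Under these assumptions the 3 Gbps large-file class, which looks like a pure bandwidth problem, produces roughly three quarters of all packets, while the 30 Mbps small-response class generates more pps than DNS and the IPsec management traffic together; the bytes-per-hit cross-check (about 1620 bytes per hit) is consistent with ten small packets per transaction, so the two figures given for that class agree. The total lands in the high hundreds of Kpps before any peak factor is applied, the same order of magnitude as the figure in the post.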