Mike Williams wrote:
> Really, nobody firewalls at multi-Gbps?

Anybody who does firewalling at high bandwidth / pps is unlikely to provide this information freely. Also note that you've not made an effort to do any tests and share them, so it is not surprising that others are not sharing data with you.

I have found that OpenBSD mailing lists are not good places to post "I want to do this" sort of stuff and expect a reply, especially on a topic that requires pretty specialized and likely valuable knowledge. If you try something out, it doesn't work how you want, and you want assistance getting it to work, you will likely get more feedback.

> Or have I contravened some convention, in my questions, or wording?

> On Friday 22 January 2010 23:55:45 Mike Williams wrote:
> I missed two bits of information...
> Routing. With only one upstream routing device these would only have one
> route, maybe two (internet, and internal).
> A bit of mental gymnastics, ok a calculator, gives something like 400 Kpps.
> Which, if my assumptions on packet sizes are right, isn't mind-numbingly
> scary.
>
> On Friday 22 January 2010 20:12:29 Mike Williams wrote:
> Hey all,
>
> I was hoping there are some heavy PF users here who wouldn't mind
> sharing some of their experiences?
> So I've watched Henning's talk about PF performance, read the PDF, but I
> haven't actually seen anyone saying they can, and do, PF at 10Gbps.
> Can it?
> If so, what actual hardware can? Or more precisely, what hardware could
> sustain our expected usage?
>
> We've got a big project in its earliest stages which would require very
> basic firewalling at multi-gigabit-per-second. Probably in the region of
> 3Gbps (yes yes, PPS is the real killer), with peaks for software
> releases much higher. No NAT, just routing (bgpd/ospfd), and simple
> limits on what ports are available. I can't imagine needing more than
> 200-300 rules. I'm actually a Linux guy, and I'm pretty confident that
> netfilter simply won't keep up, and while we've not personally used
> OpenBSD in "anger" yet, there is plenty of time to get acquainted.
>
> So, at the edges I'm imagining a large hardware router, handing off to
> OpenBSD to sub-route, VLAN, PF, to the actual servers, and then a few
> 10s of Mbps of IPSec stuff back to base.
> The traffic patterns expected are very approximately:
> 5Mbps DNS
> 30Mbps of HTTP requests that elicit a sub-500byte response. 200,000,000
> hits per day.
> 300Mbps of "normal" HTTP.
> 2-3Gbps of several hundred KB, to many-MB, files over HTTP.
> 20Mbps of "stuff" over IPSec. syslog, ssh, snmp, etc.
>
> Nearer the core will have much more complex PF rules, but only on a few
> hundred Mbps, so easy for modest hardware.
>
> Thanks
