Hey all,
I was hoping there are some heavy PF users here, who wouldn't mind
sharing some of their experiences?
So I've watched Henning's talk about PF performance, read the PDF, but I
haven't actually seen anyone saying they can, and do, PF at 10Gbps.
Can it?
If so, what actual hardware can? Or more precisely, what hardware could
sustain our expected usage?
We've got a big project in its earliest stages which would require very
basic firewalling at multi-gigabit-per-second. Probably in the region of
3Gbps (yes yes, PPS is the real killer), with peaks for software
releases much higher. No NAT, just routing (bgpd/ospfd), and simple
limits on what ports are available. I can't imagine needing more than
200-300 rules. I'm actually a Linux guy, and I'm pretty confident that
netfilter simply won't keep up, and while we've not personally used
OpenBSD in "anger" yet, there is plenty of time to get acquainted.
So, at the edges I'm imagining a large hardware router, handing off to
OpenBSD to sub-route, VLAN, PF, to the actual servers, and then a few
10s of Mbps of IPSec stuff back to base.
The traffic patterns expected are very approximately:
5Mbps DNS
30Mbps of HTTP requests that elicit a sub-500byte response. 200,000,000
hits per day.
300Mbps of "normal" HTTP.
2-3Gbps of several hundred KB, to many-MB, files over HTTP.
20Mbps of "stuff" over IPSec. syslog, ssh, snmp, etc.
Nearer the core will have much more complex PF rules, but only on a few
hundred Mbps, so easy for modest hardware.
Thanks
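The ruleset sketched in the post (routing only, no NAT, a short list of allowed service ports, bgpd/ospfd peering with the edge router, and a small IPsec tunnel back to base) is simple enough to write down in full. The following pf.conf is an added illustration, not the poster's configuration and not from the thread; it uses current OpenBSD pf syntax, and every interface name, address, prefix, peer and the state limit is a placeholder assumption. The ordering is the performance-relevant part: the state table is consulted before the ruleset, so only the first packet of each flow walks the rules, and `quick` on the hottest rules keeps that walk short.

```pf
# Added example, not the poster's config. All names/addresses are placeholders.
ext_if = "ix0"                      # uplink from the large edge router (assumption)
int_if = "ix1"                      # trunk towards the server VLANs (assumption)
base_gw = "192.0.2.1"               # IPsec peer at base (TEST-NET-1 placeholder)
router_peers = "{ 192.0.2.2 192.0.2.3 }"   # BGP/OSPF neighbours (placeholders)

# Tables scale to thousands of entries without adding rules to evaluate.
table <servers>     persist { 198.51.100.0/24 }                  # placeholder prefix
table <dns_servers> persist { 198.51.100.53 }
table <web_servers> persist { 198.51.100.80, 198.51.100.81 }

set skip on lo0
set block-policy drop       # silent drop: no RST/ICMP generation under a flood
set limit states 2000000    # example value; size for expected concurrent flows
set state-policy floating   # default: one state passes a flow on both interfaces

# Drop packets whose source claims to be on the wrong side of the box.
antispoof quick for { $ext_if $int_if }

# Default deny. Last match wins unless "quick", so this goes first and
# everything below terminates evaluation on first match.
block all

# Hottest traffic first: the bulk HTTP to the servers and the DNS queries.
# With floating states the state created on $ext_if also passes the packet
# out $int_if and the reply back, so no "pass out" rule is needed for it.
pass in quick on $ext_if proto tcp         to <web_servers> port { 80 443 }
pass in quick on $ext_if proto { tcp udp } to <dns_servers> port 53

# Servers may initiate outbound connections (updates, upstream fetches).
pass in quick on $int_if from <servers>

# Routing protocols between this box and the edge router (bgpd / ospfd).
pass in  quick on $ext_if proto tcp from $router_peers to ($ext_if) port 179
pass out quick on $ext_if proto tcp from ($ext_if) to $router_peers port 179
pass quick on $ext_if proto ospf from $router_peers      # OSPF, IP protocol 89

# IPsec back to base: IKE (500, 4500 for NAT-T) and the ESP/AH packets.
pass quick on $ext_if proto udp from $base_gw to ($ext_if) port { 500 4500 }
pass quick on $ext_if proto udp from ($ext_if) to $base_gw port { 500 4500 }
pass quick on $ext_if proto { esp ah } from $base_gw to ($ext_if)
pass quick on $ext_if proto { esp ah } from ($ext_if) to $base_gw

# Decrypted tunnel traffic appears on enc0: syslog/snmp/ssh "stuff" only.
pass in  quick on enc0 proto tcp from $base_gw to <servers> port 22     # ssh
pass in  quick on enc0 proto udp from $base_gw to <servers> port 161    # snmp
pass out quick on enc0 proto udp from <servers> to $base_gw port 514    # syslog

# ICMP needed for path MTU discovery and basic reachability checks.
pass quick inet proto icmp all icmp-type { echoreq unreach }
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and watch `pfctl -si` (state table searches, inserts and removals) and `pfctl -vsr` (per-rule evaluation counters) under load: if a high-volume rule shows a large evaluation count relative to its position, it is sitting too far down the ruleset.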