On Fri, Jan 22, 2010 at 08:12:29PM +0000, Mike Williams wrote:
> Hey all,
>
> I was hoping there are some heavy PF users here, who wouldn't mind sharing
> some of their experiences?
> So I've watched Henning's talk about PF performance, read the PDF, but I
> haven't actually seen anyone saying they can, and do, PF at 10Gbps.
> Can it?
> If so, what actual hardware can? Or more precisely, what hardware could
> sustain our expected usage?
>
> We've got a big project in its earliest stages which would require very basic
> firewalling at multi-gigabit-per-second. Probably in the region of 3Gbps (yes
> yes, PPS is the real killer), with peaks for software releases much higher.
> No NAT, just routing (bgpd/ospfd), and simple limits on what ports are
> available. I can't imagine needing more than 200-300 rules.
> I'm actually a Linux guy, and I'm pretty confident that netfilter simply won't
> keep up, and while we've not personally used OpenBSD in "anger" yet, there is
> plenty of time to get acquainted.
>
> So, at the edges I'm imagining a large hardware router, handing off to OpenBSD
> to sub-route, VLAN, PF, to the actual servers, and then a few 10s of Mbps of
> IPSec stuff back to base.
> The traffic patterns expected are very approximately:
> 5Mbps DNS
> 30Mbps of HTTP requests that elicit a sub-500byte response. 200,000,000 hits
> per day.
> 300Mbps of "normal" HTTP.
> 2-3Gbps of several hundred KB, to many-MB, files over HTTP.
> 20Mbps of "stuff" over IPSec. syslog, ssh, snmp, etc.
>
> Nearer the core will have much more complex PF rules, but only on a few
> hundred Mbps, so easy for modest hardware.
Performance, cheapness, quality. You should choose only two of these.
Do not play with totally-software routers, buy Juniper.

-- 
MINO-RIPE
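The quoted post's remark that PPS, not bandwidth, is the real constraint can be made concrete with a rough capacity model. The sketch below is added here and is not from the thread or from OpenBSD; the mean packet sizes, new-flow rates, state lifetimes, peak factor and the 10000 state limit are planning assumptions chosen to make the quoted traffic mix computable, and it goes one step beyond the post by estimating pf state-table occupancy (Little's law), which the thread does not discuss.

```python
from dataclasses import dataclass

HITS_PER_DAY = 200_000_000            # from the quoted post
HITS_PER_S = HITS_PER_DAY / 86400     # ~2315 new HTTP connections per second

@dataclass
class TrafficClass:
    name: str
    mbps: float             # sustained throughput quoted in the post
    avg_pkt_bytes: float    # ASSUMED mean on-wire packet size for the class
    new_flows_per_s: float  # ASSUMED rate at which pf must create new states
    state_lifetime_s: float # ASSUMED mean time a state stays in the table

def pps(tc: TrafficClass) -> float:
    """Packets per second implied by throughput and mean packet size."""
    return tc.mbps * 1e6 / 8 / tc.avg_pkt_bytes

def concurrent_states(tc: TrafficClass) -> float:
    """Little's law: mean entries in the state table = arrival rate * lifetime."""
    return tc.new_flows_per_s * tc.state_lifetime_s

def plan(classes, state_limit: int, peak_factor: float = 1.0) -> dict:
    """Aggregate per-class estimates and compare them with a pf state limit."""
    total_pps = peak_factor * sum(pps(c) for c in classes)
    total_new = peak_factor * sum(c.new_flows_per_s for c in classes)
    total_states = peak_factor * sum(concurrent_states(c) for c in classes)
    return {
        "pps": total_pps,
        "new_states_per_s": total_new,
        "states": total_states,
        "fits_state_limit": total_states <= state_limit,
    }

# Constructed profile matching the quoted traffic mix; packet sizes, flow
# rates and lifetimes are planning assumptions, not measurements.
CLASSES = [
    TrafficClass("DNS", 5, 100, 3125, 30),            # ~2 packets per query
    TrafficClass("small HTTP", 30, 200, HITS_PER_S, 15),
    TrafficClass("normal HTTP", 300, 800, 1000, 15),
    TrafficClass("bulk HTTP", 3000, 1400, 500, 60),   # upper end of 2-3 Gbps
    TrafficClass("IPsec mgmt", 20, 600, 20, 120),
]

if __name__ == "__main__":
    for label, factor in (("sustained", 1.0), ("release peak", 3.0)):
        est = plan(CLASSES, state_limit=10000, peak_factor=factor)
        print(f"{label}: {est['pps']:,.0f} pps, {est['new_states_per_s']:,.0f} "
              f"new states/s, {est['states']:,.0f} concurrent states, "
              f"within 'set limit states 10000': {est['fits_state_limit']}")
```

With these assumptions the sustained mix works out to roughly 344k pps and about 176k concurrent states, so the state limit and memory pool in pf.conf(5) need sizing before the packet rate is even considered.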