On Thu, Feb 11, 2010 at 08:46:22PM +0100, Henning Brauer wrote:
> * Diana Eichert <deich...@wrench.com> [2010-02-11 17:02]:
> > 
> > yes, people run firewalls on 10G circuits
> > 
> > I am not aware of anyone filtering at 10G who is using off the shelf
> > hardware, with open source O/S.
> 
> I know of some.
> 
> I don't remember specifics, dunno whether anybody does linerate and
> with what kind of packet characteristics.

I'm interested in this discussion in a low-key sense; I don't need
10Gbps firewalling, but would like to move beyond 1Gbps. 2Gbps would do
nicely for a start.

My current firewall hardware, which is a carp failover pair of now-oldish
Dell 1750s with Intel 1000/pro MT nics, is probably close to the limit of
what it can do, at around 600-700Mbps (the switch from openbsd 4.4 to
4.6 did make a night and day difference for them - the recent network
stack tuning has been amazing).

I wonder if it's a viable option simply to run an active-active carp/pf
pair, since the pfsync changes in 4.6? In principle it should even be
possible to add nodes to the pfsync cluster to scale bandwidth beyond
2Gbps. For my specific situation, where the high-bandwidth
transfers tend to be applications like gridftp, involving many different
hosts, it seems like this could work well. Obviously no single stream
could exceed the bandwidth of one node, but besides that, are there any
big shortfalls to this approach?

Graham
-- 
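[Added illustration, not part of Graham's message and not something the thread itself provides: what an active-active carp/pf pair with pfsync looks like on two OpenBSD 4.6-era boxes. It assumes em0 is the inside interface, em1 the outside, em2 a dedicated crossover link used only for pfsync; the addresses, vhids and passwords are made up. The keywords are those of carp(4) and pfsync(4) of that period and should be checked against the man pages of the release actually deployed.]

```conf
# --- Node A: /etc/hostname.carp0 (inside side); node B uses carpnodes 1:100,2:0 ---
# Two virtual hosts (vhid 1 and 2) share one address.  Each node is MASTER for
# one vhid and BACKUP for the other, and "balancing ip" hashes incoming packets
# onto one of the two, so both boxes forward at the same time.  A single flow
# still lands on one node, which is why one stream cannot exceed one box.
inet 10.1.0.1 255.255.255.0 10.1.0.255 carpnodes 1:0,2:100 balancing ip pass insidesecret carpdev em0

# --- Node A: /etc/hostname.carp1 (outside side); node B uses carpnodes 3:100,4:0 ---
inet 192.0.2.1 255.255.255.0 192.0.2.255 carpnodes 3:0,4:100 balancing ip pass outsidesecret carpdev em1

# --- Node A: /etc/hostname.em2 (pfsync crossover); node B is 172.16.255.2 ---
# Keep this link private: pfsync is unauthenticated and carries the state table.
inet 172.16.255.1 255.255.255.252 NONE

# --- Both nodes: /etc/hostname.pfsync0 ---
# "defer" holds the first packet of a new state until the peer has acknowledged
# the state insert.  With balanced carp the other node may have to handle later
# packets of that flow, so it must already hold the state or pf drops them.
up syncdev em2 defer

# --- Both nodes: the relevant lines of /etc/pf.conf ---
sync_if = "em2"
ext_if  = "em1"
int_if  = "em0"

# carp advertisements and pfsync updates must be allowed on the physical
# interfaces, and pfsync should never be reachable from anything but the peer.
pass quick on $sync_if proto pfsync
pass on { $ext_if, $int_if } proto carp

# Filter on the physical interfaces, not on carp0/carp1.  Every state the
# stateful rules below create is replicated over pfsync, so either node can
# carry on a flow the other one started.
block log all
pass in on $int_if inet from $int_if:network keep state
pass out on $ext_if inet keep state
```

Caveat worth checking before trusting the pair in production: "balancing ip" answers ARP with a multicast MAC, which some switches refuse to learn; carp(4) offers ip-stealth and ip-unicast for those. And a third node is added the same way, with another vhid per carp interface and a third carpnodes entry, but each extra node is another full copy of the state table over the same pfsync link.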
