On Thu, Feb 11, 2010 at 08:46:22PM +0100, Henning Brauer wrote:
> * Diana Eichert <deich...@wrench.com> [2010-02-11 17:02]:
> > > > yes, people run firewalls on 10G circuits
> >
> > I am not aware of anyone filtering at 10G who is using off the shelf
> > hardware, with open source O/S.
>
> I know of some.
>
> I don't remember specifics, dunno whether anybody does linerate and
> with what kind of packet characteristics.
I'm interested in this discussion in a low-key sense; I don't need 10Gbps firewalling, but would like to move beyond 1Gbps. 2Gbps would do nicely for a start.

My current firewall hardware, which is a CARP failover pair of now-oldish Dell 1750s with Intel 1000/pro MT NICs, is probably close to the limit of what it can do, at around 600-700Mbps (the switch from OpenBSD 4.4 to 4.6 did make a night and day difference for them - the recent network stack tuning has been amazing).

I wonder if it's a viable option simply to run an active-active CARP/pf pair, since the pfsync changes in 4.6? In principle it should even be possible to add nodes to the pfsync cluster to scale bandwidth beyond 2Gbps. For my specific situation, where the high-bandwidth transfers tend to be applications like GridFTP, involving many different hosts, it seems like this could work well. Obviously no single stream could exceed the bandwidth of one node, but besides that, are there any big shortfalls to this approach?

Graham
--
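As an added illustration of the two-node active-active layout asked about above (not configuration from the original thread or from any of its posters), here is the shape such a pair takes on OpenBSD: one carp interface carrying two vhids with IP load balancing, so each node is master for one vhid and backup for the other, plus a pfsync link and the pf rules that let CARP and pfsync through. It uses the ifconfig(8)/hostname.if(5) `balancing ip` and `carpnodes` syntax and the pfsync `defer` option as documented in current OpenBSD manual pages, which postdates the 4.6 release under discussion; the interface names (em0 outside, em1 inside, em2 dedicated sync link), the 192.0.2.0/24 documentation addresses and the CARP password are placeholders.

```conf
# --- node A: /etc/hostname.carp0 ---
# Two vhids on one carp interface with IP load balancing.  carpnodes lists
# vhid:advskew pairs: node A is master for vhid 1 (advskew 0) and backup for
# vhid 2 (advskew 100), so both nodes forward traffic and each covers the
# other on failure.  "pass" is the CARP advertisement secret (placeholder).
inet 192.0.2.1 255.255.255.0 192.0.2.255 balancing ip carpnodes 1:0,2:100 pass carpsecret carpdev em0

# --- node B: /etc/hostname.carp0 ---
# Identical except the advskew per vhid is swapped: master for vhid 2.
inet 192.0.2.1 255.255.255.0 192.0.2.255 balancing ip carpnodes 1:100,2:0 pass carpsecret carpdev em0

# --- both nodes: /etc/hostname.pfsync0 ---
# em2 is the dedicated, physically isolated sync link.  "defer" holds the
# first packet of a new state until the peer acknowledges the state insert;
# in an active-active pair the reply to that packet may arrive at the other
# node, which would otherwise drop it as unknown.
syncdev em2 defer up

# --- both nodes: /etc/pf.conf (rulesets must be identical on every node) ---
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

set skip on lo0

# CARP advertisements and pfsync updates are node-local; never sync their
# own states to the peer.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if $int_if } proto carp keep state (no-sync)

# Site filtering rules follow here; they are shared by both nodes because any
# state may be created on one node and continued on the other.
```

Two things a practitioner would check before trusting this. First, `ifconfig carp0` on each node should show it as MASTER for exactly one of the two vhids; if one node holds both, the advskew values or the password differ. Second, the `ip` balancing mode answers ARP with a multicast MAC address, which not every switch will forward to both nodes; carp(4) also offers `ip-stealth` and `ip-unicast` modes for that case. The sync link deserves its own isolated segment because pfsync carries no authentication: anything that can talk to em2 can insert or clear states on the firewall.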