> Dennis Ljungmark:
>> Hi,
>>
>> We're currently running 6 different 100-200Mbit relay/guard nodes, and are looking at some issues moving on towards high-performance exit nodes.
>>
>> There are some administrative issues ( needing another IP block due to the RIPE registration, our ISP doesn't want their name on the exit nodes that we are responsible for ) which are generally minor ( are being resolved anyhow ) and then the big stumbling block.
>>
>> Right now, with iptables modifications ( raw table hacks to disable conntrack, bucket increases, following the general best practices ) our firewall is running at high amounts of CPU, but coping. However, once we start introducing Exit Nodes into this equation, things turn sour.
>>
>> So, since we do not want to trust only routing-level separation between Exit Nodes and internal networks, we're going to have to invest in new hardware that can cope with this. Before this, we tried Ingate firewalls, and they weren't capable of coping with the load of guard nodes.
>>
>> ( The traditional "linux box in front" doesn't quite cut it due to networking hardware in most cases. )
>>
>> So, in summary, when you get to the point of actively dealing with 8-900Mbps of Tor traffic ( on top of normal users and others ) what hardware is needed to cope with firewalling?
>
> Hey Dennis,
>
> What hardware are you using? In general iptables/netfilter should be able to handle more than 200Mb without any trouble at all.
>
> I wonder if your network card is an issue? What CPUs are you using? What versions of OpenSSL and other relevant software are in use?
>
> All the best,
> Jacob

Also tweaking a few sysctls and playing around with txqueuelen will help. See https://www.torservers.net/wiki/setup/server. I'll add some more stuff to the high bandwidth part of that page in a minute, also. I've done some more tweaking towards gbit that certainly helped, which I haven't documented yet.
Julian
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
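The two techniques the thread mentions, raw-table NOTRACK rules so relay traffic skips conntrack and the conntrack bucket / sysctl / txqueuelen tuning, as an added example script. This is not Dennis's, Jacob's or Julian's configuration and it is not taken from the torservers.net wiki; the interface name, ORPort/DirPort numbers and every numeric size in it are placeholders to adjust for the real box. By default it only prints the commands it would run; set APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Added example for the tor-relays thread above; not any poster's actual
# configuration. Generates (and with APPLY=1 applies) raw-table NOTRACK rules
# for the relay ports plus conntrack/backlog/txqueuelen tuning.
# Assumptions: IFACE, OR_PORT, DIR_PORT and all sizes below are placeholders.

IFACE="${IFACE:-eth0}"        # placeholder NIC name
OR_PORT="${OR_PORT:-9001}"    # placeholder ORPort
DIR_PORT="${DIR_PORT:-9030}"  # placeholder DirPort

# Print each command unless APPLY=1, so the rule set can be reviewed first
# and the script runs without root.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Relay ports skip connection tracking in both directions. Caveat: a flow
# marked NOTRACK never matches ESTABLISHED/RELATED in the filter table, so it
# needs explicit stateless ACCEPT rules (added here) or it falls through to the
# chain's default policy. Exit traffic to arbitrary destinations cannot be
# matched by a fixed port and stays tracked, which is why the sizing below
# still matters on an exit.
notrack_rules() {
    for port in "$OR_PORT" "$DIR_PORT"; do
        run iptables -t raw -A PREROUTING -i "$IFACE" -p tcp --dport "$port" -j NOTRACK
        run iptables -t raw -A OUTPUT -o "$IFACE" -p tcp --sport "$port" -j NOTRACK
        run iptables -A INPUT -i "$IFACE" -p tcp --dport "$port" -j ACCEPT
        run iptables -A OUTPUT -o "$IFACE" -p tcp --sport "$port" -j ACCEPT
    done
}

# The "bucket increase" Dennis refers to: the conntrack hash size is a module
# parameter rather than a sysctl on most kernels, so it is written through
# /sys; nf_conntrack_max caps the number of tracked flows.
conntrack_sizing() {
    max="${1:-1048576}"      # placeholder maximum tracked connections
    buckets="${2:-262144}"   # placeholder hash size (power of two)
    run sysctl -w "net.netfilter.nf_conntrack_max=$max"
    if [ "${APPLY:-0}" = "1" ]; then
        echo "$buckets" > /sys/module/nf_conntrack/parameters/hashsize
    else
        printf 'echo %s > /sys/module/nf_conntrack/parameters/hashsize\n' "$buckets"
    fi
}

# Backlog and queue tuning for a relay holding thousands of concurrent TCP
# flows; the values are illustrative starting points, not measured optima.
queue_tuning() {
    run sysctl -w net.core.netdev_max_backlog=30000
    run sysctl -w net.core.somaxconn=4096
    run sysctl -w net.ipv4.tcp_max_syn_backlog=8192
    run ip link set dev "$IFACE" txqueuelen 10000
}

notrack_rules
conntrack_sizing
queue_tuning
```

Review the printed rule set against the existing filter policy before applying: once the relay ports are NOTRACK, any rule on the box that counted on conntrack state for those flows (including NAT, which cannot operate on untracked packets) no longer applies to them.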