On 27.05.2010 17:00, Kevin Wilcox wrote:
> Hello everyone.
> We're in the very early stages of considering [Free|Open]BSD on
> commodity hardware to handle NAT *and* firewall duties for (what I
> consider to be) a sizable deployment. Overall bandwidth is low, only a
> gigabit connection, but we handle approximately fifteen thousand
> devices. DHCP and DNS would be passed through to other servers, this
> hardware would only be responsible for address translation and pf.
> I've done this on a very, very small scale (small/home office, small
> business) but I'm curious how many other folks are doing it on this
> scale, the hardware they are running on and any "gotchas" they may
> have faced. Does pf on FreeBSD take advantage of multiple cores/SMP?
> Is it preferable, as with OpenBSD, to go for a very stout processor
> without much consideration to cores?  Would freebsd-net@ be a better
> place to ask this?
> I'm getting ready to start digging in to memory and other resources
> needed based on available documentation but real-world usage is much
> preferred to my academic assessment.

Actually, I'd find an answer from the FreeBSD Networking gurus useful as
well. My trusted Cisco 3640 is getting old (had its
ten-years-of-service birthday a little while ago), so I guess I must be
prepared to replace it with something new. Preferably something that
can do proper NAT port mapping to the inside servers in an
RFC1918-addressed DMZ, proper NAT mapping for the client net, incoming
VPDN (virtual private dialin network, such as PPTP+MPE and L2TP+IPSEC
tunnelling), sane IDS in the border-gateway, GRE or IPinIP tunnelling with
crypto for remote-sites, etc.

If somebody has a good starting-point for documentation on these
features, I'm more than willing to "do a project on it" to create a
mini-howto/handbook-section on "setting up FreeBSD as your border
gateway", provided I have someone to ask when the documentation is ...
flaky. ;)

It would be interesting to see what kind of performance modern hardware
could get, compared to dedicated hardware a decade old. :)


  /"\   |Svein Skogen       | sv...@d80.iso100.no
  \ /   |Solberg Østli 9    | PGP Key:  0xE5E76831
   X    |2020 Skedsmokorset | sv...@jernhuset.no
  / \   |Norway             | PGP Key:  0xCE96CE13
        |                   | sv...@stillbilde.net
 ascii  |                   | PGP Key:  0x58CD33B6
 ribbon |System Admin       | svein-listm...@stillbilde.net
Campaign|stillbilde.net     | PGP Key:  0x22D494A4
        |msn messenger:     | Mobile Phone: +47 907 03 575
        |sv...@jernhuset.no | RIPE handle:    SS16503-RIPE
         If you really are in a hurry, mail me at
 This mailbox goes directly to my cellphone and is checked
        even when I'm not in front of my computer.
                     Picture Gallery:
