> My old companion, OpenBSD router/firewall (Intel Atom based and 5
> Gigabit Intel network interfaces) died 2 weeks ago ... (Really think
> motherboard is dead :( ).

Quickest choice would be to replicate the updated hardware spec from last time with a newer model, optionally a better manufacturer motherboard, better cooling, new PSU, as far as you go with the network cards etc.

> I temporarily replaced it by an unused old workstation based on an AMD64x2
> processor, 4GB RAM, and with a (unique) Realtek Gigabit card (I use vlan
> for routing).
>
> Installed it with OpenBSD 5.9 amd64, and it works pretty well, but it seems to
> be difficult for this hardware to handle load.

Before throwing much more money, consider all aspects of the bottleneck.

> So I try to get better hardware.
>
> Context :
> Optic fiber with 200Mbits/s DL, 50Mbits/s UL came to home this week
> (Tuesday) replacing 2 DSL connections.
> (that I keep for now : network throughput is somewhat ridiculous
> compared to Optic fiber, but stability is really great : being a
> homeworker, Internet uptime is a prime goal, despite the throughput).
>
> About 20 VLANs to handle ... and for most of them, PF rules apply.
>
> Compared to the delivered "router" from the ISP (SFR in France, "NB6V box" for
> those who know this provider), this temporary "router" seems to lack
> CPU/network interrupts while downloading at high speed (above 10
> MBytes/s) on WAN.

As you observed it is not fair to compare a minimal distribution on a resource constrained embedded box, it is just a different device for user convenience to get you started, mostly as a proof of concept ;-)

> ping on other hosts drastically increases (+50~200ms based from 4~10 ms
> when link is not heavily used) while OpenBSD tries to route/firewall/nat
> the WAN traffic.

This may be as simple as prioritising your return packets as intended.

> I already used Routerboards/RouterOS for several customers : works
> pretty great while using high throughput Internet connections.
> Customer's need is achieved for all cases, but the inside RouterOS
> doesn't fit my needs. (IPv6 policy based routing, and IPv6 NPT for
> instance).
>
> About hardware :
> RB2011 (XXX) or RB3011 (XXX) can, I think, match my needs.

Inexpensive ubiquitous x86 systems can do much more for the cost range. The difference is that in one case you get the optimisation pre-applied with the device operating system in a convenient GUIsh style, while the latter requires more insight but gives you more options in the long run. There is absolutely incomparably more you can do better with a more powerful hardware platform system and with a better software toolkit.

> About software :
> OpenBSD has stood out for a while as my privileged OS for a
> router/firewall, and clearly fits my needs while it's simple to handle
> some particular cases ... (compared to a Linux based router for instance).
> If not, what's the best hardware you know to operate an OpenBSD router
> with high throughput networks and many (about 450~500, including
> bridge/tag rules) PF rules ?

This is up to you, the platforms listed on the main page say it all: OpenBSD Platforms [http://www.openbsd.org/plat.html]

> Best CPU, best known network driver (handling inside hardware
> implementations), and so on ...

The interesting part of the question, success stories from the field.
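For the latency-under-load point raised above (ping climbing from 4~10 ms to +50~200 ms while the WAN saturates), here is an added pf.conf fragment, not from either poster, showing how OpenBSD 5.9's queueing and `set prio` keep return packets and empty ACKs ahead of bulk traffic. It assumes em0 is the WAN interface and caps the outbound root queue just under the 50 Mbit/s uplink so the bottleneck buffer forms on the OpenBSD box, where PF controls it, rather than in the ISP modem.

```pf
# WAN interface name is an assumption; use the real NIC (e.g. re0 for the Realtek card).
ext_if = "em0"

# Root queue on the WAN side, capped slightly below the 50 Mbit/s uplink so
# packets queue here under PF's control instead of in the ISP box.
queue outq on $ext_if bandwidth 48M max 48M
#   bulk traffic takes the remainder and is the default queue
queue  bulk parent outq bandwidth 38M default
#   small low-delay packets (empty TCP ACKs, TOS lowdelay) get a guaranteed share
queue  pri  parent outq bandwidth 10M min 5M

# With a queue pair, the second queue receives TCP ACKs that carry no payload
# and packets marked lowdelay; everything else goes to the first queue.
match out on $ext_if set queue (bulk, pri)

# Independently of queueing, raise the interface-level priority of the same
# ACK/lowdelay packets (pair semantics as above: normal traffic, then ACKs).
match out on $ext_if set prio (3, 6)
```

After loading with `pfctl -f /etc/pf.conf`, `systat queues` shows whether the pri queue is actually receiving the ACKs during a heavy download.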

