I missed two bits of information... Routing. With only one upstream routing device these would only have one route, maybe two (internet, and internal). A bit of mental gymnastics, OK a calculator, gives something like 400 Kpps. Which, if my assumptions on packet sizes are right, isn't mind-numbingly scary.
On Friday 22 January 2010 20:12:29 Mike Williams wrote:
> Hey all,
>
> I was hoping there are some heavy PF users here, who wouldn't mind sharing
> some of their experiences?
> So I've watched Henning's talk about PF performance, read the PDF, but I
> haven't actually seen anyone saying they can, and do, PF at 10Gbps.
> Can it?
> If so, what actual hardware can? Or more precisely, what hardware could
> sustain our expected usage?
>
>
> We've got a big project in its earliest stages which would require very
> basic firewalling at multi-gigabit-per-second. Probably in the region of
> 3Gbps (yes yes, PPS is the real killer), with peaks for software releases
> much higher. No NAT, just routing (bgpd/ospfd), and simple limits on what
> ports are available. I can't imagine needing more than 200-300 rules.
> I'm actually a Linux guy, and I'm pretty confident that netfilter simply
> won't keep up, and while we've not personally used OpenBSD in "anger" yet,
> there is plenty of time to get acquainted.
>
> So, at the edges I'm imagining a large hardware router, handing off to
> OpenBSD to sub-route, VLAN, PF, to the actual servers, and then a few 10s
> of Mbps of IPSec stuff back to base.
> The traffic patterns expected are very approximately:
> 5Mbps DNS
> 30Mbps of HTTP requests that elicit a sub-500byte response. 200,000,000
> hits per day.
> 300Mbps of "normal" HTTP.
> 2-3Gbps of several hundred KB, to many-MB, files over HTTP.
> 20Mbps of "stuff" over IPSec. syslog, ssh, snmp, etc.
>
> Nearer the core will have much more complex PF rules, but only on a few
> hundred Mbps, so easy for modest hardware.
>
>
> Thanks
> --
> Mike Williams
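As an added worked example (not code from the original thread), the Python below turns the traffic profile quoted above into a packets-per-second budget, since PPS rather than Mbit/s is what a PF box has to be sized for. The Mbps figures and the 200,000,000 hits/day are taken from the post; the average frame sizes, the ACK-to-data ratio and the packets-per-hit count are assumptions, labelled in the code. It also computes the small-frame line-rate figure that bandwidth numbers hide.

```python
"""Rough packets-per-second budget for the traffic profile in the post above.

Added example; not from the original mailing-list thread. The Mbps figures
and the 200,000,000 hits/day come from the post. Average frame sizes, the
ACK-to-data ratio and the packets-per-hit count are constructed assumptions,
chosen to be plausible rather than measured.
"""
from dataclasses import dataclass

WIRE_OVERHEAD = 20      # bytes of preamble + inter-frame gap per Ethernet frame
MIN_FRAME = 64          # bytes, smallest legal Ethernet frame
SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class TrafficClass:
    name: str
    mbps: float         # offered load from the post, megabits per second
    avg_bytes: int      # ASSUMED average frame size for this class
    tcp: bool           # TCP classes also generate reverse-direction pure ACKs


def class_pps(tc: TrafficClass, ack_ratio: float = 0.5) -> float:
    """Packets/second the firewall forwards for one traffic class.

    Data packets follow directly from bandwidth / frame size. For TCP we add
    ack_ratio pure ACKs per data segment (assumption: one ACK per two
    segments, i.e. delayed-ACK behaviour on the client side).
    """
    data_pps = tc.mbps * 1_000_000 / (tc.avg_bytes * 8)
    return data_pps * (1 + ack_ratio) if tc.tcp else data_pps


def estimate_pps(profile, ack_ratio: float = 0.5) -> dict:
    """Per-class and total pps for a whole profile."""
    per_class = {tc.name: class_pps(tc, ack_ratio) for tc in profile}
    per_class["total"] = sum(per_class.values())
    return per_class


def hits_to_pps(hits_per_day: float, packets_per_hit: int = 8) -> float:
    """Cross-check from request count instead of bandwidth.

    Assumes packets_per_hit per HTTP hit: three-way handshake, request,
    response, ACK, and a two-segment close, i.e. no keep-alive.
    """
    return hits_per_day / SECONDS_PER_DAY * packets_per_hit


def line_rate_pps(mbps: float, frame_bytes: int = MIN_FRAME) -> float:
    """Worst case: the link saturated with frames of the given size.

    Includes preamble and inter-frame gap, so 10 Gbit/s of 64-byte frames
    gives the familiar 14.88 Mpps. A SYN flood looks like this, not like
    the large-file transfers that dominate the Mbps figure.
    """
    return mbps * 1_000_000 / ((frame_bytes + WIRE_OVERHEAD) * 8)


# Profile from the post; avg_bytes values are assumptions (see module docstring).
# IPsec is marked tcp=False because any TCP ACKs ride inside ESP and are
# already counted in its 20 Mbit/s.
PROFILE = (
    TrafficClass("DNS", 5, 100, tcp=False),
    TrafficClass("HTTP, sub-500-byte responses", 30, 400, tcp=True),
    TrafficClass("HTTP, normal", 300, 900, tcp=True),
    TrafficClass("HTTP, large files", 3000, 1400, tcp=True),
    TrafficClass("IPsec to base (ESP)", 20, 600, tcp=False),
)

if __name__ == "__main__":
    est = estimate_pps(PROFILE)
    for name, pps in est.items():
        print(f"{name:32s} {pps / 1000:8.1f} Kpps")
    print(f"{'200M hits/day cross-check':32s} {hits_to_pps(200e6) / 1000:8.1f} Kpps")
    print(f"{'3 Gbit/s of 64-byte frames':32s} {line_rate_pps(3000) / 1e6:8.2f} Mpps")
    print(f"{'10 Gbit/s of 64-byte frames':32s} {line_rate_pps(10000) / 1e6:8.2f} Mpps")
```

Under these assumptions the mix comes to roughly 490 Kpps, the same ballpark as the 400 Kpps in the follow-up, and the hit-count cross-check (about 18.5 Kpps for the small-response class) agrees with the bandwidth-derived figure for that class. The worst-case function is the number a firewall is actually sized against: 3 Gbit/s of minimum-size frames is about 4.5 Mpps, and a saturated 10 GbE link is 14.88 Mpps, an order of magnitude above the steady-state estimate.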