On Sun, May 06, 2007 at 05:10:19PM +0200, Henning Brauer wrote:
> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-05-04 09:12]:
> > Hi,
> >
> > I have some time to come up with a new firewall/router/vpn solution
> > for our datacentre, and I'm considering a shiny new server with
> > OpenBSD and pf instead of a costly PIX. On the part of our network
> > that I'm doing this for we might see maximum 20Mbit/s unencrypted
> > traffic.
> >
> > Is anyone using an OpenBSD/pf solution in a production environment
> > like this? What hardware are you using? How's it holding up? :-)
>
> for breakfast, yeah.
>
> with reasonable network cards and a reasonable ruleset pretty much any
> system made in the last, what, make it 2 years, should be able to do
> several hundred MBit/s.
>
> the max I have going thru an OpenBSD box at a customer is in the 750
> MBit/s range (and that doesn't max out the machine), but that is
> without pf and a carefully hand-crafted kernel.
>
> with pf, not sure where i have the biggest install... there's certainly
> customers in the 50 MBit/s range where the machines mostly idle.
> usually performance is just not a problem, so I don't look at these
> numbers too closely...

Three years ago, I ran PF/altq in a datacenter on crap hardware. We
handled 60-90Mb/s easily, with a default block policy and extensive
ALTQ CBQ throttling. While I optimized the rules as per the PF FAQ, I
did no kernel customization, no tweaking, no so-called optimizations.

See this link:

http://www.oreillynet.com/sysadmin/blog/2004/05/bsd_success_stories_1.html

Look at the story "BSD in a Panic," that was me. The machine in
question was, IIRC, a P500, 256 MB RAM.

Once the panic was over, I wound up installing pfflowd as well. The
machine was *still* mostly idle. I thought about putting DNS on it as
well but decided that would be pushing my luck.

OpenBSD and PF rock, hands-down. I've moved on from that employer
now, but I *still* use OpenBSD/PF whenever I can. Frequently, to
replace PIX solutions that just don't handle the load...

==ml

--
Michael W. Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."
