Hi list,
I have been conducting a variety of OpenBSD / PF performance tests
during the last week and I might as well share my findings with you.
The firewall tested is a Dell 2950 PE II equipped with 2 x Intel Quad
and 1 x Intel Dual NICs running OpenBSD 4.2-CURRENT.
The test machines were 6 Dell PE II servers (1950 & 2950) running
Knoppix. We used iperf, nmap and hping for our tests.
Our data was pulled from a Dell PowerConnect 5324 switch using SNMP and
Cacti for drawing nice graphs. We did take random samples from netstat
and other OpenBSD tools on the firewall itself to verify that the SNMP
numbers were matching up nicely.
The first test was about raw throughput:
Using iperf we pulled ~920 Mbits/s per bridge over 2 bridge devices when
PF was disabled. When PF was enabled with a pass all ruleset throughput
was measured to ~760 Mbits/s.
A bidirectional iperf reached ~340 Mbit/s per bridge with a pass all PF
ruleset, again over 2 bridges.
When a 2100 line ruleset from an old production firewall was used
throughput went down to ~320 Mbit/s using a single bridge. That was
improved a _great deal_ by proper ruleset optimisation but your milage may
vary.
The second test was a simulated DDOS SYN-flood attack against 1 of our 4
bridge devices with the following ruleset:
######################################################################
set timeout { adaptive.start 0, adaptive.end 0, interval 10, frag 10 }
set limit { states 250000, frags 10000 }
set optimization normal
set block-policy drop
set skip on { lo0, em0, em1, em3, em5, em7, em9 }
scrub in all
table <block_test> persist file "/root/block_test"
block in quick on em4 from <block_test> to any
pass in all no state
pass out all no state
#######################################################################
The block_test table contained 2000 entirely random IPv4 addresses.
The results were pretty impressive:
~120k pps ~40% interrupt load (measured using top)
~160k pps ~65% interrupt load (-"-)
~240k pps ~85% interrupt load (-"-)
We reached a maximum of ~330k pps before the box went into a livelock.
As a side note, when flooding the NICs that shared irq 6 with the LSI SAS
controller we discovered that noticeably fewer packets were needed to send
the box into a livelock but the exact numbers have unfortunately escaped my
notes :(
Flooding all 4 bridges simultaneously yielded max ~75k pps per bridge.
For comparison reasons we actually repeated this test with a Cizzco ASA
5510 Security Plus firewall using the same ruleset and it was killed by
~50k pps on a single bridge.
During the course of our tests we tuned the following sysctl parameters
to yield the best performance with our hardware, ruleset, traffic pattern,
etc.:
kern.maxclusters
net.inet.ip.ifq.maxlen
Our tests showed that you can degrade your performance by blindly tuning
these values so caution (and proper testing) is advised.
--
Med venlig hilsen / Best Regards
Henrik Johansen
[EMAIL PROTECTED]