Re: PF firewall system capable of handling a multi-gigabit link
2009/3/9 Ted Unangst ted.unan...@gmail.com
> On Sun, Mar 8, 2009 at 2:14 PM, Alface Voadora alface.voad...@gmail.com wrote:
>> Do you know about any installed firewall cluster that has pf+carp+pfsync working along with ALTQ on a multi-gigabit configuration with an acceptable performance?
> how many gigabits is multi-gigabit? 2, 10, 400?

2 Gbps

> can't you just test openbsd and see if it works?

Yes I can, and obviously I will test it.

Re: PF firewall system capable of handling a multi-gigabit link
Could you point me to a post that discusses the set pf + pfsync + carp + ALTQ on gigabit networks? My problem is the inclusion of the ALTQ into the configuration. If you can answer me as quickly as you replied with the obvious link from your last email I would be very appreciative.

> 2009/3/7 Alface Voadora alface.voad...@gmail.com:
>> Could you please point me to one of the hundreds of this kind of installs in the archives? I would be very appreciative.
> http://kerneltrap.org/mailarchive/search/gigabit+firewall/openbsd-misc

Re: PF firewall system capable of handling a multi-gigabit link
Thanks, but stating the obvious is not very helpful.

Do you know about any installed firewall cluster that has pf+carp+pfsync working along with ALTQ on a multi-gigabit configuration with an acceptable performance?

Before your wise answer and my initial question to the list I found the below post:

http://article.gmane.org/gmane.os.openbsd.misc/54958/match=throughput+pf+altq

Unfortunately, the bandwidth ranges it refers to are not the ones I pretend.

Thanks

2009/3/8 SJP Lists sjp.li...@flashbsd.net
> 2009/3/8 Alface Voadora alface.voad...@gmail.com:
>> Could you please point me to one of the hundreds of this kind of installs in the archives? I would be very appreciative.
> Just use search terms like: gigabit firewall firewall throughput packets per second

Re: PF firewall system capable of handling a multi-gigabit link
2009/3/9 Alface Voadora alface.voad...@gmail.com:
> Thanks, but stating the obvious is not very helpful.

And failing to state how and what you researched is not helpful to people who might be interested in helping you. A consequence of that is that others need to state the obvious since they don't know where to start with where you are at in the process of helping yourself.

Re: PF firewall system capable of handling a multi-gigabit link
Please accept my apologies for the unfair and incorrect way I replied to you and to the list.

My main doubt in the configuration relates with the ability of ALTQ being able to cope with a multi-gigabit throughput.

2009/3/9 SJP Lists sjp.li...@flashbsd.net
> 2009/3/9 Alface Voadora alface.voad...@gmail.com:
>> Thanks, but stating the obvious is not very helpful.
> And failing to state how and what you researched is not helpful to people who might be interested in helping you. A consequence of that is that others need to state the obvious since they don't know where to start with where you are at in the process of helping yourself.

Re: PF firewall system capable of handling a multi-gigabit link
On Mon, Mar 09, 2009 at 01:08:54AM +0100, Alface Voadora wrote:
> Please accept my apologies for the unfair and incorrect way I replied to you and to the list.
> My main doubt in the configuration relates with the ability of ALTQ being able to cope with a multi-gigabit throughput.

Yes.

> 2009/3/9 SJP Lists sjp.li...@flashbsd.net
>> 2009/3/9 Alface Voadora alface.voad...@gmail.com:
>>> Thanks, but stating the obvious is not very helpful.
>> And failing to state how and what you researched is not helpful to people who might be interested in helping you. A consequence of that is that others need to state the obvious since they don't know where to start with where you are at in the process of helping yourself.

Re: PF firewall system capable of handling a multi-gigabit link
On Sun, Mar 8, 2009 at 2:14 PM, Alface Voadora alface.voad...@gmail.com wrote:
> Do you know about any installed firewall cluster that has pf+carp+pfsync working along with ALTQ on a multi-gigabit configuration with an acceptable performance?

how many gigabits is multi-gigabit? 2, 10, 400?

can't you just test openbsd and see if it works?

Re: PF firewall system capable of handling a multi-gigabit link
Could you please point me to one of the hundreds of this kind of installs in the archives? I would be very appreciative.

Thanks

2009/2/17 Alface Voadora alface.voad...@gmail.com
> hundreds! OK!! thanks!!
>
> 2009/2/16 Henning Brauer lists-open...@bsws.de
>> * Alface Voadora alface.voad...@gmail.com [2009-02-08 21:37]:
>>> Did someone implement this kind of system before? Is it performing well? Is it impossible at all?
>> you'd find hundreds of these kind of installs if you searched the list archives.
>> --
>> Henning Brauer, h...@bsws.de, henn...@openbsd.org
>> BS Web Services, http://bsws.de
>> Full-Service ISP - Secure Hosting, Mail and DNS Services
>> Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam

Re: PF firewall system capable of handling a multi-gigabit link
hundreds! OK!! thanks!!

2009/2/16 Henning Brauer lists-open...@bsws.de
> * Alface Voadora alface.voad...@gmail.com [2009-02-08 21:37]:
>> Did someone implement this kind of system before? Is it performing well? Is it impossible at all?
> you'd find hundreds of these kind of installs if you searched the list archives.
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam

Re: PF firewall system capable of handling a multi-gigabit link
* Alface Voadora alface.voad...@gmail.com [2009-02-08 21:37]:
> Did someone implement this kind of system before? Is it performing well? Is it impossible at all?

you'd find hundreds of these kind of installs if you searched the list archives.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam

PF firewall system capable of handling a multi-gigabit link
Hi all,

in order to put in place a firewall system capable of handling a multi-gigabit connection, my company is also considering OpenBSD. I've been using it for my firewall setups since OpenBSD 3.5, but I have no experience on how it will perform on a multi-gigabit link.

My company already uses OpenBSD. It had been a rock solid and high performance system on a 100 Mbps link to Internet since some years ago. The memory usage, as well as the load on the system, are extremely low even when faced with an almost saturated 100 Mbps link.

The server is a DELL PE 1950, equipped with Intel PRO/1000 PT dual port gigabit (PCI Express) network cards, and the idea is to use the same server model to implement the multi-gigabit firewall.

Some information on the actual system (on the 100 Mbps link):

state table entries average ~ 12
state table lookups average rate ~ 3/s
state table inserts average rate ~ 600/s
state table removals average rate ~ 600/s

The traffic profile - mainly HTTP traffic to several http/https servers - will be the same as we have now, which we expect to increase a lot in the next months. Also, we are considering to use ALTQ to implement traffic shaping.

My questions:

Did someone implement this kind of system before? Is it performing well? Is it impossible at all?

Could the traffic shaping subsystem configuration be a bottleneck on such a system configuration?

Thanks