On Tue, 25 Mar 2008, Aaron Glenn wrote:
On Tue, Mar 25, 2008 at 6:15 PM, Patrick Clochesy <patrick@chegg.com> wrote:
Very interesting study I had not seen, and a bummer. That really puts a cramp in my advocacy of our CARP+pf load balancers/firewalls/gateways. Then again, what's a PIX box capable of?
I'd rather tweak a whitebox than pay through the nose for a PIX.
I also had to switch to OpenBSD as there was a fatal crash with the bridge device in FreeBSD when used with my particular OpenVPN/CARP/pf combination.
AFAIK pf/forwarding only takes place on one core and wouldn't take advantage of the other 3 cores, correct?
Correct. There have been some great speed and efficiency improvements in pf and other networking parts of OpenBSD; though from anecdotal evidence, 10GbE is not ready for 'primetime' (for certain definitions of 'primetime').
Anybody who does any sort of home-brew routing NEEDS to read this post:
http://lists.freebsd.org/pipermail/freebsd-current/2008-January/082469.html

Quote:
---
Forwarding (routing between multiple interfaces) and filtering (ipfw) IIRC with quad Intel e1000 NIC:

  Dual Intel Xeon 2.8GHz:       240Kpps   12k L1 cache
  Single Intel Xeon 2.8GHz:     380Kpps   12k L1 cache
  Core 2 Duo 1.8GHz:            420Kpps   12k L1 cache
  Single Pentium-M 1.8GHz:      550Kpps   32k L1 cache
  Dual AMD opteron 2GHz:        890Kpps   64k L1 cache
  Single AMD opteron 2GHz:      970Kpps   64k L1 cache

All these hosts had 255 vlan interfaces with about 3000 routes and about 30000 firewall rules, with a good spread of packets between the interfaces with polling and fastforwarding. I struggled to generate enough packets to load the AMD routers.
---

Quite interesting data, no? Especially when you can now get 3GHz opterons with 128k of L1 cache? How sweet is a sub-$1k router that can do multiple gig-e's at 1.5mpps? Sounds like a dynamite platform for high-end datacenter CPEs that are soft on dynamic routing...and even the open-source dynamic routing is reasonably solid these days...

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
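The figures quoted above are in packets per second, and that is the number that matters for a software firewall: a pf or ipfw box spends roughly the same CPU on a 64-byte packet as on a 1518-byte one, so a flood of minimum-size packets is the worst case for it regardless of how little bandwidth the flood uses. The calculator below, added here as an example and not part of the thread or of the FreeBSD post it quotes, converts link speed and frame size into the pps a router must sustain, and then applies that to the quoted forwarding rates to show how many gig-e links each box fills at minimum and at full-size frames. The 20-byte per-frame wire overhead (preamble, start-of-frame delimiter, inter-frame gap) is the standard Ethernet figure; the per-host pps values are copied from the quote and are treated as given inputs, not re-measured.

```python
"""Line-rate packet-rate calculator for a software router/firewall.

Added example, not code from the thread. Ethernet wire overhead is the
standard 20 bytes per frame (7B preamble + 1B SFD + 12B inter-frame gap).
The forwarding figures are the ones quoted in the thread, used as inputs.
"""

ETH_WIRE_OVERHEAD = 20   # bytes on the wire per frame beyond the frame itself
MIN_FRAME = 64           # smallest legal Ethernet frame, FCS included
MAX_FRAME = 1518         # largest standard (non-jumbo) frame, FCS included
GIGE = 1_000_000_000     # 1 Gbit/s

# Forwarding+filtering rates quoted in the thread, in packets per second.
QUOTED_FORWARDING_PPS = {
    "Dual Intel Xeon 2.8GHz": 240_000,
    "Single Intel Xeon 2.8GHz": 380_000,
    "Core 2 Duo 1.8GHz": 420_000,
    "Single Pentium-M 1.8GHz": 550_000,
    "Dual AMD Opteron 2GHz": 890_000,
    "Single AMD Opteron 2GHz": 970_000,
}


def line_rate_pps(frame_bytes: int, link_bps: int = GIGE) -> float:
    """Packets per second needed to fill one link with frames of this size."""
    return link_bps / ((frame_bytes + ETH_WIRE_OVERHEAD) * 8)


def links_at_line_rate(pps_capacity: int, frame_bytes: int,
                       link_bps: int = GIGE) -> float:
    """How many links of this speed a box forwarding pps_capacity keeps full."""
    return pps_capacity / line_rate_pps(frame_bytes, link_bps)


def min_frame_for_line_rate(pps_capacity: int, links: int = 1,
                            link_bps: int = GIGE) -> float:
    """Smallest average frame size at which the box still fills `links` links.

    Below this size the box, not the wire, is the bottleneck; a flood of
    smaller packets will exhaust the forwarding path before the link fills.
    """
    wire_bytes_per_pkt = link_bps * links / (pps_capacity * 8)
    return max(MIN_FRAME, wire_bytes_per_pkt - ETH_WIRE_OVERHEAD)


def headroom_report(table: dict, links: int = 4) -> dict:
    """Per quoted box: gig-e links filled under a 64-byte flood, under
    full-size frames, and the average frame size needed to keep `links`
    gig-e ports (the quad e1000 in the quote) at line rate."""
    return {
        name: {
            "gige_links_at_64B": round(links_at_line_rate(pps, MIN_FRAME), 2),
            "gige_links_at_1518B": round(links_at_line_rate(pps, MAX_FRAME), 2),
            "min_avg_frame_for_%d_links" % links:
                round(min_frame_for_line_rate(pps, links)),
        }
        for name, pps in table.items()
    }


if __name__ == "__main__":
    print("1 GbE at 64-byte frames needs %.0f pps" % line_rate_pps(MIN_FRAME))
    for name, row in headroom_report(QUOTED_FORWARDING_PPS).items():
        print(name, row)
```

Running it shows that one gig-e at minimum-size frames is about 1.49 Mpps, so none of the quoted boxes, not even the 970 Kpps Opteron, survives a 64-byte flood on a single port at line rate, while the same Opteron fills nearly twelve gig-e links at full-size frames. When sizing a pf/ipfw gateway, rule count (the quote used 30000 rules) and whether forwarding runs on one core both set the pps ceiling, and that ceiling, not Gbps, is what a small-packet flood tests.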