On Tue, Mar 25, 2008, Patrick Clochesy wrote:
Very interesting study I had not seen, and a bummer. That really puts a cramp in my advocation of our CARP+pf load balancers/firewalls/gateways. Then again, what's a PIX box capable of?
Well, you get what you pay for. If you're willing to blow $10k on a firewall, maybe you'll be willing to blow $10k on a *BSD developer to work on improving forwarding performance. It'd only take ten or so people to make donations or sponsor work of that size for the benefits to appear.
I also had to switch to OpenBSD as there was a fatal crash with the bridge device in FreeBSD when used with my particular OpenVPN/CARP/pf combination.
Did you log a bug? :)
AFAIK pf/forwarding only takes place on one core and wouldn't take advantage of the other 3 cores, correct?
Uhm, it's not quite that simple. ithreads on FreeBSD at least will run on one CPU at a time (unless you're running some hacked-up Russian-driven Intel gige driver, which runs multiple ithreads for the device to improve performance under certain circumstances!) and these classes of cards and busses wouldn't benefit from >1 core contending for one card/bus. If you're running >1 card then you may find the ithreads run on different CPUs, each doing lookups and forwarding, but I haven't sat down and looked at that sort of forwarding performance under FreeBSD. My focus at the moment is "tcp proxy on a stick" throughput with one interface and >1 core doing userland processing.

Adrian