From: Marco Padovan <evcz@evcz.tk>
To: Julien Vehent <julien@linuxwall.info>
Cc: netfilter <netfilter@vger.kernel.org>
Subject: Re: Using Netfilter with high bandwidth
Date: Thu, 06 Sep 2012 21:16:46 +0200
Message-ID: <5048F69E.2090504@evcz.tk>
In-Reply-To: <56bebadff4785d716c997d7aba22b9dd@linuxwall.info>

Solutions like these:

http://shader.kaist.edu/packetshader/

are surfacing lately... and those can't be compared with CPU processing ;)

On 31/08/2012 21:38, Julien Vehent wrote:
> Hi All,
>
> At work, we're building a new office, and we are considering building
> our own edge firewalls instead of giving bucket loads of money to the
> big guys. We're a Linux shop, so it makes sense to build those new
> firewall/vpn boxes using Linux. But we are concerned about
> performance and complexity. I made a simple diagram of what we want
> below. We would have a point to point WAN connection between the two
> networks, and then an uplink on each side.
>
> So I figured I would ask the Netfilter heavy users:
>  * How much traffic can we expect to route to a decently configured
> firewall? Can we target 10GBPS with good NICs/CPUs and proper kernel
> tuning, or is that completely out of range?
>  * If I recall correctly, some ISPs are using Linux/Netfilter boxes on
> their network. Do we know the limits of such systems ?
>  * Can we consider conntrack and conntrack synchronization between
> master and slave?
>  * What type of network cards will handle 1GBPS and 10GBPS
> (eventually)? Any recommendation on the hardware?
>  * We are considering starting with a base ubuntu setup and then
> tuning the kernel/system to fit our needs. Some distros are more
> network oriented than others, is there anything that would stand out
> for our setup ?
>
> Any pointer to tuning/recommendations is more than welcome. If you
> have experience with such a setup but don't want to share publicly,
> feel free to contact me directly.
>
>
>                          ........... ...... ..........
>                       ...      I N T E R N E T       ...
>             +--------+..                               .+---------+
>        500 MBPS          .............................            |500 MBPS
>        UPLINK                                                     |UPLINK
>             |                                                     |
>        +----+-----------+             1 GBPS WAN        +---------+------+
>        |                +------------------------------->                |
>        | LAN FIREWALL   |---+                           | DATACENTER FW  |---+
>        +---^+-----------+   |                           +---^+-----------+   |
>            || +-------------+                               || +-------------+
>            ||                                               ||
>            ||                                               ||
>            ||1 GBPS LAN                                     ||1 GBPS LAN
>            ||                                               ||
>            ||                                               ||
>          ..+v....                                           |v......
>        ..         ..                                       ..        ..
>       ..   L A N   ..                                     .. Datacenter.
>        .............                                       ...........
>
>
> Thanks a lot everyone :)
>
> Julien
>


Thread overview: 8+ messages
2012-08-31 19:38 Using Netfilter with high bandwidth Julien Vehent
2012-08-31 22:39 ` Jan Engelhardt
2012-09-03  7:56   ` Jesper Dangaard Brouer
2012-09-06 17:56     ` Julien Vehent
2012-09-06 18:42       ` Jan Engelhardt
2012-09-06 18:29     ` Luigi Rizzo
2012-09-25 11:30   ` Jan Engelhardt
2012-09-06 19:16 ` Marco Padovan [this message]