From: Dennis Jacobfeuerborn <dennisml@conversis.de>
To: netfilter@vger.kernel.org
Subject: Recommended hardware for iptables based firewall/router
Date: Sun, 02 Nov 2014 04:51:28 +0100
Message-ID: <5455AA40.6050302@conversis.de>

Hi,
we recently bought a Ubiquiti EdgeRouter Pro but it seems the claims
about 2 million pps that it should be able to handle are not real-world
numbers. We are running about 120mbit through this system and are
already seeing the two RISC cores struggling with high softirq load and
packet drops.

So my question is what a good hardware base would look like for a Linux-based
firewall using iptables/conntrack/ipset. Do offload features help
or can't these be used because iptables needs to process the packets
anyway? I assume multiqueuing would be nice too.
The idea is to be able to actually process 1gbit of traffic i.e. handle
two gbit ports (WAN and LAN) at wire-speed.

Does anyone have any specific recommendations for NICs and maybe tips
for other bottlenecks to look out for?

Regards,
  Dennis
