From: Julien Vehent <julien@linuxwall.info>
To: netfilter <netfilter@vger.kernel.org>
Subject: Using Netfilter with high bandwidth
Date: Fri, 31 Aug 2012 15:38:47 -0400
Message-ID: <56bebadff4785d716c997d7aba22b9dd@linuxwall.info>
Hi All,
At work, we're building a new office, and we are considering building our
own edge firewalls instead of giving bucket loads of money to the big guys.
We're a Linux shop, so it makes sense to build those new firewall/vpn boxes
using Linux. But we are concerned about performance and complexity. I made a
simple diagram of what we want below. We would have a point to point WAN
connection between the two networks, and then an uplink on each side.
So I figured I would ask the Netfilter heavy users:
* How much traffic can we expect to route through a decently configured
firewall? Can we target 10 Gbps with good NICs/CPUs and proper kernel tuning,
or is that completely out of range?
* If I recall correctly, some ISPs are using Linux/Netfilter boxes on their
network. Do we know the limits of such systems?
* Can we consider conntrack and conntrack synchronization between master
and slave?
* What type of network cards will handle 1 Gbps and 10 Gbps (eventually)?
Any recommendation on the hardware?
* We are considering starting with a base Ubuntu setup and then tuning the
kernel/system to fit our needs. Some distros are more network oriented than
others; is there anything that would stand out for our setup?
Any pointer to tuning/recommendations is more than welcome. If you have
experience with such a setup but don't want to share publicly, feel free to
contact me directly.
          ...........  I N T E R N E T  ...........
              |                              |
          500 MBPS                       500 MBPS
           UPLINK                         UPLINK
              |                              |
    +---------+---------+   1 GBPS WAN  +---------+---------+
    |   LAN FIREWALL    |<------------->|   DATACENTER FW   |
    +---------+---------+               +---------+---------+
             ||                                  ||
         1 GBPS LAN                          1 GBPS LAN
             ||                                  ||
       .............                       ...............
       .  L A N    .                       .  Datacenter  .
       .............                       ...............
Thanks a lot everyone :)
Julien
--
Julien Vehent - http://jve.linuxwal.info