iptables on multiple CPUs (SMP & Hyperthreading question)

iptables on multiple CPUs (SMP & Hyperthreading question)

[Michael Buffer]

I'm considering purchasing some firewall machines for my organization, and
I am trying to decide whether a machine with multiple CPUs is worth the
additional expense performance-wise (aside from being able to assign CPUs
to interfaces).  I'd also like to know whether there are any stability
issues with iptables & SMP (and/or hyperthreading with multiple CPUs).
Any input would be appreciated.

Thanks,
Michael

Re: iptables on multiple CPUs (SMP & Hyperthreading question)

[/dev/rob0]

Michael Buffer wrote:
> I'm considering purchasing some firewall machines for my organization, and
> I am trying to decide whether a machine with multiple CPUs is worth the
> additional expense performance-wise (aside from being able to assign CPUs

??? I cannot believe this is even under consideration. Just how big is 
your organisation?

I run iptables firewalls on very modest machines, with single and dual 
T1 lines, and there is never any CPU load from the packet filtering nor 
the NAT. I don't have any really large sites, but I strongly suspect 
that iptables firewalling of very large sites could easily be handled by 
dumpster-grade equipment.

Of course with a budget like yours you'll want something new, which is 
better (we hope) for the physical reliability of the machine. A fast CPU 
  is useful for a fast boot time to minimise down time in the event of 
problems. Otherwise, a waste.

Listen, I ran my home cable, with multiple simultaneous large downloads 
and 3-4 busy Web browsers on a 386. It never broke a sweat. This of 
course used ISA 10Mbit NIC's. It could have handled many times the load 
without problem.

Why did I decommision it? Electricity. I only had so many outlets, and I 
needed a machine to perform more complex tasks, so the firewall job got 
handed off to another machine, and the 386 was retired. Still here in 
case I need it again.

I need a new computer ATM. How about I build a firewall machine for you, 
and you send me that SMP super machine? ;)
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header

Re: iptables on multiple CPUs (SMP & Hyperthreading question)

[Sertys]

On Thu, 02 Jun 2005 21:15:23 -0500, /dev/rob0 <rob0@gmx.co.uk> wrote:

> Michael Buffer wrote:
>> I'm considering purchasing some firewall machines for my organization,  
>> and
>> I am trying to decide whether a machine with multiple CPUs is worth the
>> additional expense performance-wise (aside from being able to assign  
>> CPUs
>
> ??? I cannot believe this is even under consideration. Just how big is  
> your organisation?
>
> I run iptables firewalls on very modest machines, with single and dual  
> T1 lines, and there is never any CPU load from the packet filtering nor  
> the NAT. I don't have any really large sites, but I strongly suspect  
> that iptables firewalling of very large sites could easily be handled by  
> dumpster-grade equipment.
>
> Of course with a budget like yours you'll want something new, which is  
> better (we hope) for the physical reliability of the machine. A fast CPU  
>   is useful for a fast boot time to minimise down time in the event of  
> problems. Otherwise, a waste.
>
> Listen, I ran my home cable, with multiple simultaneous large downloads  
> and 3-4 busy Web browsers on a 386. It never broke a sweat. This of  
> course used ISA 10Mbit NIC's. It could have handled many times the load  
> without problem.
>
> Why did I decommision it? Electricity. I only had so many outlets, and I  
> needed a machine to perform more complex tasks, so the firewall job got  
> handed off to another machine, and the 386 was retired. Still here in  
> case I need it again.
>
> I need a new computer ATM. How about I build a firewall machine for you,  
> and you send me that SMP super machine? ;)

This of course seems to me like a stupendous statement. OK? If your  
firewall is hit by 3000 packets per minute - that's not a great load  
issue. But imagine you have 30000 clients you need to NAT and route.  
That's awful lotta power and you don't have to underestimate the chance of  
you CPU not handling them. I've seen such situations in many ISP's.Their  
routers(x86) just can't handle the traffic. And the dude one step before  
in the thread asked you the right question anyway : Just how big is your  
organisation? Measure your traffic! If it is less than 200-300 mbit/s you  
should not be worrying. If it's more and you have some intense  
services(IDS's , slow-rule traversal,because of many rules,multiple  
servers on each machine), that's when you shall invest your $$$ in BIGGER  
machines. Indeed linux handles SMP almost perfectly, same for HT, but both  
of them is not a good idea(2x2 Xeons for example), because of the  
inconvinience of the posix threading model and the lack of specialized  
support for this type of process queuing.

-- 
www.supportivo.org

I can't stop myself checking for pigs in the outlets. Everybody thinks i'm  
a punk, cause of the hairstyle(220V).
end

Re: iptables on multiple CPUs (SMP & Hyperthreading question)

[Mogens Valentin]

Michael Buffer wrote:
> I'm considering purchasing some firewall machines for my organization, and
> I am trying to decide whether a machine with multiple CPUs is worth the
> additional expense performance-wise (aside from being able to assign CPUs
> to interfaces).  I'd also like to know whether there are any stability
> issues with iptables & SMP (and/or hyperthreading with multiple CPUs).
> Any input would be appreciated.

To second the other very good remarks...
I've had a Celeron 430 with 128MB ram or so handling 8 interfaces (quad 
Dlink cards) as a firewall/router, while also running the facility's 
internal bind and dhcpd, plus acting as a FreeSwan IPsec concentrator 
for three external departments.
On a 2Gbit connection, load was mostly idle. I even had it running seti 
(priority -19) for a while, just to see how it handled the load.

This was for an educational facility with some 200 students and 30+ 
staff on the central setup, and maybe 40 students +8 teachers at the 
external depts.
Quite a lot of those students didn't know how to activate themselves, so 
there was -a lot- of browsing, chatting, and downloading taking place.

The only times I would've liked more raw power was for my homeoffice ssh 
connections

But I can fully agree to other remarks on setting up clustered solutions 
with failover.


-- 
Kind regards,
Mogens Valentin


The dual core chips are dubbed the "brains" of a computer.
Although Intel has recently changed that description by
describing its dual core processors as having a heart as well.
   -- fun on theinquirer.net

RE: iptables on multiple CPUs (SMP & Hyperthreading question)

[Gary W. Smith]

We bought 10 Dell GX150's (1ghz, 256mb) off Ebay for $1500.  We made 4 clusters of firewalls for 4 locations running LinuxHA, drbd, ipsec, pptpd and iptables.  The average load spikes to 10% at night when it's rotating the log files.  Otherwise it's idle.
 
One of the sets is running at my home office and also has MySQL and Apache on it (more of less for development).  The load is still nominal.
 
The cluster at our primary location is for a central mail hub which receives over 200k emails per day on a T3.  The second location is the central office connected via T3 to the network.
 
The catch is, $1500 is the entire environment for 4 different locations for redundant firewalls.
 
So, I'll sweaten the offer.  Give me the new box and I'll send you a cluster (retail $300) LOL.
 
Gary Smith

________________________________

From: netfilter-bounces@lists.netfilter.org on behalf of /dev/rob0
Sent: Thu 6/2/2005 7:15 PM
To: netfilter@lists.netfilter.org
Subject: Re: iptables on multiple CPUs (SMP & Hyperthreading question)



Michael Buffer wrote:
> I'm considering purchasing some firewall machines for my organization, and
> I am trying to decide whether a machine with multiple CPUs is worth the
> additional expense performance-wise (aside from being able to assign CPUs

??? I cannot believe this is even under consideration. Just how big is
your organisation?

I run iptables firewalls on very modest machines, with single and dual
T1 lines, and there is never any CPU load from the packet filtering nor
the NAT. I don't have any really large sites, but I strongly suspect
that iptables firewalling of very large sites could easily be handled by
dumpster-grade equipment.

Of course with a budget like yours you'll want something new, which is
better (we hope) for the physical reliability of the machine. A fast CPU
  is useful for a fast boot time to minimise down time in the event of
problems. Otherwise, a waste.

Listen, I ran my home cable, with multiple simultaneous large downloads
and 3-4 busy Web browsers on a 386. It never broke a sweat. This of
course used ISA 10Mbit NIC's. It could have handled many times the load
without problem.

Why did I decommision it? Electricity. I only had so many outlets, and I
needed a machine to perform more complex tasks, so the firewall job got
handed off to another machine, and the 386 was retired. Still here in
case I need it again.

I need a new computer ATM. How about I build a firewall machine for you,
and you send me that SMP super machine? ;)
--
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header