From: Marco Padovan <evcz@evcz.tk>
To: Julien Vehent <julien@linuxwall.info>
Cc: netfilter <netfilter@vger.kernel.org>
Subject: Re: Using Netfilter with high bandwidth
Date: Thu, 06 Sep 2012 21:16:46 +0200
Message-ID: <5048F69E.2090504@evcz.tk>
In-Reply-To: <56bebadff4785d716c997d7aba22b9dd@linuxwall.info>
Solutions like these:
http://shader.kaist.edu/packetshader/
are surfacing lately... and those can't be compared with CPU processing ;)
On 31/08/2012 21:38, Julien Vehent wrote:
> Hi All,
>
> At work, we're building a new office, and we are considering building
> our own edge firewalls instead of giving bucket loads of money to the
> big guys. We're a Linux shop, so it makes sense to build those new
> firewall/vpn boxes using Linux. But we are concerned about
> performances and complexity. I make a simple diagram of what we want
> below. We would have a point to point WAN connection between the two
> networks, and then an uplink on each side.
>
> So I figured I would ask the Netfilter heavy users:
> * How much traffic can we expect to route to a decently configured
> Firewall ? Can we target 10GBPS with good NICs/CPUs and proper kernel
> tuning, or is that completely out of range ?
> * If I recall correctly, some ISPs are using Linux/Netfilter boxes on
> their network. Do we know the limits of such systems ?
> * Can we consider conntrack and conntrack synchronization between
> master and slave ?
> * What type of network cards will handle 1GBPS and 10GBPS
> (eventually) ? Any recommendation on the hardware ?
> * We are considering starting with a base ubuntu setup and then
> tuning the kernel/system to fit our needs. Some distros are more
> network oriented than others, is there anything that would stand out
> for our setup ?
>
> Any pointer to tuning/recommendations is more than welcome. If you
> have experience with such a setup but don't want to share publicly,
> feel free to contact me directly.
>
>
>                ...............................
>                ..      I N T E R N E T      ..
>                ...............................
>                   |                      |
>          500 MBPS |                      | 500 MBPS
>          UPLINK   |                      | UPLINK
>                   |                      |
>         +---------+------+  1 GBPS WAN  +--------+-------+
>         |  LAN FIREWALL  |<------------>| DATACENTER FW  |
>         +---------+------+              +--------+-------+
>                   |                              |
>                   | 1 GBPS LAN                   | 1 GBPS LAN
>                   |                              |
>             .............                  ..............
>             ..  L A N  ..                  .. Datacenter .
>             .............                  ..............
>
>
> Thanks a lot everyone :)
>
> Julien
>