From: Dennis Jacobfeuerborn <dennisml@conversis.de>
To: Yucong Sun <sunyucong@gmail.com>,
Neal Murphy <neal.p.murphy@alum.wpi.edu>,
netfilter@vger.kernel.org
Subject: Re: Recommended hardware for iptables based firewall/router
Date: Sun, 09 Nov 2014 02:11:27 +0100 [thread overview]
Message-ID: <545EBF3F.60801@conversis.de> (raw)
In-Reply-To: <CAJygYd1FOu7XPbP00i_jjpMm_zWnuYJAiKXudBbQgjwBQ1rxGQ@mail.gmail.com>
On 09.11.2014 01:49, Yucong Sun wrote:
> Dennis Jacobfeuerborn <dennisml@conversis.de>
>
> The EdgeRouter's ASIC couldn't handle all use cases; having some
> special rule will make it go to "offload disabled" mode. You should
> research if that's the problem.
Yes, that seems to be the problem. Unfortunately the only things we use
are VLANs and iptables+conntrack, which I consider to be fairly
standard features required for basic firewalling. If the system cannot
handle traffic at a decent rate with these features, then its hardware
seems to be ill-spec'ed for its purpose.
Things got better when I was able to enable VLAN offloading... until the
CPU stalled and the system rebooted itself. Apparently the offloading is
unstable.
None of this inspires confidence in a product that is specifically
advertised as a router/firewall, that is sold with 8 Gbit ports and
promises to handle 2 Mio+ pps.
> As for Linux as a router, the key thing you want to test for is PPS,
> not BPS. Commodity hardware should be able to handle up to 1 Mpps. Buy
> the best Xeon within your budget. Don't bother looking at anything else
> (if your project is serious and needs to survive a DDoS attack).
For now I have chosen a Xeon system with two quad-core CPUs that I already
have here and that has multiqueue-capable Intel NICs, and I have configured
the appropriate IRQ affinity and XPS so each queue is handled by a dedicated
core. I think this should provide relatively decent performance.
Regards,
Dennis
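The per-queue IRQ affinity and XPS setup Dennis describes, as an added example that is not part of the thread: a POSIX shell script that parses `/proc/interrupts`, assigns queue N to core N, builds the hex CPU masks the kernel expects, and writes them to `/proc/irq/<irq>/smp_affinity` and `/sys/class/net/<iface>/queues/tx-<n>/xps_cpus`. The interface name `eth0`, the `eth0-TxRx-N` IRQ naming (ixgbe-style), the embedded `/proc/interrupts` sample and the `plan`/`apply` helpers are all assumptions or constructed for the example; check the real IRQ names on your box before applying.

```shell
#!/bin/sh
# Added example (not from the thread): pin each NIC queue's IRQ to its own
# core and set XPS so the same core transmits on the matching TX queue.
# Interface name, IRQ naming (eth0-TxRx-N) and sysfs paths are assumptions.

# cpu_mask N: hex CPU mask with only bit N set, in the comma-separated
# 32-bit-word format that smp_affinity and xps_cpus expect (highest word first).
cpu_mask() {
    n=$1
    mask=$(printf '%x' $((1 << (n % 32))))
    i=$((n / 32))
    while [ "$i" -gt 0 ]; do
        mask="$mask,00000000"   # pad the lower 32-bit words with zeros
        i=$((i - 1))
    done
    printf '%s\n' "$mask"
}

# plan IFACE: read /proc/interrupts on stdin and print "queue irq cpu mask"
# per queue, mapping queue i to core i (wrapping if there are more queues
# than cores). The core count is taken from the CPUn header line.
plan() {
    iface=$1
    data=$(cat)
    ncpu=$(printf '%s\n' "$data" | awk 'NR == 1 { print NF }')
    printf '%s\n' "$data" | awk -v ifc="$iface" '
        $NF ~ ("^" ifc "-(TxRx|rx|tx)-[0-9]+$") {
            sub(":", "", $1); n = split($NF, a, "-"); print a[n], $1
        }' | while read -r q irq; do
        cpu=$((q % ncpu))
        printf '%s %s %s %s\n' "$q" "$irq" "$cpu" "$(cpu_mask "$cpu")"
    done
}

# apply IFACE: write the plan to /proc/irq and sysfs. Needs root, and
# irqbalance must be stopped first or it will move the IRQs again.
apply() {
    iface=$1
    plan "$iface" </proc/interrupts | while read -r q irq cpu mask; do
        echo "$mask" >"/proc/irq/$irq/smp_affinity"
        xps="/sys/class/net/$iface/queues/tx-$q/xps_cpus"
        if [ -w "$xps" ]; then
            echo "$mask" >"$xps"
        fi
        echo "queue $q: irq $irq -> cpu $cpu (mask $mask)"
    done
}

# Constructed sample of /proc/interrupts: 4 cores, one 4-queue NIC plus its
# link-status IRQ (the last line, which must not be treated as a queue).
sample_interrupts() {
    cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
  40:       1000          0          0          0   IR-PCI-MSI-edge   eth0-TxRx-0
  41:          0       1000          0          0   IR-PCI-MSI-edge   eth0-TxRx-1
  42:          0          0       1000          0   IR-PCI-MSI-edge   eth0-TxRx-2
  43:          0          0          0       1000   IR-PCI-MSI-edge   eth0-TxRx-3
  44:         10         10         10         10   IR-PCI-MSI-edge   eth0
EOF
}

# Dry run against the sample (no writes): prints the mapping apply would set.
sample_interrupts | plan eth0
```

Run `apply eth0` as root on the real machine once the dry run shows the expected queue-to-core mapping; `plan eth0 </proc/interrupts` shows it for the live system without changing anything. Watch the per-CPU columns of `/proc/interrupts` afterwards to confirm each queue's interrupts land on its own core.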