netfilter.vger.kernel.org archive mirror
From: Julien Vehent <julien@linuxwall.info>
To: netfilter <netfilter@vger.kernel.org>
Subject: Using Netfilter with high bandwidth
Date: Fri, 31 Aug 2012 15:38:47 -0400
Message-ID: <56bebadff4785d716c997d7aba22b9dd@linuxwall.info>

Hi All,

At work, we're building a new office, and we are considering building our 
own edge firewalls instead of giving bucket loads of money to the big guys. 
We're a Linux shop, so it makes sense to build those new firewall/VPN boxes 
using Linux. But we are concerned about performance and complexity. I made a 
simple diagram of what we want below. We would have a point-to-point WAN 
connection between the two networks, and then an uplink on each side.

So I figured I would ask the Netfilter heavy users:
  * How much traffic can we expect to route to a decently configured firewall? 
Can we target 10GBPS with good NICs/CPUs and proper kernel tuning, or is 
that completely out of range?
  * If I recall correctly, some ISPs are using Linux/Netfilter boxes on their 
network. Do we know the limits of such systems?
  * Can we consider conntrack and conntrack synchronization between master 
and slave?
  * What type of network cards will handle 1GBPS and 10GBPS (eventually)? 
Any recommendation on the hardware?
  * We are considering starting with a base Ubuntu setup and then tuning the 
kernel/system to fit our needs. Some distros are more network-oriented than 
others; is there anything that would stand out for our setup?

Any pointer to tuning/recommendations is more than welcome. If you have 
experience with such a setup but don't want to share publicly, feel free to 
contact me directly.


                          ........... ...... ..........
                       ...      I N T E R N E T       ...
             +--------+..                               .+---------+
        500 MBPS          .............................            |500 MBPS
        UPLINK                                                     |UPLINK
             |                                                     |
        +----+-----------+             1 GBPS WAN        +---------+------+
        |                +------------------------------->                |
        | LAN FIREWALL   |---+                           | DATACENTER FW  |---+
        +---^+-----------+   |                           +---^+-----------+   |
            || +-------------+                               || +-------------+
            ||                                               ||
            ||                                               ||
            ||1 GBPS LAN                                     ||1 GBPS LAN
            ||                                               ||
            ||                                               ||
          ..+v....                                           |v......
        ..         ..                                       ..        ..
       ..   L A N   ..                                     .. Datacenter.
        .............                                       ...........


Thanks a lot everyone :)

Julien

-- 
Julien Vehent - http://jve.linuxwal.info


Thread overview: 8+ messages
2012-08-31 19:38 Julien Vehent [this message]
2012-08-31 22:39 ` Using Netfilter with high bandwidth Jan Engelhardt
2012-09-03  7:56   ` Jesper Dangaard Brouer
2012-09-06 17:56     ` Julien Vehent
2012-09-06 18:42       ` Jan Engelhardt
2012-09-06 18:29     ` Luigi Rizzo
2012-09-25 11:30   ` Jan Engelhardt
2012-09-06 19:16 ` Marco Padovan
