pf and SMP and busy wires

Max Laier max at love2party.net
Wed Mar 26 09:54:34 PDT 2008


On Wednesday 26 March 2008 17:02:03 Nejc Škoberne wrote:
> I like pf very much and I was planning to use it as a "central"
> firewall at one of the customers like this:
>
>                       subnet_3
>
>
> subnet_1 ---------- PF_firewall --------------- subnet_2
>
>
>                     internet_gw
>
> However, since these are subnets with many computers, these would be
> gigabit connections. But, I am afraid that this machine would not be
> able to process data with gigabit speeds. So my questions are:
>
> 1. Are there any real-life performance evaluations with PF as
> firewall(s) (doing also NAT if possible)?

Yes there are, but I don't have a concrete example at hand.  NAT isn't all 
that expensive with pf.  In general you can hope for up to 750kpps 
forwarding performance.  If that's enough in your situation depends on 
the kind of traffic you are looking at.

> 2. How efficiently does PF use SMP (FreeBSD 7.0)?

Not at all.  I have plans to change that, though:
 http://pf4freebsd.love2party.net/pflock/

N.B. this is a long shot and something for the 8.0 time frame.

> 3. How much would I profit if I had a server with two Dual-Core Intel
> processors? This means 4 cores, right? I guess this should be able to
> process data with gigabit speed in the situation above?

While pf is a serialization point, the rest of the processing 
(ether_input -> ip_input -> forward -> ip_output -> ether_output) and the 
internet servicing can run in parallel.  If you just do forwarding the 
natural limit for parallelization is the number of interfaces, although 
you won't likely achieve that kind of parallelism more cores certainly 
help.  If you add other processing - e.g. VPN endpoints - it's even 
better to have "spare" cores.

> 4. How would PF scale if there were 5 or more such subnets instead of 3
> (with gigabit speeds)?

The limiting factor for any firewall/packet forwarder are packets per 
second, not throughput (so much).  pf on FreeBSD currently provides 
~750kpps (1M has been reported with careful tuning).  This is roughly 
1Gbps with 1500 Byte packets.

> 5. Are there any PF vs Cisco|Juniper|3Com layer3 switches comparisons?

Not that I'm aware of, but pf on commodity hardware will always have an 
edge in the cost/performance column.  You have to pay quite a bit to 
obtain a hardware solution that can really *firewall* 750kpps and this 
will usually fall short of pf in terms of additional features.

Note for example, the possibility to build a redundant firewall with ARP 
load balancing using CARP and pfsync.

> 6. What role does the network cards play when looking at performance?
> Are there network cards which do more work by themselves to let CPU to
> do other things?

YES!  Buying good network cards is essential!  The general consensus seems 
to be to stick with Intel server cards.  In any case stay away from the 
low end on-board stuff.  The bus interface is also very important!  The 
plain old PCI bus has a limit of ~1Gbps itself, so go for PCI-X or better 
yet PCIe.  Buy a motherboard that offers more than one bus.

In the end it very much depends on your traffic patterns and security if 
pf is the right choice for you.  If you should really have steady 1Gbps 
streams between your subnets it very likely is not.  But then again, 
there are very few alternatives to choose from.  If you are only looking 
at sporadic inter-subnet communication and reliable, secure internet 
access for all of them (where usually the uplink is the limiting 
factor) - then FreeBSD and pf can certainly provide what you need.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News


More information about the freebsd-pf mailing list