packet forwarding/firewall performance question

Chris Buechler cbuechler at gmail.com
Thu Aug 13 23:10:22 UTC 2009


On Thu, Aug 13, 2009 at 5:25 PM, Tom Uffner <tom at uffner.com> wrote:
> I am curious what level of performance I should expect from the
> firewall box described below in terms of packets/sec and bytes/sec.
>
> it is an 800 MHz VIA C3 with a Gigabit switch on the inside interface
> and 20 Mb/s symmetric FiOS on the outside. both interfaces are 100 Mb/s.
> it is running sshd, bsnmpd, sendmail (outbound only), bind9 (serving
> local domain info & queries from 5-15 machines on the LAN) and isc-dhcpd.
> it acts as a border firewall/router for a small LAN w/ 5 static external
> addresses & the rest NATed.
>

Keeping this on pf since you aren't running -current.

With what sounds like a nearly identical box, I've gotten 100 Mb wire
speed with 7.x-based pfSense versions, which should be virtually
identical to stock FreeBSD performance. I would expect 100 Mb wire
speed with CPU to spare, using out of the box settings.


> so far in preliminary tests, enabling polling on the network interfaces
> reduces my performance slightly both to/from and through the box.

That's to be expected; the only benefit of polling is to prevent
livelock under extreme load. With only 100 Mb NICs I doubt you could
even get into that scenario with an 800 MHz CPU.


> net.inet.ip.fastforwarding doesn't seem to make much difference either
> way, but I haven't done very thorough testing of it.

I believe that has more impact with routing, and little or none when
firewalling/NATing.

> increasing
> net.inet.tcp.sendbuf_max & recvbuf_max may have helped, but again, not
> sufficiently tested.

I don't think that has any impact on traffic through the system;
rather, that's for traffic initiated by the system, but I'm not
completely sure.
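Since the thread is about what packet and byte rates the box actually forwards, here is a small measurement script, added as an example and not part of the original exchange. It diffs the link-level counters from two `netstat -ib` snapshots taken a known number of seconds apart and reports packets/sec and Mbit/s in each direction for one interface, which is the number to compare against the "100 Mb wire speed" expectation above. The interface name vr0, the two snapshots and every counter value in them are constructed for the example; the column layout follows the FreeBSD 7-era `netstat -ib` header, and columns are located by header name counted from the right so rows without a link address (lo0) and newer versions with an extra Idrop column parse the same way.

```shell
#!/bin/sh
# Added example: estimate forwarding rate from two `netstat -ib` snapshots.
# Interface name, counters and snapshot text below are constructed, not captured.

# Print "Ipkts Ibytes Opkts Obytes" for the <Link#N> row of interface $1,
# reading netstat -ib output on stdin. Column offsets are taken from the
# header line and counted from the right, because the Address field is
# blank for lo0 and some releases insert an Idrop column.
link_counters() {
    awk -v ifn="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) tail[$i] = NF - i; next }
        $1 == ifn && $3 ~ /^<Link#/ {
            print $(NF - tail["Ipkts"]), $(NF - tail["Ibytes"]),
                  $(NF - tail["Opkts"]), $(NF - tail["Obytes"])
            exit
        }'
}

# forwarding_rate IFACE BEFORE_TEXT AFTER_TEXT SECONDS
# Prints "in_pps in_mbit out_pps out_mbit"; returns 1 if the interface
# has no link-level row in either snapshot.
forwarding_rate() {
    ifn=$1 secs=$4
    c0=$(printf '%s\n' "$2" | link_counters "$ifn")
    c1=$(printf '%s\n' "$3" | link_counters "$ifn")
    [ -n "$c0" ] && [ -n "$c1" ] || { echo "no <Link#> row for $ifn" >&2; return 1; }
    set -- $c0 $c1   # ip0 ib0 op0 ob0 ip1 ib1 op1 ob1
    awk -v s="$secs" -v ip0="$1" -v ib0="$2" -v op0="$3" -v ob0="$4" \
        -v ip1="$5" -v ib1="$6" -v op1="$7" -v ob1="$8" 'BEGIN {
        printf "%d %.1f %d %.1f\n",
            (ip1 - ip0) / s, (ib1 - ib0) * 8 / s / 1e6,
            (op1 - op0) / s, (ob1 - ob0) * 8 / s / 1e6
    }'
}

# On a real FreeBSD box: take two live snapshots SECONDS apart (default 10).
measure_live() {
    ifn=$1 secs=${2:-10}
    a=$(netstat -ib); sleep "$secs"; b=$(netstat -ib)
    forwarding_rate "$ifn" "$a" "$b" "$secs"
}

# Constructed snapshots, 10 seconds apart. vr0 receives 80,000 packets /
# 100,000,000 bytes and sends 50,000 packets / 25,000,000 bytes in between.
SNAP_BEFORE='Name  Mtu Network       Address              Ipkts Ierrs     Ibytes    Opkts Oerrs     Obytes  Coll
vr0  1500 <Link#1>      00:0d:b9:12:34:56  1000000     0  500000000   900000     0  450000000     0
vr0  1500 192.168.1.0/24 192.168.1.1         999000     -  499000000   899000     -  449000000     -
lo0 16384 <Link#3>                             1000     0     100000     1000     0     100000     0'
SNAP_AFTER='Name  Mtu Network       Address              Ipkts Ierrs     Ibytes    Opkts Oerrs     Obytes  Coll
vr0  1500 <Link#1>      00:0d:b9:12:34:56  1080000     0  600000000   950000     0  475000000     0
vr0  1500 192.168.1.0/24 192.168.1.1        1079000     -  599000000   949000     -  474000000     -
lo0 16384 <Link#3>                             1000     0     100000     1000     0     100000     0'

# Stand-alone demo on the constructed snapshots: prints "8000 80.0 5000 20.0"
forwarding_rate vr0 "$SNAP_BEFORE" "$SNAP_AFTER" 10
```

Run `measure_live vr0 10` on the firewall while pushing traffic through it (not to it) to see what it really forwards. Byte counters exclude the Ethernet preamble and inter-frame gap, so a saturated 100 Mb link shows somewhat under 100 Mbit/s here, and the packets/sec figure matters more than bytes/sec when judging whether the CPU, rather than the link, is the limit.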


More information about the freebsd-pf mailing list