IPFW + BRIDGE: network capacity question

Christopher Schulte schulte+freebsd at nospam.schulte.org
Thu Oct 23 09:26:24 PDT 2003


Hello everyone.  I have an Intel D815EGEW board with a single PIII 1GHZ,
256MEG RAM, 2 Intel Pro 100MB cards.  This will be used as an IPFW+bridging
firewall with FreeBSD 4.8 (RELENG_4_8, perhaps RELENG_4_9 when available).
My message is about network capacity.

Assume that it will be processing at peak all of this at once:
	500 TCP connections with long lived sessions (an hour or more at a time)
	500 UDP 'connections'
	500 web (HTTP port 80 tcp) connections per second (graphics, small html pages)
		The HTTP sessions will be short lived, so lots of TCP handshakes
		at *least* a good portion will not utilize persistent HTTP

The total bandwidth could be 20-50 megabits, mostly outbound to clients on
the internet.

Should I tweak the kernel at all for this? NMBCLUSTERS or NMBUFS?  Something
else?

For IPFW, I figure that adding accept rules that catch most of the packets
up front will help lower CPU usage.  Is this correct?  Maybe allow TCP if
the session is established, allow setup of outbound TCP, allow setup of
incoming TCP/80, allow outbound UDP packets to be happy, etc.

Does anyone see any possible issues with this configuration and the expected
network load?

Thank you, folks!  Any suggestions are very appreciated.
