pf and SMP and busy wires
max at love2party.net
Wed Mar 26 09:54:34 PDT 2008
On Wednesday 26 March 2008 17:02:03 Nejc Škoberne wrote:
> I like pf very much and I was planning to use it as a "central"
> firewall at one of the customers like this:
> subnet_1 ---------- PF_firewall --------------- subnet_2
> However, since these are subnets with many computers, these would be
> gigabit connections. But, I am afraid that this machine would not be
> able to process data with gigabit speeds. So my questions are:
> 1. Are there any real-life performance evaluations with PF as
> firewall(s) (doing also NAT if possible)?
Yes there are, but I don't have a concrete example at hand. NAT isn't all
that expensive with pf. In general you can hope for up to 750kpps
forwarding performance. Whether that's enough in your situation depends on
the kind of traffic you are looking at.
> 2. How efficiently does PF use SMP (FreeBSD 7.0)?
Not at all. I have plans to change that, though:
N.B. this is a long shot and something for the 8.0 time frame.
> 3. How much would I profit if I had a server with two Dual-Core Intel
> processors? This means 4 cores, right? I guess this should be able to
> process data with gigabit speed in the situation above?
While pf is a serialization point, the rest of the processing
(ether_input -> ip_input -> forward -> ip_output -> ether_output) and the
internet servicing can run in parallel. If you just do forwarding, the
natural limit for parallelization is the number of interfaces; although
you won't likely achieve that kind of parallelism, more cores certainly
help. If you add other processing - e.g. VPN endpoints - it's even
better to have "spare" cores.
> 4. How would PF scale if there were 5 or more such subnets instead of 3
> (with gigabit speeds)?
The limiting factor for any firewall/packet forwarder is packets per
second, not throughput (so much). pf on FreeBSD currently provides
~750kpps (1M has been reported with careful tuning). This is roughly
1Gbps with 1500 Byte packets.
> 5. Are there any PF vs Cisco|Juniper|3Com layer3 switches comparisons?
Not that I'm aware of, but pf on commodity hardware will always have an
edge in the cost/performance column. You have to pay quite a bit to
obtain a hardware solution that can really *firewall* 750kpps and this
will usually fall short of pf in terms of additional features.
Note for example, the possibility to build a redundant firewall with ARP
load balancing using CARP and pfsync.
> 6. What role do the network cards play when looking at performance?
> Are there network cards which do more work by themselves to let the CPU
> do other things?
YES! Buying good network cards is essential! The general consensus seems
to be to stick with Intel server cards. In any case stay away from the
low-end on-board stuff. The bus interface is also very important! The
plain old PCI bus has a limit of ~1Gbps itself, so go for PCI-X or better
yet PCIe. Buy a motherboard that offers more than one bus.
In the end it very much depends on your traffic patterns and security
whether pf is the right choice for you. If you should really have steady
1Gbps streams between your subnets, it very likely is not. But then again,
there are very few alternatives to choose from. If you are only looking
at sporadic inter-subnet communication and reliable, secure internet
access for all of them (where usually the uplink is the limiting
factor) - then FreeBSD and pf can certainly provide what you need.
--
Best regards,
Max Laier | mlaier at freebsd.org | ICQ #67774661 | mlaier at EFnet
http://pf4freebsd.love2party.net/
ASCII Ribbon Campaign | Against HTML Mail and News