[nzlug] Network speed
Matthew Poole
matt at p00le.net
Mon Aug 6 18:35:36 NZST 2007
On Mon, 6 Aug 2007, Nick 'Zaf' Clifford wrote:
> As for how fast BSD is as a NAT'ing firewall, you'd probably have to
> talk to BSD people about that if it is a limiting factor.
Not sure if it holds for NAT (since the connection table is a bit more
complex than for simple stateful firewalling), but OpenBSD's pf should be
able to run at nearly wire-rate with GigE, provided the box isn't
CPU-bound with regard to rule processing. If you've got a complex set of
rules, and the box doesn't have the CPU juice to match quickly (pf is a
last-match firewall, unless you've got "quick" on a rule) or lacks the RAM
to maintain state tables completely in physical memory, then you'll be
seeing reduced performance.
Being aware that "Building Firewalls with OpenBSD and pf" reckons that a
fairly early Pentium II should be able to handle a 100Mb/s link, anything
even vaguely resembling a modern CPU shouldn't have processor power
issues with GigE.
> That said, with the hardware you've specified, with PCI-E NICs, BSD
> should not be putting a significant reduction in the speed.
>
If any reduction at all. pf is pretty efficient, due to its table-based
design for rule construction and state maintenance.
> Then put the BSD firewall in there.
>
And rule out pf as the culprit by running "pfctl -d". That'll turn it into
a simple router, one which should be easily capable of saturating the link
provided the cards are up to it, and eliminate or confirm pf as the source
of performance issues with that segment.
--
Matthew Poole
"Don't use force. Get a bigger hammer."
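Added example, not from the post or from pf itself: a small Python model of the last-match-wins and "quick" semantics Matthew describes, run over constructed rulesets and packets to show how rule order changes the verdict and how "quick" cuts the number of rules walked per packet.

```python
"""Model of pf's last-match-wins rule evaluation and the 'quick' short-circuit.

Constructed simulation for illustration (not pf's own code): it walks a ruleset
the way pf does, so the effect of rule order and 'quick' on the verdict and on
the number of rules examined per packet can be seen on sample packets.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # None matches any protocol
    dst_port: Optional[int] = None
    quick: bool = False          # 'quick' ends evaluation on a match

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto) and
            (rule.dst_port is None or rule.dst_port == pkt.dst_port))

def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (verdict, rules_examined): pf walks the whole ruleset and the
    LAST matching rule wins; a matching 'quick' rule stops the walk at once.
    A packet matching no rule is passed (pf's default)."""
    verdict, examined = "pass", 0
    for rule in rules:
        examined += 1
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict, examined

# Constructed rulesets. PITFALL reads like "pass list, then default deny", but
# under last-match semantics the trailing block wins for every packet.
PITFALL = [Rule("pass", "tcp", 22), Rule("pass", "tcp", 80), Rule("block")]
# Same intent written correctly: default block first, specific passes after.
DENY_FIRST = [Rule("block"), Rule("pass", "tcp", 22), Rule("pass", "tcp", 80)]
# 'quick' on the passes gives the same verdicts with fewer rules walked.
QUICK = [Rule("pass", "tcp", 22, quick=True), Rule("pass", "tcp", 80, quick=True), Rule("block")]
SSH, DNS = Packet("tcp", 22), Packet("udp", 53)  # constructed sample packets
```

Calling evaluate(PITFALL, SSH) returns ("block", 3) while evaluate(QUICK, SSH) returns ("pass", 1); the second number is the per-packet rule-walk cost that grows with ruleset size when nothing is marked quick.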