[geeks] Routing problem: solution in progress

Charles Shannon Hendrix shannon at widomaker.com
Sat Dec 23 09:52:42 CST 2006


Sat, 23 Dec 2006 @ 14:57 +0200, Michael-John Turner said:

> On Fri, Dec 22, 2006 at 12:26:17PM -0500, Charles Shannon Hendrix wrote:
> > I think I've found a solution for my routing situation.
> 
> Great :) 

It would have been greater if I'd not made such a basic mistake: I
forgot to tell the other LAN where my LAN was.  It had no gateway back
to me, and that's why I couldn't make things work.

Just once, when I screw up, I'd like for it to be something major
that really is difficult to avoid, rather than something simple and
blindingly obvious... :)

> How do you find the performance of the Ultra 1? 

I'm pretty happy with it so far.

So far I don't have much for firewall rules, because the NAT box I'm
using is a firewall.

Routing at least, seems to have little impact on the machine.

Both interfaces are 100baseT happy meals, one built-in one X1059A sbus
card.

The machine runs NetBSD 3.1 sparc64 and has 640MB of RAM.

Once I had everything configured, I tested the configuration with a set
of ftp downloads, interactive sessions, and peer-to-peer programs.

The traffic:

	- several ssh sessions to remote hosts
	- gtk-gnutella peer-to-peer, which by itself does thousands of
	  network connections per hour, and keeps 40-50 of them open
	  and active at any one time.
	- a large ftp transfer at 500K/sec average
	- an internal rsnapshot backup job at around 500K/sec average
	- a bittorrent download of Jericho 11

All of the transfers worked. Redirection rules for the peer-to-peer
appeared to function perfectly and were easy to set up. The reason I
still need redirection even with the other LAN having a NAT box is that
the other LAN has rules to hit my Ultra 1's hme1 interface for p2p
programs. I set it up like that to see if double-NATting worked, and
apparently it does, and quite transparently.

Not a big deal, I'd just never done it before. 

I never noticed any serious delays in ssh session interactive response.
Obviously there was some with that many packets going in and out, but
never enough that I couldn't type and edit, etc.

I monitored the LANs with "trafshow" on NetBSD, and both interfaces
reported about 5MB/sec constant transfer. Each interface had around
100-140 flows fairly constantly.

I don't know if I maxed out the Ultra 1, or if that was all the traffic
that I could generate with the various programs.

CPU usage was quite low. In fact, most of it seemed to be the other
tasks on the box like mail, news, and DNS, not the routing. When the
server processes were idle, CPU usage for just the routing never seemed
to hit more than a few percent.

Of course, I have no complex firewall rules yet, and right now ipfilter
setup is minimal, and I'm not running a snooper yet.

If I notice any particular problems, I'll post them here.

I've read that you generally want 200MHz of USII CPU power per interface
pair on Sun systems, but that might be assuming a certain level of
packet processing.

> I'm considering
> replacing my current firewall/router (a Dell PPro) with an U1 (primarily
> because I have several of them, along with a number of qfes, lying unused),
> so I'm curious to know what kind of speeds you see, particularly for LAN
> traffic.

If you can think of something for me to try, let me know.  I don't mind
running a test for you if you think it would help.

For example, if you can think of a packet filtering load to try while
doing various transfers between hme0 and hme1, let me know.

It's going to take me awhile to get my firewall rules written, and it's
not a priority since I'm already behind one anyway.

The other firewall rules I have are for protecting my ppp0 link, and
it's never a load.

-- 
shannon "AT" widomaker.com -- ["The determined programmer can write a
FORTRAN program in any language." ]
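As an added illustration of the two things this message describes, the redirection rules on the Ultra 1's hme1 and the return route the other LAN was missing, here is a configuration fragment. It is not from the original post or its author: the addresses, the inner peer-to-peer host, the gnutella port and the other gateway's operating system are all assumed; only the interfaces hme0 and hme1, NetBSD and ipfilter/ipnat come from the post.

```conf
# Added example, not configuration from the original post. Addresses, the
# inner host and the gnutella port are assumed; hme0 (inner LAN) and hme1
# (toward the other LAN's NAT box) are the interfaces named in the post.
#
# Ultra 1: hme0 = 10.0.1.1 on the inner LAN 10.0.1.0/24
#          hme1 = 10.0.0.2 on the other LAN 10.0.0.0/24 (its NAT box is 10.0.0.1)
# The Ultra 1 routes between the two LANs (net.inet.ip.forwarding=1, and
# ipfilter=YES ipnat=YES in /etc/rc.conf); it does not hide the inner LAN.
#
# --- /etc/ipnat.conf on the Ultra 1 (reload with: ipnat -CF -f /etc/ipnat.conf)

# Inbound gnutella (port 6346 assumed) that the other LAN's NAT box has
# already forwarded to hme1 is redirected again to the peer-to-peer host on
# the inner LAN. That second rewrite is the "double NAT" on the inbound path;
# ipnat tracks the session, so the replies are un-rewritten on the way out.
rdr hme1 0.0.0.0/0 port 6346 -> 10.0.1.20 port 6346 tcp/udp

# --- The part that was missing: a route back.
# Plain routed traffic from 10.0.1.x reaches the other LAN fine, but the
# replies go to that LAN's default gateway, which knows nothing about
# 10.0.1.0/24, unless its NAT box is told the inner LAN lives behind 10.0.0.2.
# On a BSD gateway:
#     route add -net 10.0.1.0/24 10.0.0.2
# On a Linux gateway:
#     ip route add 10.0.1.0/24 via 10.0.0.2
#
# Check on the NAT box with "netstat -rn" (or "ip route") that 10.0.1.0/24
# now points at 10.0.0.2, and on the Ultra 1 that "ipnat -l" shows the rdr
# rule and its active sessions.
```

The rdr rule alone does not expose the missing route, because the other LAN only ever sees hme1's address on that path; it is the ordinary routed traffic between the two LANs that fails silently when the return route is absent, and a stateful filter on the Ultra 1 will also drop the half of a connection it never saw going out if replies come back by some other path.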


