[geeks] Routing problem: solution in progress

Phil Stracchino phil.stracchino at speakeasy.net
Tue Dec 26 06:15:12 CST 2006


Michael-John Turner wrote:
> On Sat, Dec 23, 2006 at 10:52:42AM -0500, Charles Shannon Hendrix wrote:
>> Of course, I have no complex firewall rules yet, and right now ipfilter
>> setup is minimal, and I'm not running a snooper yet.
> 
> You should take a look at pf - I switched from IPFilter to pf a few years
> back and I'm very happy. NetBSD 3.1 supports it, but not in the GENERIC
> kernel - you'll either need to load the lkm or build a custom kernel with
> pf support.

pf was, in fact, one of the two reasons I specifically selected
OpenBSD[1] for my firewall (along with OpenBSD's security record).  I'm
not running a snooper either though.

>> I've read that you generally want 200MHz of USII CPU power per interface
>> pair on Sun systems, but that might be assuming a certain level of
>> packet processing.
> 
> Yep, I've heard something similar. And I think 500MHz of US-II for each
> GigE interface.

yama, with three active 10/100 interfaces (plus the onboard hme unused),
seems to run just fine on a USII-333.

> Thanks. I think the biggest concern for me is LAN routing performance -
> whether the U1 will be able to achieve close to wire speed with 100Mbps
> interfaces. What's the max rate you've been able to achieve on the LAN
> interfaces?

Well, really, the only traffic that goes through the router is to and
from my DSL link, so it's 1.5Mbit max anyway.  (Plus of course Bacula
backup traffic directly *from* the router, which generally peaks - from
yama - at about 2Mbyte/second sustained throughput).  The gating factor
on LAN traffic is my switch and the 10/100 NICs on everything but vorlon
(which has dual gigabit interfaces) and the Macs; in past testing, I can
sustain about 97-98Mbit/second between minbar's 12-way striped array
and, say, babylon5 across my Netgear FS516 switch.

> I sometimes think it may be better to just put my (currently unused) U5/360
> into use as a firewall/router - it has PCI, which will make it easier to
> add GigE support when I upgrade my LAN. The only problem is that I have no
> quad FastE PCI cards, whereas I have a plethora of quad hme SBus cards
> lying unused. Argh, choices, choices.

I don't have any quads, to my knowledge, but I think I may still have a
couple more dual EEPro100s lying around.


-- 
 Same geek, same site, new location
 Phil Stracchino                     Landline: 603-429-0220
 phil.stracchino at speakeasy.net         Mobile: 603-216-7037
 Renaissance Man, Unix generalist, Perl hacker, Free Stater