[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipnet/ipf performance

To: Barclay Osborn <bosborn@cyberpass.net>
Subject: Re: ipnet/ipf performance
From: Bob Beck <beck@bofh.ucs.ualberta.ca>
Date: Thu, 23 Sep 1999 08:22:47 -0600
Cc: misc@openbsd.org


>Does anyone have experience with the performance degradation induced by
>ipnat and ipf?  I'm looking at installing a firewall that'll be doing basic
>ipnat (2-6 rules) and a reasonable amount of ipf (30-40 rules) with a peak
>of 10Mb/s, ~8Mb/s sustained.  What sort of [x86] hardware would this
>require?  What about 9 Mb/s peak, 6Mb/s sustained?  Any help/hardware
>recommendations is greatly appreciated.

   Techically, yes. 
   
   practically, No, 

   I run a firewall with several VPN nodes connected via 100MB full
duplex net. I see little practical performance degredation with much
more complex filter rules than yours for unencrypted traffic. It also
runs IPSEC with several peers and I get 15-20 Mb/s through the
encrypted tunnel. Hardware (at each end of the tunnel) is Pentium II
400, Intel 10/100 Pro (fxp) ethernet cards.  You shouldn't need too
much jam to sustain 10mb/s unencrypted and just filtering.

	    -Bob

References:
- ipnet/ipf performance
  - From: Barclay Osborn <bosborn@cyberpass.net>

Prev by Date: Re: MySQL Startup
Next by Date: HOWTOs vs. manpages: SHUT UP!
Prev by thread: ipnet/ipf performance
Next by thread: in defence of man pages
Index(es):
- Date
- Thread