10Gb/s packet inspection?

Hi Y'all,

We are playing with the idea of using a server we have for firewalling a network that, well, needs firewalling. ;) We plan on using pfSense, based on the FreeBSD 7.2 RELEASE distro. Our server is a Sun (Oracle) server with 16 2.4 GHz Nehalem cores and 24 GB RAM. BSD runs fine on it. My question is, when the kernel (or whatever) is inspecting packets in a firewall situation and forwarding them on, how fast can it go? We plan on getting a Myrinet 10G NIC card, which can forward packets very fast (via offloading, etc.), as demonstrated by the FreeBSD benchmarking at the bottom of this page:

http://www.myri.com/scs/performance/Myri10GE/

So, with eight 3 GHz Nehalem cores they got about 9.2 Gb/s and only ~10% CPU utilization (with 1500-byte frames). So my question is: Would it still be as fast if the server were not only 'forwarding' the packets but also 'inspecting and filtering' the packets in a firewall situation? Would the 16 cores on my server each rise to the task, or is the 'filtering' mechanism not very multi-threaded, such that it doesn't matter how many CPU cores you have?

We hope to shove 5+ Gb/s through such a firewall. Just wondering if I am completely nuts on this... ;)

Any insight welcome! I asked on the pfSense forums, but they suggested I ask here as well, as it is more of a FreeBSD core question rather than just a 'pfSense software' question.
 
You're completely nuts to be putting 16 cores into a firewall box. :)

Most of the code pathways in PF and IPFW are serialised, so you won't be able to use more than a couple CPU cores in a packet filtering firewall.

And you really don't need 24 GB of RAM in a firewall box. Our gigabit fibre routers only have 2 GB, and they rarely use more than 512 MB of RAM.

Find the fastest dual-core CPU you can. Give it 2-4 GB of the fastest RAM it can handle. And give it PCIe NICs with as much offloading capability as you can.

And be sure to use the latest version of FreeBSD, as network throughput, packet filtering, and forwarding have greatly improved in 8.x over 7.x. Plus, you get the latest drivers for the fastest NICs.
 
Ah, OK. Good to know. So it appears that the Myrinet 10G NIC does a ton of offloading, and it seems FreeBSD comes with the drivers for it, so I think that card is solid for this setup. So, I just did a quick search on Dell's website and found this server:

Dell R710
One Quad-core Intel Xeon x5570 2.93GHz, 8M cache, Turbo, HT
12GB 1333MHz Dual Ranked RDIMM memory

I'm not asking for anyone to verify the server as 'the correct one' to use, but just from looking at the specs, and presuming it will work with FreeBSD OK, would that possibly get me into the multi-gigabit filtering arena?
 
Well, I think phoenix is right from what I've seen. 2 GB is more than enough for a firewall. A Core 2 Duo or Core 2 Quad should also be fine (a Xeon processor would probably be a waste of resources).

The server you posted seems to be overkill for a firewall, so I'd recommend buying a cheaper server. Look around and see if you have any spare computers and try them out. They might be up to the job, and it could save you some money.
 
Yeah, don't go overboard on those specs. I have a bridge with a dual fiber NIC, running about 150 Mbit/s both ways (so ~300 Mbit/s total), and keeping up with 25,000+ states. Moreover, there are separate rulesets for both interfaces, and there's some stuff (authentication, user session tracking and reporting) running on the bridge as well. It's a Core2Duo with 2 GB on a 'higher-end' HP desktop PC, and it's idle (combined load < 0.1) most of the time.
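The posts above talk about a filtering bridge with separate rulesets per interface and a state table of 25,000+ entries, but none of them show what that looks like in pf. The following pf.conf is an added example (not from any poster, and not pfSense's generated configuration) illustrating the two knobs that matter for the sizing question in this thread: the state-table limit and per-interface rules on a bridge. The interface names em0/em1, the 10.0.0.0/24 network, and the ports are assumptions for the sake of illustration; adjust them to the real topology.

```pf
# Added example: a filtering bridge (em0 = outside, em1 = inside, both
# members of bridge0). Interface names and addresses are assumed.
ext_if = "em0"
int_if = "em1"
inside_net = "10.0.0.0/24"
web_servers = "{ 10.0.0.10, 10.0.0.11 }"

# State-table sizing. pf's default limit is 10000 states; a box that is
# expected to hold 25,000+ states (as in the bridge described above) needs
# the limit raised or new connections will be dropped once it is hit.
# Each state is small, so 2 GB of RAM is nowhere near a constraint here.
set limit states 100000
set limit src-nodes 20000

# Shorter TCP timeouts keep the table from filling with idle connections.
set timeout { tcp.established 7200, tcp.closing 60 }

# Don't filter the loopback or the bridge pseudo-interface itself; the
# rulesets below are attached to the member interfaces.
set skip on { lo0, bridge0 }

# Default deny, logged, so the rulesets below are explicit per interface.
block in log all

# Outside-facing ruleset: only the published services reach the inside.
pass in quick on $ext_if inet proto tcp to $web_servers port { 80, 443 } \
    flags S/SA keep state
pass in quick on $ext_if inet proto icmp icmp-type echoreq keep state

# Inside-facing ruleset: let the inside network initiate anything outbound.
pass in quick on $int_if inet from $inside_net to any keep state

# Replies to stateful sessions are allowed out on either interface.
pass out on { $ext_if, $int_if } keep state
```

For pf to see traffic on the member interfaces at all, the bridge must pass packets to the filter for its members (`sysctl net.link.bridge.pfil_member=1`, which is the FreeBSD default), and with `pfil_bridge=0` each packet is inspected once per member rather than again on bridge0. After loading the ruleset with `pfctl -f /etc/pf.conf`, `pfctl -si` shows the current state count and `pfctl -sm` shows the configured limits, which is the quickest way to check whether a deployment is approaching the ceiling set above.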
 