Filtering Performance

[selfish]

Hi all, I am putting together my first transparent bridge firewall after years of building gateways. Everything is working but I have a question.

When I was building out the ruleset I couldn't get traffic to pass until I put this in:

 set skip on bridge0

I started wondering if it would be easier to filter on the bridge interface and only have one decision point for the rules. I know normally we put the filter closest to the originating host. Is there a performance gain by using the physical interface instead of the bridge, or is it just a logical separation thing?

Thoughts?

Thanks for looking.

 

[strldd]

Do you have ip address assigned to your nics
post your

ifconfig

and your pf.conf

 

[RusDyr]

I was filtering and shaping ~500Mbit/sec on the bridge (Core2Duo), with ipfw() and dummynet(). In theory, it should works faster than L3 filter (like routers), and it really was, from my experience. But for me buying a more powerful server is more simple that trying to get even 10% of performance increasing the old one.

 

[selfish]

Yeah, this was mostly an exercise of my curiosity. I can't be bothered enough to set up test gear to find out which one is better.

 

[SirDice]

I just read one of the status reports and there's some work being done to make pf(4) more SMP friendly. Not really relevant to your question but it should improve PF's performance on SMP systems. It's in -CURRENT now but I'm hoping it will get merged to 9.x some time soon.

http://www.freebsd.org/news/status/report-2012-10-2012-12.html#SMP-Friendly-pf(4)