pf or what else for multi-core process

S

seyit

Hi,

I'm new in FreeBSD. I want to set up a firewall. But it must be multi-core process. I have 12 core CPU in my box. I want to bind all 12 cores for this firewall. Anyone knows which firewall supports multi-core processes? I don't want to set up a firewall that uses only 1 core.

Thanks.
 
You can do that with PF. However, that would be a big waste of CPU power unless you plan on terminating a few thousand IPSEC VPN connections there.
 
^^ whs.

Just FYI, even hardware firewalls like the Cisco ASA are only using a single, celeron core in the lower end models (e.g., my ASA 5510)

Code: 
Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Unless you're routing a LOT of traffic, using 12 cores is going to be massive overkill.
 
I need to set up multi-core process for a FreeBSD firewall. Which one has multi-core support, does anybody know it? It's massive overkill or not.. the problem is which one has multi-core support?

Thanks anyway.
 
As far as I know, PF is a strictly single-threaded.
So I would recommend you ipfw.

For example, I have 4-cores Xeon server what does large-grade (Bi-)NAT with pf, traffic collectors with ng_netflow and shaping with dummynet at ~2000 customers (~800 Mbit/sec and 100Mpps at rush hours). It works excellent and the most CPU load is NICs (interrupts handling of each nic's queue):

# top -aSCHIP
Code: 
last pid: 56695;  load averages:  0.09,  0.08,  0.02                                                                 up 29+22:31:12  15:59:47
151 processes: 6 running, 104 sleeping, 1 zombie, 40 waiting
CPU 0:  0.0% user,  0.0% nice,  0.0% system, 21.1% interrupt, 78.9% idle
CPU 1:  0.0% user,  0.0% nice, 21.1% system, 10.5% interrupt, 68.4% idle
CPU 2:  0.0% user,  0.0% nice,  0.0% system, 31.6% interrupt, 68.4% idle
CPU 3:  0.0% user,  0.0% nice,  0.0% system, 26.3% interrupt, 73.7% idle
Mem: 50M Active, 3270M Inact, 1173M Wired, 864K Cache, 827M Buf, 3408M Free
Swap: 1024M Total, 1024M Free

  PID USERNAME      PRI NICE   SIZE    RES STATE   C   TIME    CPU COMMAND
   10 root          171 ki31     0K    64K RUN     0 446.3H 85.69% {idle: cpu0}
   10 root          171 ki31     0K    64K RUN     3 501.5H 83.79% {idle: cpu3}
   10 root          171 ki31     0K    64K CPU1    1 501.4H 82.86% {idle: cpu1}
   10 root          171 ki31     0K    64K CPU2    2 487.4H 79.88% {idle: cpu2}
   11 root          -68    -     0K   656K WAIT    2  74.8H 13.77% {irq258: igb0:que}
   11 root          -68    -     0K   656K WAIT    3  72.5H 11.57% {irq259: igb0:que}
   11 root          -68    -     0K   656K WAIT    0  66.9H 10.60% {irq264: igb1:que}
   11 root          -68    -     0K   656K WAIT    2  65.3H 10.50% {irq262: igb1:que}
   11 root          -68    -     0K   656K CPU3    3  66.5H  9.96% {irq263: igb1:que}
   11 root          -68    -     0K   656K WAIT    1  67.6H  9.08% {irq261: igb1:que}
   11 root          -68    -     0K   656K WAIT    0  72.3H  8.25% {irq256: igb0:que}
   11 root          -68    -     0K   656K WAIT    1  72.1H  7.67% {irq257: igb0:que}
    0 root          -68    0     0K   400K -       1  63.1H  4.59% {igb1 que}
   11 root          -32    -     0K   656K WAIT    3 394:53  0.29% {swi4: clock}
    0 root          -68    0     0K   400K -       2  79.8H  0.10% {igb1 que}
    7 root           44    -     0K    16K pftm    0 380:15  0.10% [pfpurge]

Moreover, if you REALLY wants "high-load" firewalls, take a look on DIFFUSE project.
 
You must log in or register to reply here.
Back
Top