Replacing Cisco etc. routers with BSD

I read that OpenBSD and I am sure FreeBSD (and Linux, OpenSolaris..)
can replace Cisco routers by configuring a machine with trunked NICs or just fast NICs.

How feasible is this? For production?
I read that software defined networking is getting bigger with OpenStack etc. but something deep in me senses that this is just stuff from good free Unix OSes.

Where would one go to learn about networking (I am a Linux vet but never gained ninja status in networking) and where would one learn about using FreeBSD as a hardcore replacement for production Cisco routers? With redundancy, ability to remote in if trouble... and all the pro needed things?

I see:
https://github.com/ocochard/BSDRP (since https://bsdrp.net won't connect!)
https://www.pfsense.org/


Some YouTube I watched said real routers are better, some say nope, do it with FreeBSD.

Also I know the forum hates this but how slick is OpenBSD at this? I am in no way trying to start a holy war but wonder if it is more specialized toward this task.... where FreeBSD obviously seems to win in disk performance and scheduler performance....
 
Also I know the forum hates this but how slick is OpenBSD at this
We do not "hate" here. At the most some of us start disliking, from systemd on to the Redmonds.
Be assured the BSDs profit from each other and even with the "Linuxes" there is some common work. We respect each other in the professional way.
 
I read that OpenBSD and I am sure FreeBSD (and Linux, OpenSolaris..)
can replace Cisco routers by configuring a machine with trunked NICs or just fast NICs.
In three words: no and yes. For the explanation read this wonderful post by Jim Thompson of pfSense fame.

https://www.reddit.com/r/networking/comments/6upchy/can_a_bsd_system_replicate_the_performance_of/

What Jim fails to mention is that Junos, Juniper Networks' OS, is essentially highly customised FreeBSD 4.xxx.

I am not sure what you mean by "forum hates this". I am primarily an OpenBSD user. Free and Open are vastly different OSs sharing common ancestry. The projects have very different goals and the groups have very different chemistry. OpenBSD is a research network OS focussed on security and correctness.
 
I should have said "Some forums dislike comparisons to other OSes", not hate.... sorry about that, I didn't mean to say anyone hates something irrationally.
 
So to get back... wow, that Reddit thread had too many undefined terms..... it seems a BSD can handle routing duties as well as firewall and DNS etc. etc. for my startup company! Anyone doing this? Share experiences?
 
I read that OpenBSD and I am sure FreeBSD (and Linux, OpenSolaris..)
can replace Cisco routers by configuring a machine with trunked NICs or just fast NICs.

How feasible is this? For production?
Just because you can, doesn't mean you should.
 
What Jim fails to mention is that Junos, Juniper Networks' OS, is essentially highly customised FreeBSD 4.xxx.
But still the core statement of his posting is also true for Juniper devices: A LOT of the heavy lifting is done in silicon to provide switching and routing at line speeds.

With modern hardware, one might achieve line-speed switching/routing for a few GBit interfaces, but even with relatively common 10GBit networks this starts to become a challenge. It could be done, but it's quite some work and you have to throw some decent hardware at this problem; so a proper switch is mostly the cheaper (and still faster) option.

I use FreeBSD routers, gateways and firewalls everywhere in our infrastructure (and at home), but where I really need maximum throughput or resiliency, I delegate the routing to our Cisco Catalyst switches. E.g. from the management or the backup VLAN to the DMZ, so I can *always* access servers in the DMZ even if the router dies, and to not make the router a single point of failure or a bottleneck when backups are collected from the servers in the DMZ at night.

Bridging together some NICs to act as a switch is very common - all of those cheap plastic home routers do this just because it is cheaper than a real switch. So it is "working" and well tested. But no one in their right mind would ever put one of these things in a production network, because these toys are horribly slow and choke easily on a fraction of the pps (packets per second) even a cheap "dumb" switch could easily manage.
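For anyone who wants to see what the "router, gateway and firewall on FreeBSD" setup from the post above looks like in configuration form, here is an added example. It is not from any poster in this thread; it is a sketch of the pieces the original question asks for (trunked NICs, a redundancy mechanism, and remote access only from a management network), using rc.conf and pf.conf syntax. Interface names (igb0/igb1), VLAN ids, addresses and the admin hosts are assumptions, and the CARP password is a placeholder. The script only prints the two files so they can be reviewed before anything is copied into /etc.

```shell
#!/bin/sh
# Added example (not from the thread): FreeBSD router/firewall configuration sketch.
# Assumed names: igb0/igb1 (uplink NICs), VLAN 10 = management, VLAN 20 = DMZ.
# Nothing is installed; the functions print the files for review.

rc_conf_router() {
cat <<'EOF'
# --- /etc/rc.conf fragment (assumed layout) ---
gateway_enable="YES"                 # IPv4 forwarding between interfaces
# Two NICs trunked with LACP into one logical uplink
cloned_interfaces="lagg0"
ifconfig_igb0="up"
ifconfig_igb1="up"
ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up"
# Management and DMZ networks as 802.1Q VLANs on top of the trunk
vlans_lagg0="10 20"
ifconfig_lagg0_10="inet 10.10.0.2/24"
ifconfig_lagg0_20="inet 10.20.0.2/24"
# Shared CARP address per VLAN: a second router with the same vhid
# takes the address over if this box dies (password is a placeholder)
ifconfig_lagg0_10_alias0="inet vhid 10 pass CHANGE_ME alias 10.10.0.1/32"
ifconfig_lagg0_20_alias0="inet vhid 20 pass CHANGE_ME alias 10.20.0.1/32"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"                   # keep a log of blocked traffic
sshd_enable="YES"
EOF
}

pf_conf_router() {
cat <<'EOF'
# --- /etc/pf.conf (assumed layout) ---
mgmt_if  = "lagg0.10"
dmz_if   = "lagg0.20"
mgmt_net = "10.10.0.0/24"
dmz_net  = "10.20.0.0/24"
admins   = "{ 10.10.0.50, 10.10.0.51 }"

set skip on lo0
scrub in all
# Default deny, logged: only the paths listed below exist
block in log all
pass out quick keep state
# CARP advertisements between the two routers must get in or failover breaks
pass in quick on { $mgmt_if $dmz_if } proto carp
# Admins may ssh to the router itself, only from the management VLAN
pass in quick on $mgmt_if proto tcp from $admins to ($mgmt_if) port ssh
# Management VLAN reaches the DMZ; the DMZ may only answer, never initiate
pass in on $mgmt_if from $mgmt_net to $dmz_net keep state
EOF
}

# Reviewer's sanity check before installing: the ruleset must be default-deny
# and ssh to the router must not be opened on the DMZ side. Returns 0 when both hold.
check_ruleset() {
  pf_conf_router | grep -q '^block in log all' || return 1
  pf_conf_router | grep 'port ssh' | grep -q 'dmz_if' && return 1
  return 0
}

rc_conf_router
echo
pf_conf_router
check_ruleset && echo "# ruleset sanity check: ok"
```

Routing between the management VLAN and the DMZ goes through this box, which is exactly the single point of failure the post above avoids by letting the switch do that hop; the CARP pair is the software-only alternative when a routing switch is not available.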
 
Bridging together some NICs to act as a switch is very common - all of those cheap plastic home routers do this just because it is cheaper than a real switch. So it is "working" and well tested. But no one in their right mind would ever put one of these things in a production network, because these toys are horribly slow and choke easily on a fraction of the pps (packets per second) even a cheap "dumb" switch could easily manage.
What a lot of people don't seem to realize is that proper hardware switches have a backplane that's capable of pushing multiples of the max. speed of a single port. For a 1Gbps switch the backplane is usually capable of pushing 40Gbps or more. Those cheap (SOHO) switches are typically barely capable of pushing 1Gbps on their backplane. That's what makes them slow. It's fine if you have two machines talking to each other but as soon as more ports are used the backplane simply won't be able to sustain all of them at 1Gbps concurrently.
 
But still the core statement of his posting is also true for Juniper devices: A LOT of the heavy lifting is done in silicon to provide switching and routing at line speeds.

I couldn't agree more. My point was that there is nothing magical about Cisco OS. It is the silicon that makes all the difference. I would dare to say that for sustained speeds of 1 Gigabit/s OpenBSD is OK, FreeBSD perhaps up to 10 Gigabit/s. Anything beyond that you are looking at Cisco or Juniper equipment. Buyer beware.
 
There are plenty of blog posts and mailing list threads that show people using FreeBSD to route 10 Gbps and 40 Gbps of traffic through a single box. Mostly using netmap with lots of tuning to the kernel, drivers, network stack, etc. Throughput drops a lot once you add packet filtering into the mix, but I believe it's still doable at 1 Gbps speeds for sure, if not faster.

Netflix is now pushing just shy of 100 Gbps of TCP traffic through their FreeBSD OpenConnect CDN servers. Required some kernel tuning, network stack tuning, driver tuning, etc, but they've shown it's doable. Granted, this doesn't involve routing or packet filtering, but it's still impressive to see what can be done with FreeBSD and the right hardware. :)

Edit: granted, the above is using "large packets" to get better throughput using fewer resources, and won't be showing "line-rate" PPS results. But, it's still impressive to see that much data flowing through a single box. :D
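The two numbers this thread keeps circling, packets per second at line rate and switch fabric ("backplane") capacity, are easy to compute and worth computing before buying hardware. The following is an added example, not from any poster here: it turns link speed and frame size into the pps a router has to sustain, converts that into a per-packet CPU cycle budget, and checks a switch's fabric figure against the non-blocking requirement. The Ethernet overheads are the standard ones (8-byte preamble/SFD, 12-byte inter-frame gap); the link speeds, CPU clock, port counts and the 1 Gbps versus 40 Gbps fabric figures used as inputs are assumptions taken from the discussion above.

```python
"""Line-rate budget calculator (added example, not from the thread).

Shows why "large packets" give impressive Gbps figures while small packets
at line rate are what actually hurt a software router, and why a cheap
switch with a small fabric falls over as soon as several ports are busy.
"""
from typing import Dict, List

# Bytes on the wire per frame that are not part of the frame itself
PREAMBLE_SFD = 8   # preamble + start-of-frame delimiter
IFG = 12           # minimum inter-frame gap (idle time on the wire)
WIRE_OVERHEAD = PREAMBLE_SFD + IFG


def line_rate_pps(link_bps: int, frame_bytes: int) -> int:
    """Maximum frames per second a link carries at a given frame size.

    frame_bytes includes the 4-byte FCS: 64 is the Ethernet minimum,
    1518 the usual maximum without jumbo frames.
    """
    bits_per_frame = (frame_bytes + WIRE_OVERHEAD) * 8
    return link_bps // bits_per_frame


def cycles_per_packet(core_hz: float, cores: int, pps: int) -> float:
    """CPU cycles available per packet if every core does nothing but forward."""
    return core_hz * cores / pps


def nonblocking_fabric_gbps(ports: int, port_gbps: float) -> float:
    """Fabric capacity needed for all ports to run full duplex at once
    (the figure vendors quote as 'switching capacity')."""
    return ports * port_gbps * 2


def fabric_headroom(fabric_gbps: float, ports: int, port_gbps: float) -> float:
    """Actual fabric capacity divided by the non-blocking requirement;
    below 1.0 the switch is oversubscribed and ports contend for the fabric."""
    return fabric_gbps / nonblocking_fabric_gbps(ports, port_gbps)


def budget_table(link_bps: int, core_hz: float, cores: int) -> List[Dict[str, float]]:
    """Per-frame-size pps and cycle budget for one link on one CPU (assumed inputs)."""
    rows = []
    for size in (64, 512, 1518, 9000):
        pps = line_rate_pps(link_bps, size)
        rows.append({
            "frame_bytes": size,
            "pps": pps,
            "gbps_payload": pps * size * 8 / 1e9,
            "cycles_per_packet": cycles_per_packet(core_hz, cores, pps),
        })
    return rows


if __name__ == "__main__":
    # Constructed scenario: a 10 Gbps link on a 4-core 3 GHz box
    print("10 Gbps link, 4 x 3 GHz cores, all cores forwarding:")
    for row in budget_table(10_000_000_000, 3.0e9, 4):
        print("  {frame_bytes:5d} B frames: {pps:>10d} pps, "
              "{gbps_payload:5.2f} Gbps of frames, "
              "{cycles_per_packet:8.0f} cycles/packet".format(**row))

    # Constructed switches: 24 x 1 Gbps with a 40 Gbps fabric versus an
    # 8-port SOHO box whose fabric can barely do 1 Gbps in total
    print("fabric headroom, 24-port 1G switch, 40 Gbps fabric: %.2f"
          % fabric_headroom(40, 24, 1))
    print("fabric headroom, 8-port SOHO 1G switch, 1 Gbps fabric: %.2f"
          % fabric_headroom(1, 8, 1))
```

Reading the table: at 64-byte frames a 10 Gbps link is roughly 14.9 million packets per second, which leaves a single 3 GHz core about 200 cycles per packet, far less than a full kernel stack pass with packet filtering costs; at 1518-byte frames the same link is about 813 kpps with a budget more than twenty times larger, which is the regime the large-packet throughput numbers are measured in.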
 
What a lot of people don't seem to realize is that proper hardware switches have a backplane that's capable of pushing multiples of the max. speed of a single port. For a 1Gbps switch the backplane is usually capable of pushing 40Gbps or more. Those cheap (SOHO) switches are typically barely capable of pushing 1Gbps on their backplane. That's what makes them slow. It's fine if you have two machines talking to each other but as soon as more ports are used the backplane simply won't be able to sustain all of them at 1Gbps concurrently.

Can you get a server with a fast backplane to fight fire with fire?
Routers are insanely expensive in my experience esp when you add the support contract.
 
But still the core statement of his posting is also true for Juniper devices: A LOT of the heavy lifting is done in silicon to provide switching and routing at line speeds.
Definitely agree.
With modern Hardware, one might achieve line-speed switching/routing for a few GBit interfaces, but even with relatively common 10GBit networks this starts to become a challenge. It could be done, but it's quite some work and you have to throw some decent hardware at this problem; so a proper switch is mostly the cheaper (and still faster) option.
For anyone thinking about doing this, run benchmarks/iperf as a server on the loopback address: iperf -B 127.0.0.1 -s and test in another terminal window with: iperf -c 127.0.0.1. That'll give you a rough idea of the maximum speed that hardware can route without doing a lot of tuning and customization.
Bridging together some NICs to act as a switch is very common - all of those cheap plastic home routers do this just because it is cheaper than a real switch. So it is "working" and well tested. But no one in their right mind would ever put one of these things in a production network, because these toys are horribly slow and choke easily on a fraction of the pps (packets per second) even a cheap "dumb" switch could easily manage.
A lot of that is probably due to under-spec'd hardware (lowest cost to manufacture) along with rushed firmware, then it is on to the next product and no more updates for existing ones. There are a lot of SoC (System on a Chip) router implementations that combine a switch with a CPU core that does the routing. LAN-to-LAN performance on those should run at wire speed. LAN-to-WAN or VLAN performance goes through the CPU core and is slower. It is certainly possible to build a wire-speed router out of commodity parts - look what Ubiquiti has done, for example.
 
Can you get a server with a fast backplane to fight fire with fire?
No, routers and switches contain specialized hardware that does this. The "OS" of a router/switch is really only there to configure the hardware.
 
This subject made me wonder if there are also advantages between UTMs like pfSense/OPNsense and commercial ones like Juniper SRX / Sophos UTM/XG.

I mean security-wise, not just at hardware side, since most of the commercial ones are also available as VM.
 