[geeks] Routing problem: solution in progress
phil.stracchino at speakeasy.net
Tue Dec 26 06:15:12 CST 2006
Michael-John Turner wrote:
> On Sat, Dec 23, 2006 at 10:52:42AM -0500, Charles Shannon Hendrix wrote:
>> Of course, I have no complex firewall rules yet, and right now ipfilter
>> setup is minimal, and I'm not running a snooper yet.
> You should take a look at pf - I switched from IPFilter to pf a few years
> back and I'm very happy. NetBSD 3.1 supports it, but not in the GENERIC
> kernel - you'll either need to load the lkm or build a custom kernel with
> pf support.
pf was, in fact, one of the two reasons I specifically selected
OpenBSD for my firewall (along with OpenBSD's security record). I'm
not running a snooper either though.
>> I've read that you generally want 200MHz of USII CPU power per interface
>> pair on Sun systems, but that might be assuming a certain level of
>> packet processing.
> Yep, I've heard something similar. And I think 500MHz of US-II for each
> GigE interface.
yama, with three active 10/100 interfaces (plus the onboard hme unused),
seems to run just fine on a USII-333.
> Thanks. I think the biggest concern for me is LAN routing performance -
> whether the U1 will be able to achieve close to wire speed with 100Mbps
> interfaces. What's the max rate you've been able to achieve on the LAN
Well, really, the only traffic that goes through the router is to and
from my DSL link, so it's 1.5Mbit max anyway. (Plus of course Bacula
backup traffic directly *from* the router, which generally peaks - from
yama - at about 2Mbyte/second sustained throughput). The gating factor
on LAN traffic is my switch and the 10/100 NICs on everything but vorlon
(which has dual gigabit interfaces) and the Macs; in past testing, I can
sustain about 97-98Mbit/second between minbar's 12-way striped array
and, say, babylon5 across my Netgear FS516 switch.
> I sometimes think it may be better to just put my (currently unused) U5/360
> into use as a firewall/router - it has PCI, which will make it easier to
> add GigE support when I upgrade my LAN. The only problem is that I have no
> quad FastE PCI cards, whereas I have a plethora of quad hme SBus cards
> lying unused. Argh, choices, choices.
I don't have any quads, to my knowledge, but I think I may still have a
couple more dual EEPro100s lying around.
Same geek, same site, new location
Phil Stracchino Landline: 603-429-0220
phil.stracchino at speakeasy.net Mobile: 603-216-7037
Renaissance Man, Unix generalist, Perl hacker, Free Stater