
Re: high-end firewall



On 08/24/2001 07:24:28 PM Blars Blarson wrote:

>> Since I haven't found a pre-packaged solution that fits our needs,
>> I'm looking into using a linux box as a router.

This is totally off-topic, and I'm not even remotely trying to plug a
product, but are you saying that your Cisco rep said "Can't help ya, please
go away"?  I find that very hard to believe.  Tell your rep to try harder.

>> We have a /24 with around 150 systems on it, and growing.  The
>> incoming feed is 100baseFX full duplex, with a T3 bottleneck upstream.
>> We have 10 managed 24-port Fast ethernet switches (in four locations)
>> connected together with 1000baseSX.  Our users are in several
>> different departments, and it would be best to group them.  (The
>> switches can do VLANs.)

>> Would a gigahertz Pentium 3 be able to handle the load of routing
>> between several 100baseTX cards without being a bottleneck?

At the low end, CPU power is the limitation.

For my example, my 486-25 needs about 10% CPU to push a measured half a
megabit thru my DSL.  This is kernel 2.4 with very simplistic iptables
config, etc.  If I went crazy with access control lists or similar I could
"probably" max it out.  I've never heard of anyone in a non-bug,
non-admin-screwup situation maxing out a pure firewall box, although it's
possible.  Of course someone or something that screws up a 386-16 will
screw up a gig pentium, just sixty times faster.

For your example, pushing a T3 will require (45 / .5) = about 90 times the
bandwidth, but CPU power (1 GHz / 25 MHz) = about 40 times faster.  So
expect maybe 20% utilization for your box on a full T3, assuming perfect
linear scaling (which is probably a dumb assumption).  In summary, it'll
almost certainly work, although I've never tried something like that.

At the higher end, bus capacity is the limitation.

For your example, let's say you install qty 3 four-port 10/100 cards.  That's
12 * 100 = 1200 megabits of traffic (peak), which will not fit on a PCI
bus.  That's why people pay $100 for a six-port 10/100 switch at CompUSA
instead of trying to stick six 10/100's in a linux box running bridging,
even if you have the hardware lying around unused.

I have not considered the memory requirements of "ip NAT / ip masquerade"
nor how that scales.  Let's see, 45 megs, feeding 56K end users, each of
which using 10 active connections, and oversubscribe the works by a factor
of 10, hmm, that's 80358 NAT'ted connections.  That will require at least two
IP addresses to hold the ports if nothing else.

Probably the single best thing anyone trying to learn networking can do is
get about half a dozen old 486/386s and a bunch of LAN cards and install a
stripped down Debian on each.  Then wire it all up.  Just installing Zebra
and playing with BGP is worth it alone.  Then you play with access control
lists, etc.  Very educational.
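The back-of-envelope sizing in the post above, as an added example (not part of the original message): a small calculator that reproduces the CPU, PCI-bus and NAT estimates and reports which budget breaks first. The PCI bus bandwidth and the usable-ports-per-address figure are assumptions of this example, not numbers from the post.

```python
import math

# Assumed constants (not from the post): a 32-bit/33 MHz PCI bus moves
# 32 * 33 = 1056 Mbit/s in theory, and one NAT address can hand out
# roughly the 64512 ports above the reserved range 0-1023.
PCI_32_33_MBIT = 32 * 33.0
USABLE_PORTS_PER_IP = 65536 - 1024


def cpu_utilization_estimate(ref_util, ref_mbit, ref_mhz, target_mbit, target_mhz):
    """Scale a measured CPU fraction linearly with bandwidth and inversely
    with clock speed: the same perfect-linear-scaling assumption the post
    makes (and flags as probably dumb)."""
    bandwidth_ratio = target_mbit / ref_mbit
    cpu_ratio = target_mhz / ref_mhz
    return ref_util * bandwidth_ratio / cpu_ratio


def bus_check(num_cards, ports_per_card, mbit_per_port, bus_mbit=PCI_32_33_MBIT):
    """Peak line rate of all NIC ports on one shared bus, and whether it fits."""
    peak_mbit = num_cards * ports_per_card * mbit_per_port
    return peak_mbit, peak_mbit <= bus_mbit


def nat_connections(feed_mbit, user_kbit, conns_per_user, oversub):
    """Connections the NAT box must track: users the feed can carry at
    user_kbit each, times connections per user, times oversubscription."""
    users = feed_mbit * 1000 / user_kbit
    return math.ceil(users * conns_per_user * oversub)


def nat_addresses_needed(conns, usable_ports=USABLE_PORTS_PER_IP):
    """Public addresses needed so every tracked connection gets its own port."""
    return math.ceil(conns / usable_ports)


def size_router(feed_mbit=45, target_mhz=1000, cards=3, ports=4):
    """Run the post's three checks for a T3 feed on a 1 GHz box."""
    return {
        "cpu_util": cpu_utilization_estimate(0.10, 0.5, 25, feed_mbit, target_mhz),
        "bus": bus_check(cards, ports, 100),
        "nat_conns": nat_connections(feed_mbit, 56, 10, 10),
        "nat_ips": nat_addresses_needed(nat_connections(feed_mbit, 56, 10, 10)),
    }


if __name__ == "__main__":
    print(size_router())
```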