Re: Debain as gigabit router?

To: debian-user@lists.debian.org
Subject: Re: Debain as gigabit router?
From: Erik Persson <erik-maillist@djingis.se>
Date: Sun, 27 Aug 2006 00:15:37 +0200
Message-id: <[🔎] 44F0C809.5080606@djingis.se>
In-reply-to: <[🔎] 200608261748.58400.alan@chandlerfamily.org.uk>
References: <[🔎] 44F05E76.5020905@djingis.se> <[🔎] 200608261748.58400.alan@chandlerfamily.org.uk>

Alan Chandler wrote:

On Saturday 26 August 2006 15:45, Erik Persson wrote:
I can't answer your question directly, but I can give you a point in theground.
I run a debian (was sarge - just updated to etch) server with two 100Mbethernet cards in to act as a router/firewall AND web server, tomcatapplications server, mail server, fileserver, print server, name server, dhcpserver etc etc.
CPU load rarely gets above 3% except when people are accessing the web site(thats the java machines in topcat). That is with a 1.7Gh Celeron


Thanks!

We are running an Athlon 64 3200+ with 3 100Mbit/s nics with and arather large set of iptables rules. The maximum number of clientcomputers running at the same time in our internal net is probablyaround a couple of hundred (some of the client computers, the actualnumbers are unknown to us, are however behind nat-ing routers.) Thisworks without any problems. However the external if is only 50mbit/s,and the number of computers *running at the same time* is thus not veryhigh. On this computer the load rarely gets above 1% (I can't evenremember having seen it reaching 1%).Before the computer above we had a PIII 900Mhz which fullfilled the sametask also without any problems.From this perspective one would guess that there really shouldn't beany problems with 1 gb/s. But I think there's more to it.Just to get a feeling of the speed, an ordinary PCI 32 bit 33MHz has apeak transfer rate of about 1000 mbit/s "half duplex".

I have however seen some tests of iptables and routing on double 1gb/snics and it seems that iptables don't really scale that well. There arehowever other packet filtering options that does a better job. Routingcould be a problem as well, but the packet filtering seems to be thereal bottleneck.1 gb/s is a large amount of data and the pps would be very high. Let'sfor the sake of argument say that the average packet size is 100 bytesand that there's no overhead at all on the 1 gb/s. That would yield 1,25million pps. This is a huge amount of packages.From the link below you can see that a dual opteron 2,2 GHz managedabout 700 000 pps, but there are other factors in this as well (as the55 000 new connections per sec in the test). This is only routing, and Iguess the gb-link was saturated.When using firewalling the pps fell rather dramatically to about 250 000pps (and 25000 new connections per sec). That is *not* saturating thelink and is about 1/3 of the pps reached when doing only routing.I don't think we ever will reach that number of new connections persecond, and this will probably relieve the router/firewall of some burden.


On debian-isp I was adviced to read the following link:
http://www.hipac.org/
Iptables, nf-hipac (etc) and router performance:
http://people.netfilter.org/kadlec/nftest.pdf

I have heard some people saying it is possible to run linux as agb-router on pc-hardware and some have actually tested it, but it wouldbe very nice to hear from some more people who have tried it!

Nothing beats the real world.

/erik persson

Reply to:

Follow-Ups:
- Re: Debain as gigabit router?
  - From: Erik Persson <erik-maillist@djingis.se>

References:
- Debain as gigabit router?
  - From: Erik Persson <erik-maillist@djingis.se>
- Re: Debain as gigabit router?
  - From: Alan Chandler <alan@chandlerfamily.org.uk>

Prev by Date: colloquial
Next by Date: cotman
Previous by thread: Re: Debain as gigabit router?
Next by thread: Re: Debain as gigabit router?
Index(es):
- Date
- Thread