General performance feedback on the sys. reqs
-
:o
These requirements are quite a jump from what I was used to with LRP/Bering. Bering router scaled nicely up to 2 people running 3 or 4 different p2p clients on 2 segments. And this was on a P100/24 machine. I will try to upgrade to PII266/64 with pfSense, but judging by the above requirements, it will not run. I might switch back to LRP/Bering, as the speed/ram boost would probably solve the NAT overload problem I was getting.
I still love pfSense's powerful features and will be using it when a better machine hits my junkyard.
-
Sorry, but pfSense was not made for the junkyard ;D , and as you mentioned it has a lot of features. You can still strip it down to meet rather low requirements like embedded platforms. Some developers run it even on soekris 4501 (133MHz CPU, 64 MB RAM) without issues. It mainly depends on the load you put on the system and which features you use.
-
I expect any machine would kneel down given an overload. I have heard of Ciscos kneeling down before a humble donkey ;D
I hope my expectations (NAT/PAT with many connections from outside) will be served by PII266/64. If not, I might consider some other HW. There is tons of it lying around for free. I am just too lazy (and busy) to sniff around other ppl's junkyards :) But it goes against my philosophy to spend good money on something I can have in exchange for a few brain wave cycles… I think we all are like that... Providing we have a brain :D ;)
-
I will try to upgrade to PII266/64 with pfSense, but judging by the above requirements, it will not run.
With quality NIC's (read Intel, not anything like Realtek), a PII 266 should be able to push at least 20-25 Mb even with heavy P2P load. The hardware upgrade the original poster in this thread stated was necessary almost certainly wasn't due to a lack of resources.
On slower boxes, the webGUI used to be pretty sluggish, but some changes in the upcoming beta 2 have drastically reduced page load times so that's much less of an issue (down from 10-20 seconds on a 133 MHz for many pages, to around 3 seconds now).
FreeBSD 6.0 performs about equal to Linux 2.4 kernel under most circumstances with most hardware, for firewalling purposes. It's quite a bit faster than Linux 2.6 kernel. FreeBSD 4.x, what m0n0wall is still based on, is still roughly twice as fast as FreeBSD 6 though. This all is only true for single processor systems though, changes in recent FreeBSD and Linux systems make SMP systems perform much better than their older versions. With multiple core processors and multiple CPU systems becoming the standard, this is the direction these OS's needed to go.
-
I know BSD is superior in networking, but the drastic differences in networking IO you are quoting must be a bit of an urban myth… If BSD4 is double the speed of BSD6 and BSD6 is faster than Lin 2.6, that must make Linux a dead slug. I still get the speeds of about 8Mb/s using scp on lin/lin transfer and that is using cheapest lowend Realtek hardware on 1GHz machinery... No special tuning whatsoever...
I will surely test all this live and I am looking forward to pfSense. It looks dashing.
-
I know BSD is superior in networking, but the drastic differences in networking IO you are quoting must be a bit of an urban myth… If BSD4 is double the speed of BSD6 and BSD6 is faster than Lin 2.6, that must make Linux a dead slug.
You really shouldn't question those who have done more firewall performance testing than you've ever even thought about. :D
In firewalling, Linux 2.6 is an absolute dead slug in comparison. Granted the only test numbers I've seen, and only tests I've done, are on embedded platforms (Soekris/WRAP). There's a big difference between firewalling and general networking. When packets have to be firewalled and NAT'ed, generally they have to be processed by the kernel several times. Changes in newer kernels that improve speed for other operations really cause a hit on these things. It's absolutely not a myth. The numbers are, roughly, for a Soekris 4801 or WRAP (266 MHz), about 15 Mb through Linux 2.6, 20-25 Mb through FreeBSD 6.0 or Linux 2.4, and 40-45 Mb through FreeBSD 4.x. FreeBSD 5.3 would do about 20 Mb until you loaded it up with a high pps load, at which point it would crawl down to around 10 Mb or less.
On my 4501 (133 MHz), I couldn't get more than 3.5-4 Mb through 5.3 under a higher pps load, where 4.x can do 17 Mb, and 6.0 about 10 Mb.
Some proof in graphs for this particular testing: http://chrisbuechler.com/4vs5/
Do the tests yourself and you'll see.
FreeBSD 4.x has probably the fastest general purpose full featured TCP/IP stack ever written.
8 Mb through a 1 GHz is absolutely nothing. Your first bottleneck on a firewall is generally the CPU. 1 GHz is enough CPU that firewall throughput isn't an issue with any OS until you get way over 8 Mb. You can't see any difference between any of them until you're using slower hardware and higher loads.
-
Shish. I have a dead slug infestation around here :o
Time to BSD I guess. At least servers and relay machines…
-
@cmb:
8 Mb through a 1 GHz is absolutely nothing. Your first bottleneck on a firewall is generally the CPU. 1 GHz is enough CPU that firewall throughput isn't an issue with any OS until you get way over 8 Mb. You can't see any difference between any of them until you're using slower hardware and higher loads.
Heck, even the commercial Nokia firewalls are P3 933 MHz w/256 megs RAM (IP380); upgrading it to 1 gig of RAM and it has no problem holding up a college campus with VoIP, VPN (clients connecting), site-to-site VPN tunnels, etc.
-
Shish. I have a dead slug infestation around here :o
Time to BSD I guess. At least servers and relay machines…
Servers are a different situation than firewalls. Certain applications and uses are probably faster on Linux, others faster on BSD. I doubt if you're running any 200 MHz servers (or anything sub-1 GHz for that matter) that need to pump out 100 Mb on the network, so the difference in networking performance between OS's is of little concern.
For most situations, with servers, what it comes down to is use what you're comfortable with. A good Linux admin will run the most reliable and secure servers when using Linux. A good BSD admin with BSD. A good Windows admin with Windows. An incompetent sysadmin will run insecure and unreliable servers no matter what's running on them.
The whole "X is more secure and reliable than Y" argument is quite a bit of BS when it comes down to it. The security and reliability of any server is 99% in correlation with the competency of its administrator.
-
@cmb:
An incompetent sysadmin will run insecure and unreliable servers no matter what's running on them.
The whole "X is more secure and reliable than Y" argument is quite a bit of BS when it comes down to it. The security and reliability of any server is 99% in correlation with the competency of its administrator.
ROTFL.
It is very true though.
I would say as long as the system is stable when you are running it, good performance for you, and lastly supports the functionality you require then it is ok. If multiple OS's offer this then whatever your personal preference is.
-
Very true.
I have obviously mistakenly assumed networking == routing.
:)