10Gb/s Forwarding
-
Looking forward to see test results….:)
-
So, this is the reply I got from the FreeBSD firewall forums:
"You're completely nuts to be putting 16 cores into a firewall box.
Most of the code pathways in PF and IPFW are serialised, so you won't be able to use more than a couple CPU cores in a packet filtering firewall.
And you really don't need 24 GB of RAM in a firewall box. Our gigabit fibre routers only have 2 GB, and they rarely use more than 512 MB of RAM.
Find the fastest dual-core CPU you can. Give it 2-4 GB of the fastest RAM it can handle. And give it PCIe NICs with as much offloading capability as you can.
And be sure to use the latest version of FreeBSD, as network throughput, packet filtering, and forwarding have greatly improved in 8.x over 7.x. Plus, you get the latest drivers for the fastest NICs."So - does pfSense use PF and/or IPFW as the firewalling base code (is the "PF" the same "PF" in "pfSense"?) Or it is a more proprietary code that works differently? If I am to believe that guy, I should not care about how many cores I have, but rather how fast each core is and have fewer cores. But, if pfSense uses a more CPU-parallel code base that is not PF/IPFW based, it may change things…?
-
pfSense uses both pf and IPFW. (It doesn't use much of IPFW though, it gets used only for Captive Portal, Scheduling, and some other things)
-
Rum it in a virtual machine and loadbalance it…..
-
But then the issue becomes having something fast enough to do the load balancing, which could be just as much of a CPU load.
-
Dont you think 16 cores are enough??
@Efonne:
But then the issue becomes having something fast enough to do the load balancing, which could be just as much of a CPU load.
-
Depends on whether it uses them for doing the processing. At least in pfSense it is doing the load balancing through PF, so the multiple cores still won't make a difference.
-
Running ESXi and 5 instances of pFsense in a loadbalancing scheme would be an easy setup I guess.
But geez, 16 cores and 24GB RAM ? Only customers I have that buy that kind of hardware use it for virtualization, and then we are talking about 50+ VMs of low\medium size.
-
After a long while, we finally put our test case together.
We have a Dell R610 with 3.47GHz Xeon X5677 Processor (Quad-Core)
12GB RAM, 1333MHz speed
Myricom 10G-PCIE2-8B2-2S NIC, with two 10G ports on it
pfSense 2.0-BETA4 (amd64) Built on August 22As a control case, we downloaded data in our datacenter in Santa Cruz, CA all the way from Maryland at a partner site, and were able to achieve 2Gb/s sustained. No firewall in between.
Then we put our download server behind the new pfSense box and configured some filtering rules just for fun, and got the same 2Gb/s when downloading. Which indicates the pfSense box was not a bottleneck. We watched the pfSense box for load and saw very little. No dropped packets, CPU was working at less than 2% and the "Interrupt" metric as reported by top was at 7%. Most of the packets were UDP, transferring about 150 million packets per second with ~30 open states.
Given that the load was so low, I bet we could filter 5-7Gb/s through this box with little trouble. Which I intend to do in a few months. ;)
Random note, I noticed the default MTU for both WAN and LAN interfaces was 9000 bytes, even though the web interface has a note that says it should default to 1500 bytes by default on all interfaces. I had to manually set 1500 bytes in the web interface, since I am not able to use jumbo frames at this time. Perhaps that is a small bug in this version of the beta release.
-
OK… The 10G NIC will definitely be on a PCI-E bus that can handle 8Gb/s. So right there I am limited to 8Gb/s on the PCI-E bus. But My "CPU" is only 2.4GHz, does that mean that I won't even be able to push 500Mb/s through the server?
The Myricom is a PCIe 2.0 8 lane card. The bandwidth allowed on such an interface is 4GBytes/s (32Gbits/s) in each direction simultaneously. If the slot is only capable of Gen. 1 PCIe, then this would be 2Gbytes/s (16Gbits/s).
However, as seeing that you're running on the R610 with the Tylersburg chipset, all the PCIe slots (32 lanes total) are capable of Gen. 2 speeds. i.e. Your card is not being crippled by the slot bandwidth.