Masquarade question.

Hi,

At work I'm about to setup a group of machines behind a Linux masquaraded
gateway, these will be machines that we don't need to have direct access to
the internet (e.g. terminal server clients). I have set up a test using SuSE
9.0 which seems to work ok. Question is what sort of spec machine would I
need to do this. We will only have one class c behind the masquarade, but
initially we are talking about 20-30 machines. Currently the machine we
are planning on using is a P3 1GHz, with 2x 100Mb network cards in though
we have a gigabit capable network if needed. Is this setup likley to provide
an acceptabe service ?

Thanks.

Phill.

Hi Phill,

> At work I'm about to setup a group of machines behind a Linux masquaraded
> gateway, these will be machines that we don't need to have direct access to
> the internet (e.g. terminal server clients). I have set up a test using SuSE
> 9.0 which seems to work ok. Question is what sort of spec machine would I
> need to do this. We will only have one class c behind the masquarade, but
> initially we are talking about 20-30 machines. Currently the machine we
> are planning on using is a P3 1GHz, with 2x 100Mb network cards in though
> we have a gigabit capable network if needed. Is this setup likley to provide
> an acceptabe service ?

This question is not easy to answer. But i have a strong idea on that.
Ok, if you just plan to use this PC as a Gateway/DHCP/DNS-Server,
it should have far enough power.
Ok, this also depends on your internet connection. If you have a broadband
connection with lots of bandwidth, it _may_ not be enough.
But this applies only for real fast connection.
To give you a glue, i can tell you what i have at home:

486DX-2, 66MHz, 32MB PS/2-RAM, 2x10MBit NIC ->Gateway, DHCP,DNS
aDSL internet connection, 2MBit/s downstream, 192KBit/upstream
connected to a 100 MBit-LAN with up to 5 client machines

Ok, in most cases, only 2-3 clients are using the gateway at a time.
At your place the load will be much higher, because it is a productive
environment. The only thing i can say is, that my small gateway box serves
my LAN very well....when i download files, i get full speed without
any problems and response times seem ok, too.
To be honest i've never done any real benchmarks, but i've been very
satisfied until now.

The machine you plan to use is way faster so i would try to use it.
If it turns out to be too week, you can easily upgrade later....

HTH

Ralf

The Masquerade system doesn't need a special spec. Only NIC is important.
It's because that Linux's operation for the Masquerade uses a little cpu
resource and memory.

In my office, The firewall sytem's spec is only Pentim III that is even a
second-hand PC and 30 PCs use Internat through this firewall. If you want
more stable system, the system is enough to be added Dual Power.





"Phill Harvey-Smith" <(E-Mail Removed)> wrote in message
news:Xns94F5A33E02A69philldnawarwickacuk@137.205.1 28.11...
> Hi,
>
> At work I'm about to setup a group of machines behind a Linux masquaraded
> gateway, these will be machines that we don't need to have direct access
to
> the internet (e.g. terminal server clients). I have set up a test using
SuSE
> 9.0 which seems to work ok. Question is what sort of spec machine would I
> need to do this. We will only have one class c behind the masquarade, but
> initially we are talking about 20-30 machines. Currently the machine we
> are planning on using is a P3 1GHz, with 2x 100Mb network cards in though
> we have a gigabit capable network if needed. Is this setup likley to
provide
> an acceptabe service ?
>
> Thanks.
>
> Phill.

yes, you are perfectly all right. A p III would be just fine for 20-30
pcs. Basically, ip-masq doesn't use much of cpu time, unless should
you are in clamp-mss, specially with pppoE or vpn. Well, you might
have to think on investing gigabit ethernet, what's your connection
speed to the internet gateway? If you are using only internet,
probably 100 mbps will do the work for you. You might use squid as
cache server, for faster access. Then alocate a separate memory space
for squid too.

hth

raqueeb hassan
congo (drc)

Phill Harvey-Smith <(E-Mail Removed)> wrote:

> At work I'm about to setup a group of machines behind a Linux
> masquaraded gateway, these will be machines that we don't need to have
> direct access to the internet (e.g. terminal server clients).

> Question is what sort of spec machine would I need to do this. We will
> only have one class c behind the masquarade, but initially we are
> talking about 20-30 machines.

The machine you are thinking of using a quite frankly overkill. The
routing and NAT functionality doesn't need much in the way of resources.
A lowly PII would be heaps. It's the associated services that drive up
the resource requirements (services such as proxying, NIDS, etc).

You mentioned that you are dealing with terminal server clients. If the
data for these is crossing the router (which btw, would be suboptimal),
then you should take care to measure the PPS (packets per second) rate,
to avoid dropping packets due to full queues. This can _really_ make
interactive protocols so slow as to be unusable (this effects X11 a lot,
as it uses TCP, so when a packet gets lost, there is quite a bit of
waiting involved).

> Currently the machine we are planning on using is a P3 1GHz, with 2x
> 100Mb network cards in though we have a gigabit capable network if
> needed.

If you're planning on routing to gigabit speeds, you should _really_ be
looking at a hardware router, such as a Cisco or Juniper etc.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!

(E-Mail Removed) (Raqueeb Hassan) wrote in
news:(E-Mail Removed) om:

> yes, you are perfectly all right. A p III would be just fine for 20-30
> pcs. Basically, ip-masq doesn't use much of cpu time, unless should
> you are in clamp-mss, specially with pppoE or vpn. Well, you might
> have to think on investing gigabit ethernet, what's your connection
> speed to the internet gateway? If you are using only internet,
> probably 100 mbps will do the work for you. You might use squid as
> cache server, for faster access. Then alocate a separate memory space
> for squid too.

Basically we are doing this to isolate some vunarable machines (machines
driving pieces of equipment that need to be networked but where the
equipment manufacturers will not support anything above windows x sp y,
where X=NT for example and Y=<6) from the internet in general, as we have
had a couple that have been remotely compromised. The masquarade box will
have 2x 10/100 cards in it, though as people have said if this gets too
slow then we can probably go to gigabit, as our new network has all sockets
gig capable.

Thanks for the repplies people, I suspected it would be enough as I used to
run my home gateway on a P120, but that was onlyt on a modem, current
gateway is an athlon XP-2000 on DSL, so I couldn't really use that to judge


Phill.