Gigabit redundant firewall questions (hardware and software)

Discussion in 'Linux Networking' started by David Schwartz, Nov 2, 2004.

    I'm trying to set up a redundant firewall configuration. We have two GE
    links that redundantly (though both active) feed an array of servers. I'd
    like to interrupt each GE link with a PC acting as a firewall.

    First of all, we can't easily do any stateful firewalling because
    packets can take either link, and thus pass through either PC. That's fine.
    Mostly what we want is to get detailed traffic statistics in as near real
    time as possible and apply packet filters. They can be as coarse as 'block
    this IP'.

    I have a lot of questions:

    1) I've heard that the Intel GE cards work the best with Linux because
    of their NAPI support. Is this true? There are a lot of different Intel GE
    cards with vastly different prices, do they perform much differently?

    2) I've heard that there are issues with SMP in high-speed packet
    filters and we should prefer a fast single CPU machine. Is this true, or

    3) Are there any good software firewall packages that will allow us to
    see the traffic statistics on the inbound GEs in real time? A web interface
    that could show us which IPs are generating/receiving the most traffic, for
    example. Something to synchronize the config on the two boxes would be nice
    too (though we can hack that up ourselves easily enough.)

    4) We'd like to be able to handle at least 500Mbps total (25% line
    rate). (The line rate would be 4Gbps, 1Gbps in on each of the two ports,
    1Gbps out on each of the two ports.) Is this realistic?

    5) I can't use GE ports built into motherboards because I need to
    support fiber in the future. Will this hurt me a lot because I can't use
    that new Intel thing where the GigE port connects directly to the MCH? Do I
    need to look for motherboards with dual independent PCI-X busses? Do these
    even exist?

    6) Any dual-GigE Linux success stories? What motherboards, processors,
    and Ethernet cards did you use? How much bandwidth could you handle at what
    kind of CPU load? How much were you able to do to the packets without
    melting down? Any special kernel versions/options?

    In the past, we tried a dual-FE setup and had dismal results. Interrupt
    storms slowed the system to a crawl at 200Mbps total or so. We expected full
    line rate (400Mbps) to work. So we're asking a lot more questions this time.

    David Schwartz, Nov 2, 2004
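Regarding question 3 (near-real-time per-IP traffic statistics), the usual low-cost approach is per-IP accounting rules in the FORWARD chain and periodic sampling of their byte counters. The following is an added example, not the poster's code or any particular package: it parses two constructed snapshots in the layout of `iptables -nvx -L` output and turns the cumulative byte counters into per-IP Mbit/s "top talker" rates. The chain name, addresses and interval are assumed sample values.

```python
import re

# Constructed samples in the layout of `iptables -nvx -L FORWARD` output
# (one accounting rule per host; counters are cumulative, so two snapshots
# taken INTERVAL_S seconds apart are needed to get a rate).
SNAPSHOT_T0 = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1000   1500000 ACCEPT     all  --  eth0   eth1    192.0.2.10           0.0.0.0/0
    2000   3000000 ACCEPT     all  --  eth0   eth1    192.0.2.11           0.0.0.0/0
     500    400000 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.0.2.10
"""
SNAPSHOT_T1 = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1100   1650000 ACCEPT     all  --  eth0   eth1    192.0.2.10           0.0.0.0/0
    2000   3000000 ACCEPT     all  --  eth0   eth1    192.0.2.11           0.0.0.0/0
    1500  12400000 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.0.2.10
"""
INTERVAL_S = 10  # assumed sampling interval between the two snapshots

# pkts bytes target prot opt in out source destination
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_counters(text):
    """Return {(direction, ip): cumulative_bytes} from a counter listing.
    A rule matching a specific source counts that host's transmitted bytes
    ('tx'); a specific destination counts received bytes ('rx')."""
    counters = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:            # chain banner and column header do not match
            continue
        _pkts, nbytes, _in, _out, src, dst = m.groups()
        if src != "0.0.0.0/0":
            counters[("tx", src)] = int(nbytes)
        elif dst != "0.0.0.0/0":
            counters[("rx", dst)] = int(nbytes)
    return counters

def top_talkers(before, after, interval_s, n=5):
    """Per-IP rate in Mbit/s over the interval, highest first."""
    rates = []
    for (direction, ip), end in after.items():
        start = before.get(direction_ip := (direction, ip), 0)
        delta = end - start if end >= start else end  # counters were zeroed
        rates.append((ip, direction, delta * 8 / interval_s / 1e6))
    rates.sort(key=lambda r: r[2], reverse=True)
    return rates[:n]

if __name__ == "__main__":
    t0, t1 = parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1)
    for ip, direction, mbps in top_talkers(t0, t1, INTERVAL_S):
        print(f"{ip:16} {direction}  {mbps:8.2f} Mbit/s")
```

Because the counters are read from the kernel, not from a packet copy, sampling them every few seconds costs nothing on the forwarding path; a web front end only needs to call these two functions on fresh listings.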
