On Tue, 16 Aug 2005 11:38:06 -0500 "Taylor, Grant" <gtaylor@xxxxxxxxxxxxxxxxx> wrote:

> I ended up allocating 1 GB of RAM to just connection tracking. In fact you
> need 1 GB (or very close to) to be able to track 65535 connections.

You don't. Maybe that's conntrack's default, but you can set it to a higher number manually. The required memory is approx 400b per connection (depends on iptables/kernel compile time options). The rather conservative default (hashsize = 1/16384th of RAM) is for a generic system. For more info look at ip_conntrack_core.c.

65535 connections need about 25MB in RAM, so before starting iptables, do

  modprobe ip_conntrack hashsize=8192

(conntrack_max is auto-set to 8*hashsize, this is the recommended relation). In fact my distro Shurdix automatically sets up a larger hashsize than the default, depending on system memory.

You can change conntrack_max while the module is loaded (sysctl net.ipv4.netfilter.ip_conntrack_max), but you can't change the hashsize this way. If the relation is other than 1:8, you might experience performance problems (I don't know the details; this is recommended in various places on the net).

> Another problem that you may run in to will be filling your ARP table. The
> kernel space ARP table is not very large at all, only like 64 or maybe up to 255
> IP MAC pairs.

This is also tunable, per sysctl, somewhere like net.ipv4.neigh.default.gc_thresh[123]. Unfortunately it is poorly documented; I had to look at the source to realize this, and I don't remember what means what.

> In short get memory and a lower end proc to save the money for a 2nd identical
> router.

While a redundant system is indeed a good idea, I recommend making sure the router is rock stable. This doesn't necessarily require high-end / fast hardware; it is recommended to stress test it before going live (memtest/cpuburn/whatever). My tip is not to use "primitive" network cards like those based on rtl8139 when you require high bandwidth. This has the most noticeable impact on performance. I have ok experience with 3com's; I've heard intels are even better.

Yours sincerely,
Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc