Hi,
The hardware is: Xeon 3.4 GHz, 1 GB of RAM, Intel gigabit cards for the public and private networks (e1000 driver), 2 SCSI U320 RAID 1 hard drives.
The system is: Debian Sarge, kernel 2.6.8, iptables 1.2.11.
Thanks a lot.
-- Christophe
On 13 May 05 at 02:03, Taylor, Grant wrote:
Christophe SUIRE wrote:
Hi,
I have done some tests, and I'm surprised by the poor results with NAT.
I have a Linux firewall, 2.6.8 kernel, one card for the public network, and one card for the LAN.
All cards are gigabit cards.
I have 10 PCs which are each in a VLAN, with a gateway which is the virtual VLAN interface on the firewall linked with the LAN card.
I have 5 switches with a 100 Mbit/s uplink to the firewall (with a gigabit backbone switch). I have 2 PCs under each switch. So in theory each PC has 50 Mbit/s of bandwidth.
Each PC has 10 alias IPs, so I have 10 networks with 10 virtual clients under each network.
So each virtual client (100 in total) has 5 Mbit/s of bandwidth.
On the firewall each VLAN network is SNATed to go out to the Internet.
My bandwidth test is done with TPTEST, and a TPTEST server on the public network of the firewall.
My procedure is: TCP receive of 50 MB
launch the test for 1 virtual client and get the time
launch the test for 2 virtual clients together and get the time for each
....
launch the test for 100 virtual clients ...
When I do my test without NAT, just routing, the total bandwidth used is near 500 Mbit/s, which is great!
But when I do my test with NAT, the total bandwidth used is near 170 Mbit/s!!! So I have a large drop in performance!
And this bandwidth is the same from 20 virtual clients to 100 virtual clients.
So I understand that NAT needs to rewrite all packets, but here the performance is very poor.
Can someone explain to me why?
What are the specs on the system you are using as the firewall?
Grant. . . .
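As an added example (not code from either poster), the following POSIX shell script reproduces the SNAT setup described in the thread in a form that can be inspected before it is applied: one POSTROUTING rule per VLAN network, all translated to a single public address. It also adds a headroom check on the connection-tracking table, which is the first thing a practitioner would look at when NAT throughput flattens out at the same level regardless of client count, since on a 2.6.8 kernel every NATed flow occupies an entry in the ip_conntrack table. The interface names (eth0 public, eth1 LAN), the 10.0.N.0/24 address plan, the public address 203.0.113.1 and the 80% threshold are all assumptions; the thread gives none of them.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumed topology: WAN card eth0, LAN card eth1 carrying VLAN subinterfaces,
# VLAN i numbered 10.0.i.0/24, all SNATed to one public address.

# snat_rules PUBLIC_IP WAN_IF VLAN_COUNT
# Prints one iptables(8) SNAT command per VLAN network and nothing else,
# so the ruleset can be reviewed first and then applied with: snat_rules ... | sh
# POSTROUTING only knows the outgoing interface, hence the source-subnet match.
snat_rules() {
    pub="$1"; wan="$2"; n="$3"
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'iptables -t nat -A POSTROUTING -s 10.0.%d.0/24 -o %s -j SNAT --to-source %s\n' \
            "$i" "$wan" "$pub"
        i=$((i + 1))
    done
}

# conntrack_headroom COUNT_FILE MAX_FILE
# On a 2.6.8 kernel with the ip_conntrack module loaded, the live table is
# /proc/net/ip_conntrack (one line per tracked flow) and its ceiling is
# /proc/sys/net/ipv4/ip_conntrack_max. The paths are parameters so the check
# can be run against constructed files offline. Prints usage and returns 0
# while fewer than 80% of the slots are in use, 1 once the table is close to
# full (assumed threshold); a full table drops new flows rather than NATing them.
conntrack_headroom() {
    count=$(wc -l < "$1" | tr -d ' ')
    max=$(tr -d ' ' < "$2")
    pct=$((count * 100 / max))
    echo "conntrack: $count/$max entries (${pct}%)"
    [ "$pct" -lt 80 ]
}

# Usage on the firewall itself (guarded so the script also runs elsewhere):
#   snat_rules 203.0.113.1 eth0 10            # review, then pipe to sh
if [ -r /proc/net/ip_conntrack ] && [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
    conntrack_headroom /proc/net/ip_conntrack /proc/sys/net/ipv4/ip_conntrack_max
fi
```

Running the check while the 100-client test is in progress shows whether the table is anywhere near its limit; if it is, raising ip_conntrack_max is the obvious next experiment, and if it is not, the ceiling lies elsewhere.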