Hi All,
At work, we're building a new office, and we are considering building our
own edge firewalls instead of giving bucket loads of money to the big guys.
We're a Linux shop, so it makes sense to build those new firewall/VPN boxes
using Linux. But we are concerned about performance and complexity. I made a
simple diagram of what we want below. We would have a point-to-point WAN
connection between the two networks, and then an uplink on each side.
So I figured I would ask the Netfilter heavy users:
* How much traffic can we expect to route through a decently configured
firewall? Can we target 10GBPS with good NICs/CPUs and proper kernel tuning,
or is that completely out of range?
* If I recall correctly, some ISPs are using Linux/Netfilter boxes on their
network. Do we know the limits of such systems?
* Can we consider conntrack and conntrack synchronization between master
and slave?
* What type of network cards will handle 1GBPS and 10GBPS (eventually)?
Any recommendation on the hardware?
* We are considering starting with a base Ubuntu setup and then tuning the
kernel/system to fit our needs. Some distros are more network oriented than
others; is there anything that would stand out for our setup?
Any pointer to tuning/recommendations is more than welcome. If you have
experience with such a setup but don't want to share publicly, feel free to
contact me directly.
            ...........  I N T E R N E T  ...........
                 |                             |
           500 MBPS UPLINK               500 MBPS UPLINK
                 |                             |
   +-------------+--+      1 GBPS WAN      +---+--------------+
   |  LAN FIREWALL  |---------------------->|  DATACENTER FW  |
   +-------------+--+                       +---+--------------+
                 |                             |
            1 GBPS LAN                    1 GBPS LAN
                 |                             |
            ...........                   ..............
            .  L A N  .                   . Datacenter .
            ...........                   ..............
Thanks a lot everyone :)
Julien
--
Julien Vehent - http://jve.linuxwal.info
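A conntrack sizing check for the conntrack and kernel-tuning questions above, as an added example that is not part of the original post. It reads the real nf_conntrack_count/nf_conntrack_max sysctls when run on a Linux box and otherwise falls back to constructed sample values; the 75% warning threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: report how full the Netfilter
# connection-tracking table is. When nf_conntrack_count reaches
# nf_conntrack_max the kernel logs "table full, dropping packet" and new
# flows are dropped, so a firewall carrying 1-10 Gbps needs headroom here.

CT_DIR=/proc/sys/net/netfilter   # real sysctl location on Linux

# conntrack_usage_pct COUNT MAX -> integer percentage of the table in use
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# conntrack_verdict COUNT MAX THRESHOLD -> "ok" or a tuning hint
conntrack_verdict() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "raise net.netfilter.nf_conntrack_max (and hashsize)"
    else
        echo "ok"
    fi
}

# conntrack_report [THRESHOLD] -> one summary line; uses live counters when
# readable, otherwise constructed sample values (assumption for offline runs)
conntrack_report() {
    threshold=${1:-75}
    if [ -r "$CT_DIR/nf_conntrack_count" ] && [ -r "$CT_DIR/nf_conntrack_max" ]; then
        count=$(cat "$CT_DIR/nf_conntrack_count")
        max=$(cat "$CT_DIR/nf_conntrack_max")
    else
        count=52000; max=65536   # constructed: default-sized table under load
    fi
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count/$max entries (${pct}%): $(conntrack_verdict "$count" "$max" "$threshold")"
}

conntrack_report
```

Run it from cron or a monitoring check on each firewall node so the table is grown before it fills, not after the drops appear in dmesg.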