On 09.11.2014 01:49, Yucong Sun wrote:
> Dennis Jacobfeuerborn <dennisml@xxxxxxxxxxxx>
>
> The EdgeRouter's ASIC couldn't handle all use cases. Having some
> special rule will make it go to "offload" disabled mode. You should
> research if that's the problem.

Yes, that seems to be the problem. Unfortunately the only things we use are VLANs and iptables+conntrack, which I consider to be fairly standard features required for basic firewalling. If the system cannot handle traffic at a decent rate with these features then its hardware seems to be ill-spec'ed for its purpose.

Things got better when I was able to enable VLAN offloading...until the CPU stalled and the system rebooted itself. Apparently the offloading is unstable.

None of this inspires confidence in a product that is specifically advertised as a router/firewall that is sold with 8 Gbit ports and promises to handle 2 Mio+ pps.

> As for Linux as a router, the key thing you want to test for is PPS,
> not BPS. Commodity hardware should be able to handle up to 1Mpps. Buy
> the best Xeon within your budget. Don't bother looking at anything else.
> (if your project is serious and needs to survive a DDoS attack)

For now I have chosen a 2 quad-core CPU Xeon system I already have here and that has multiqueue-capable Intel NICs, and have configured the appropriate IRQ affinity and XPS so each queue is handled by a dedicated core. I think this should provide relatively decent performance.

Regards,
Dennis