Looking for a bandwidth-sharing solution
I am looking for a QoS solution for about 4k users and 600Mbit of bandwidth; the current HTB can't keep up or is badly written. Since I have to deploy something, maybe you know of a better solution.
openbsd + pf
http://openbsd.org/faq/
http://openbsd.org/faq/pf
Added:
pfSense
http://www.pfsense.org/
I don't remember exactly, but at some number of sessions established simultaneously per unit of time, the Linux kernel falls over when doing NAT, while the BSD kernel keeps working. On the other hand, you can't configure as many things here as you can under Linux. That's just what came to mind from a conversation with a certain admin. I can't back this up with links, and I'm not 100% sure of what I wrote either. That is already the territory of scientific theses.
http://openbsd.org/faq/pf/perf.html
"How much bandwidth can PF handle?"
"How much computer do I need to handle my Internet connection?"
There are no easy answers to those questions. For some applications, a 486/66 with a pair of good ISA NICs could filter and NAT close to 5Mbps, but for other applications a much faster machine with much more efficient PCI NICs might end up being insufficient. The real question is not the number of bits per second but rather the number of packets per second and the complexity of the ruleset.
PF performance is determined by several variables:
Number of packets per second. Almost the same amount of processing needs to be done on a packet with 1500 byte payload as for a packet with a one byte payload. The number of packets per second determines the number of times the state table and, in case of no match there, filter rules have to be evaluated every second, determining the effective demand on the system.
Performance of your system bus. The ISA bus has a maximum bandwidth of 8MB/sec, and when the processor is accessing it, it has to slow itself to the effective speed of a 80286 running at 8MHz, no matter how fast the processor really is. The PCI bus has a much greater effective bandwidth, and has less impact on the processor.
Efficiency of your network card. Some network adapters are just more efficient than others. Older rl(4) Realtek 8139 based cards tend to be relatively poor performers (newer re(4)-based Realtek cards are much better), while Intel 21143 (dc(4)) based cards tend to perform very well. For maximum performance, consider using gigabit Ethernet cards, even if not connecting to gigabit networks, as they have much more advanced buffering.
Complexity and design of your ruleset. The more complex your ruleset, the slower it is. The more packets that are filtered by keep state and quick rules, the better the performance. The more lines that have to be evaluated for each packet, the lower the performance.
Barely worth mentioning: CPU and RAM. As PF is a kernel-based process, it will not use swap space. So, if you have enough RAM, it runs, if not, it panics due to pool(9) exhaustion. Huge amounts of RAM are not needed -- 32MB should be plenty for close to 30,000 states, which is a lot of states for a small office or home application. Most users will find a "recycled" computer more than enough for a PF system -- a 300MHz system will move a large number of packets rapidly, at least if backed up with good NICs and a good ruleset.
Added: pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.
This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus.