Building a power efficient Firewall /w 100mbps throughput

    I've been wanting for a long time to build a really, really power-efficient firewall that can offer 100mbps throughput. I've been looking at the VIA EPIA mainboards and there are some really good choices, like this one.

    However, I am unsure if a 33MHz PCI solution will be able to offer 100mbps throughput. I think not; I think at least one of the NICs, preferably both, must be connected directly to the northbridge, thus avoiding the PCI bus max bandwidth limit of 133mbps throughput...

    So I stumbled across Silent PC Review's latest CPU power efficiency article, and there are some really good choices if you are into underclocking and undervolting the CPU nowadays...

    I at first had the opinion that only the VIA CPUs could offer what I want, but I mean an Intel Dothan at 14W or an AMD Turion at 18W is quite impressive to me... Of course the Athlon64 at 20W is probably an even better choice, since it should be cheaper and I can still lower its clock speed to reduce the power consumption even more...

    But there is of course also the possibility of building a Socket 370 system with an Intel Tualatin CPU, or a VIA, but then I really think the Mini-ITX route is better, if a "proper" NIC layout is found, that is...

    So, as you can see, I am pretty open to the CPU choice, but what I want now is a nice mainboard to team this system up with; perhaps Tyan has something nice to offer? I don't know; that is why I am asking... I have no problem buying second-hand items off eBay or anywhere else either...

    Preferably the 2x NICs should be integrated on the mainboard, both to reduce cost but also power consumption... But I guess a board with a NIC that interfaces with the northbridge directly and then a PCI 66MHz slot for a second NIC would be a really nice solution too...

    It would also be cool to build this into either a Mini-ITX chassis or a 1U rackmount chassis, but that is mostly secondary, just for the coolness factor... But in other words, if the mobo has a 1U layout that would be simply great!
    "The one who says it cannot be done should never interrupt the one who is doing it."

    #2
    Re: Building a power efficient Firewall /w 100mbps throughput

    1) There are stock mATX boards that will fit comfortably in 1U mATX cases - I use a stock i810e with a Tualeron, along with a 1U PCI riser and a 4-port 10/100 to make a very nice general-purpose infrastructure appliance - could be storage, router, firewall, webserver, whatever. The most expensive component is usually the 1U PSU, which usually runs over $75 each.

    2) 33 MHz PCI actually supports just short of 1 Gbps (burst). So you can't use it for a router that aggregates, say, 4 x 10/100 into 1 x 1000 back-haul - it can't manage line-speed on all interfaces. However, if all you're doing is 10/100, you can comfortably run 2, 4 or even 8 interfaces with a Linux 2.6 kernel.

    3) Tualerons or even the lowly Mendocino or Via C3 are very reliable CPU choices for 1U boxes. One recent alternative is the S754 Sempron-64 - the main catch is the cost of a low-profile heatsink. They're not that easy to find for S754.

    4) There are a number of even smaller boards using non-standard specialty form-factors and embedded x86 CPUs like the Geode or Via Eden - for instance, check out Soekris Engineering and GCT-Allwell:

    http://www.soekris.com/
    http://www.gctglobal.com/

    #3
    Re: Building a power efficient Firewall /w 100mbps throughput

    Hmm, I did not know that; however, I did some tests...

    I created a new VLAN in my switch and connected my ADSL modem, firewall and one workstation to it... I gave the workstation a "real" internet IP...

    This way I could, from my workstations on the "secure" side of the firewall, access the workstation that was on the "insecure" side of the firewall...

    The firewall is a Proliant 800 server with dual PPro 200MHz processors and 196MB RAM, running the Linux-based firewall distribution IPCOP. I of course had the IDS system deactivated during these tests... The NICs are two 3Com 3c905 33MHz PCI NICs...

    Transferring a big file through the firewall, both ways tested, gave ca 65mbps throughput and 50% CPU load on the firewall; if I simultaneously transferred files between both workstations through the firewall the throughput was ca 20mbps both ways, i.e. 40mbps total. The CPU load on the server was only 30% now...

    A bit disappointed but not surprised, I took the workstation that was on the internet side and moved it from its VLAN into the "big" VLAN where all my other machines are. Of course this also placed it before the firewall; transferring files now I got ca 80mbps throughput either way. But yet again only 20mbps when I transferred files both ways...

    So go figure... 80mbps is pretty close to the theoretical 100mbps, counting in the overhead for the TCP checksum packets; however, I used DU Meter to measure the bandwidth and I thought it calculated in that data also, but guess not?

    The reason I am doing these tests is because I someday hope to move somewhere where 100mbps internet is available, and I don't wanna be handicapped by my hardware then.
    Also of note is that the connection will then be 100mbps both ways, so I really want to build a firewall which can manage all that traffic...

    #4
    Re: Building a power efficient Firewall /w 100mbps throughput

    The actual throughput that you get depends on many things:

    1) How complex the default iptables/netfilter rules are on IPCop. Obviously, if it has got a complex rules table, it's going to take time running each packet through the filter.

    2) The quality of NIC card and its driver. There are very well-architected cards, like the old DEC Tulip, that can give close to the theoretical line speed with minimal CPU overhead on ISRs and so on. There are lousy cards as well, including first-generation Realteks and el-cheapo Tulip clones.

    3) The kernel version. Generally, the network stack on 2.6 is far more efficient than the one on 2.4.

    4) Userland. What sort of services are running on the firewall? A minimal firewall distro like routerlinux is very efficient out of the box and doesn't run much by way of unnecessary stuff on the firewall box:

    http://www.routerlinux.com

    5) What kind of toolchain was used to compile everything. Other things being equal, a kernel compiled with gcc4 and register optimizations is more efficient than one compiled with gcc2 or gcc3 without register optimizations.

    #5
    Re: Building a power efficient Firewall /w 100mbps throughput

    1: I've got 12 active port forwards

    2: 3Com 3C905-TX, a very good NIC that has checksum offload features etc... However, my IPCOP seems to disable it; why could that be?
    Code:
    01:08.0: 3Com PCI 3c905 Boomerang 100baseTx at 0x7400. Vers LK1.1.18
    eth1: Dropping NETIF_F_SG since no checksum feature.

    3: The latest stable IPCOP version is running on 2.4.31; not much I can do about this because I don't wanna recompile it...

    4: It is a dedicated firewall so a minimal number of services are running, though I'm running some logging, DHCP etc etc, but as I said the CPU load is nowhere near 100% ever, so it's at least not affected by that anyway, even though 50% CPU for 75mbps seems way too high for me...

    5: No idea
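
The reply listing throughput factors ties throughput to how complex the iptables rule set is, and the follow-up answers with a count of port forwards. The following is an added example, not code from the thread, from IPCop or from any poster: it audits an iptables-save dump for rules per chain, the worst-case number of rules a packet is tested against when jumps into user chains are followed, the DNAT port forwards (the services exposed inbound), and any forward that lacks an explicit ACCEPT in the filter table. SAMPLE_DUMP, the chain names PORTFW and PORTFWACCESS and the 192.168.1.x hosts are constructed for the example; on a real box you would feed it the output of iptables-save instead.

```python
# Audit an iptables-save dump: rules per chain, jump depth, DNAT port forwards.
# Added example for this thread, not code from IPCop or any poster. The dump,
# the chain names PORTFW/PORTFWACCESS and all hosts are constructed (hypothetical).
import re
from collections import defaultdict

SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:PORTFW - [0:0]
-A PREROUTING -i eth1 -j PORTFW
-A PORTFW -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
-A PORTFW -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
-A PORTFW -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.1.30:5060
-A PORTFW -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.40:3389
COMMIT
*filter
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PORTFWACCESS - [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -j PORTFWACCESS
-A PORTFWACCESS -p tcp -d 192.168.1.10 --dport 22 -j ACCEPT
-A PORTFWACCESS -p tcp -d 192.168.1.20 --dport 80 -j ACCEPT
-A PORTFWACCESS -p udp -d 192.168.1.30 --dport 5060 -j ACCEPT
COMMIT
"""

JUMP_RE = re.compile(r"(?<!\S)-j\s+(\S+)")
PROTO_RE = re.compile(r"(?<!\S)-p\s+(\w+)")
DPORT_RE = re.compile(r"(?<!\S)--dport\s+(\d+)")
DEST_RE = re.compile(r"(?<!\S)-d\s+([\d.]+)")
TO_RE = re.compile(r"--to-destination\s+(\S+)")


def parse_dump(text):
    """Return {"chains": {table: {chain,...}}, "rules": {(table, chain): [rule,...]}}."""
    chains, rules, table = defaultdict(set), defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif line.startswith(":"):          # chain declaration and its policy
            chains[table].add(line[1:].split()[0])
        elif line.startswith("-A "):        # rule appended to a chain
            chain = line.split()[1]
            chains[table].add(chain)
            rules[(table, chain)].append(line)
    return {"chains": dict(chains), "rules": dict(rules)}


def count_rules(parsed):
    """Rules per chain keyed "table/chain"; declared-but-empty chains count 0."""
    return {f"{t}/{c}": len(parsed["rules"].get((t, c), []))
            for t, names in parsed["chains"].items() for c in sorted(names)}


def worst_case_traversal(parsed, table, chain, path=frozenset()):
    """Most rules a packet entering `chain` is tested against, following jumps
    into user chains (a packet matching nothing falls through all of them)."""
    if chain in path:                       # iptables rejects loops; guard anyway
        return 0
    total = 0
    for rule in parsed["rules"].get((table, chain), []):
        total += 1
        m = JUMP_RE.search(rule)
        if m and (table, m.group(1)) in parsed["rules"]:
            total += worst_case_traversal(parsed, table, m.group(1), path | {chain})
    return total


def port_forwards(parsed):
    """(proto, dport, target) for each DNAT rule in nat: the services exposed inbound."""
    found = []
    for (table, _chain), rule_list in parsed["rules"].items():
        for rule in rule_list:
            to = TO_RE.search(rule)
            if table != "nat" or "-j DNAT" not in rule or not to:
                continue
            proto, dport = PROTO_RE.search(rule), DPORT_RE.search(rule)
            found.append((proto.group(1) if proto else "any",
                          int(dport.group(1)) if dport else 0, to.group(1)))
    return sorted(found)


def unfiltered_forwards(parsed):
    """Forwards whose target host:port has no explicit ACCEPT in filter (dead under
    a DROP policy, open only by policy under ACCEPT); worth a second look either way."""
    accepted = set()
    for (table, _chain), rule_list in parsed["rules"].items():
        for rule in rule_list:
            d, p = DEST_RE.search(rule), DPORT_RE.search(rule)
            if table == "filter" and d and p and "-j ACCEPT" in rule:
                accepted.add((d.group(1), int(p.group(1))))
    missing = []
    for proto, dport, target in port_forwards(parsed):
        host, _, port = target.partition(":")
        if (host, int(port) if port else dport) not in accepted:
            missing.append((proto, dport, target))
    return missing


if __name__ == "__main__":
    p = parse_dump(SAMPLE_DUMP)
    print(count_rules(p), "worst-case FORWARD:", worst_case_traversal(p, "filter", "FORWARD"))
    print("forwards:", port_forwards(p), "no filter ACCEPT:", unfiltered_forwards(p))
```

Run it as a script for a summary of the constructed dump, or pass real iptables-save output to parse_dump. The worst-case figure counts chain length only; individual matches differ in cost, so treat it as a rough proxy for per-packet filtering work rather than a timing. The unfiltered-forward check is the defensive half of the audit: a DNAT with no matching filter rule is either silently dead or reachable only because of the chain policy, and both cases deserve an explicit decision.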