With the current discussion of "Performance of CentOS as a NAT gateway", I am curious how many people out there are using CentOS as a Router/Firewall in an enterprise or service provider environment. For myself I am not really concerned about NAT, just a stateful firewall.
The other half of my question is about performance. I have read many articles and posts on the net about performance tuning, but they all seem to be about tuning a single host, not a router. Does anyone have any tips in this area? Is tuning even required?
For the sake of the conversation let's assume I am referring to CentOS 5.
Graham Johnston Manager, Network Services Westman Communications Group 204.571.7225 johnstong@westmancom.com
Graham Johnston wrote:
> With the current discussion of "Performance of CentOS as a NAT gateway", I am curious how many people out there are using CentOS as a Router/Firewall in an enterprise or service provider environment. For myself I am not really concerned about NAT, just a stateful firewall.
> The other half of my question is about performance. I have read many articles and posts on the net about performance tuning, but they all seem to be about tuning a single host, not a router. Does anyone have any tips in this area? Is tuning even required?
> For the sake of the conversation let's assume I am referring to CentOS 5.
My best tip for tuning performance:
Don't, until performance becomes an issue; otherwise you have no basis for determining whether performance has improved.
-Ross
______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
Ross S. W. Walker wrote:
> Graham Johnston wrote:
> > With the current discussion of "Performance of CentOS as a NAT gateway", I am curious how many people out there are using CentOS as a Router/Firewall in an enterprise or service provider environment. For myself I am not really concerned about NAT, just a stateful firewall.
> > The other half of my question is about performance. I have read many articles and posts on the net about performance tuning, but they all seem to be about tuning a single host, not a router. Does anyone have any tips in this area? Is tuning even required?
> > For the sake of the conversation let's assume I am referring to CentOS 5.
> My best tip for tuning performance:
> Don't, until performance becomes an issue; otherwise you have no basis for determining whether performance has improved.
Let me add a second tip:
Don't tune a parameter unless you know what it does.
-Ross
> My best tip for tuning performance:
> Don't, until performance becomes an issue; otherwise you have no basis for determining whether performance has improved.
> Let me add a second tip:
> Don't tune a parameter unless you know what it does.
While probably not popular, those are very good tips.
I can give you some comparative performance info using CentOS3 and CentOS4. CentOS5 will probably give equal or slightly better performance depending on specific configurations.
Hardware: 4 Dell PowerEdge 350's (2 routers, 2 NAT firewalls), PIII-850, 512 Mb RAM
Bandwidth: average 25-35Mbps; peak 80Mbps sustained for 1-2 hours; 10k-25k connections
NAT Firewall: CPU usage approx 2-8%
Router: CPU usage approx 2-4%
With the above specs, I was approaching the connection threshold with 512Mb RAM (32768 = theoretical max) and beginning to drop connections. This was quickly fixed by adding an additional 512Mb RAM and adjusting the CONNTRACK_MAX accordingly.
Hope this helps. All boxes were running Keepalived for failover. Fairly straight forward routing so no software used except routing tables, IP, and IP forwarding.
Hope this helps! -Ken
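The 32768 figure Ken hit with 512 Mb of RAM is the default connection tracking ceiling those kernels computed from memory size. As an added example (not from the thread), the following POSIX shell script reproduces that rule of thumb and checks live table usage against the ceiling, so the "approaching the threshold and dropping connections" condition is flagged before it bites. The 25000 sample count and the 75%/90% thresholds are this example's own choices, not kernel values.

```shell
#!/bin/sh
# Added example, not from the thread: size-check the netfilter connection
# tracking table so a nearly full table is reported before new connections
# start being dropped.

# Default ip_conntrack_max rule of thumb for the 2.4 / early 2.6 kernels that
# CentOS 3 and 4 shipped: RAM in bytes / 16384. 512 MiB gives 32768, the
# "theoretical max" quoted in the thread. (The kernel derives it as
# 8 * hash buckets with buckets = RAM/16384/sizeof(struct list_head), which on
# a 32-bit box like the PIII above collapses to the same number.)
conntrack_default_max() {
    echo $(( $1 / 16384 ))
}

# Classify table usage. Prints "OK|WARNING|CRITICAL <pct>%" and returns
# 0, 1 or 2 so it can drive a cron job or a Nagios-style check.
# The 75% / 90% thresholds are this example's choice, not kernel values.
conntrack_status() {
    count=$1
    max=$2
    pct=$(( count * 100 / max ))
    if [ "$pct" -ge 90 ]; then echo "CRITICAL ${pct}%"; return 2; fi
    if [ "$pct" -ge 75 ]; then echo "WARNING ${pct}%"; return 1; fi
    echo "OK ${pct}%"
    return 0
}

# Read a live value ("count" or "max"). The /proc path moved between kernel
# generations: CentOS 4/5 expose ip_conntrack_*, later kernels nf_conntrack_*.
conntrack_read() {
    for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_$1 \
             /proc/sys/net/netfilter/nf_conntrack_$1; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    return 1
}

# Stand-alone run: use live values when this is a netfilter box, otherwise
# fall back to the thread's numbers (512 MiB RAM, 25k connections at peak;
# the 25000 is a constructed sample value).
main() {
    max=$(conntrack_read max) || max=$(conntrack_default_max $((512 * 1024 * 1024)))
    count=$(conntrack_read count) || count=25000
    conntrack_status "$count" "$max"
}

main
```

Run it from cron on the firewall and alert on a non-zero exit status; raising ip_conntrack_max (with the RAM to back it, as Ken did) is the fix when it reports WARNING or CRITICAL under normal load.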
On Tue, 2007-09-11 at 13:43 -0400, Ken Price wrote:
> > My best tip for tuning performance:
> > Don't, until performance becomes an issue; otherwise you have no basis for determining whether performance has improved.
> > Let me add a second tip:
> > Don't tune a parameter unless you know what it does.
> While probably not popular, those are very good tips.
> I can give you some comparative performance info using CentOS3 and CentOS4. CentOS5 will probably give equal or slightly better performance depending on specific configurations.
> Hardware: 4 Dell PowerEdge 350's (2 routers, 2 NAT firewalls), PIII-850, 512 Mb RAM
> Bandwidth: average 25-35Mbps; peak 80Mbps sustained for 1-2 hours; 10k-25k connections
> NAT Firewall: CPU usage approx 2-8%
> Router: CPU usage approx 2-4%
> With the above specs, I was approaching the connection threshold with 512Mb RAM (32768 = theoretical max) and beginning to drop connections. This was quickly fixed by adding an additional 512Mb RAM and adjusting the CONNTRACK_MAX accordingly.
> Hope this helps. All boxes were running Keepalived for failover. Fairly straight forward routing so no software used except routing tables, IP, and IP forwarding.
> Hope this helps! -Ken
Ken,
In your configuration did you tune any sysctl settings or leave with defaults?
Graham Johnston Manager, Network Services Westman Communications Group 204.571.7225 johnstong@westmancom.com
I pretty much left them at the defaults. I tuned a couple of TCP settings based on RHEL's best practices guide, but there wasn't any noticeable performance impact.
> In your configuration did you tune any sysctl settings or leave with defaults?
Graham Johnston wrote:
> With the current discussion of "Performance of CentOS as a NAT gateway", I am curious how many people out there are using CentOS as a Router/Firewall in an enterprise or service provider environment. For myself I am not really concerned about NAT, just a stateful firewall.
For stateful firewalls, one should use OpenBSD and pf if .
netfilter has caught up on the stateful side with TCP window tracking, but I do not think that support is in CentOS 4 and below. CentOS 5 should have it.
> The other half of my question is about performance. I have read many articles and posts on the net about performance tuning, but they all seem to be about tuning a single host, not a router. Does anyone have any tips in this area? Is tuning even required?
If it is a natting firewall, forget about performance. There is a maximum to natting support beyond configuring the maximum number of connections being tracked.
Bridging stateful firewalls will find OpenBSD both more stable and better performing. Non-natting stateful firewalls no comment sorry.
> For the sake of the conversation let's assume I am referring to CentOS 5.
For full stateful support, we would have to. All previous CentOS releases only offer connection tracking.
Graham Johnston wrote:
> With the current discussion of "Performance of CentOS as a NAT gateway", I am curious how many people out there are using CentOS as a Router/Firewall in an enterprise or service provider environment. For myself I am not really concerned about NAT, just a stateful firewall.
Our firewall runs on CentOS 5, x86_64.
It runs on a HP Workstation with dual core Xeon 5140 2.33 GHz.
Intel dual 82571EB NIC, one NIC for the external (we have 1 Gbit internet connection), and one NIC for the internal connections (two VLANs, one with DMZ other with ~250 machines). No NAT.
This is of course not a big setup, but the CentOS/Fedora mirror in the DMZ does give some traffic.
The iptables setup has 119 rules.
No problems whatsoever with performance.
I've made a kickstart configuration for the firewall. If we get a hardware crash on the fw, we can take another machine and get it up and running as a new firewall within a few minutes (the most time-consuming part is formatting the root partition). This is quite a nice setup.
Mogens
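As an added example, not Mogens's actual configuration, the following shell script emits the shape of a stateful, non-NAT forwarding ruleset for that kind of layout (an external NIC, and an internal NIC carrying a DMZ VLAN and a user VLAN) in iptables-restore format, together with the few sysctls a forwarding firewall needs. The interface names eth0/eth1.10/eth1.20, the 192.0.2.0/24 and 198.51.100.0/24 prefixes (RFC 5737 documentation ranges) and the published ports 80 and 873 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Mogens's ruleset: a minimal stateful, non-NAT forwarding
# firewall for a CentOS 5 era kernel, emitted in iptables-restore format plus
# the handful of sysctls forwarding needs. Interfaces and prefixes below are
# constructed placeholders.
EXT_IF=${EXT_IF:-eth0}               # internet-facing NIC
DMZ_IF=${DMZ_IF:-eth1.10}            # DMZ VLAN sub-interface on the internal NIC
LAN_IF=${LAN_IF:-eth1.20}            # user VLAN sub-interface on the internal NIC
DMZ_NET=${DMZ_NET:-192.0.2.0/24}
LAN_NET=${LAN_NET:-198.51.100.0/24}

# Only what a forwarding firewall needs; everything else stays at the
# defaults, in line with the tuning advice earlier in the thread.
gen_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
EOF
}

# Filter table only: there is no *nat table at all, so no NAT work per
# packet, while conntrack still supplies the state for ESTABLISHED,RELATED.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Out-of-state packets (including out-of-window TCP once window tracking is on) are dropped first.
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN may initiate anywhere; DMZ may initiate outbound only, never into the LAN.
-A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
-A FORWARD -i $DMZ_IF -s $DMZ_NET -o $EXT_IF -m state --state NEW -j ACCEPT
# Published DMZ services (HTTP and rsync for a distro mirror, as in the thread).
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_NET -p tcp -m multiport --dports 80,873 -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
EOF
}

# Small helpers used by the stand-alone run to summarise what was generated.
rule_count() { gen_ruleset | grep -c '^-A'; }
has_nat_table() { gen_ruleset | grep -q '^\*nat'; }

main() {
    gen_sysctl
    echo
    gen_ruleset
    echo "# $(rule_count) rules generated; nat table present: $(has_nat_table && echo yes || echo no)"
}

main
```

Pipe gen_ruleset's output into iptables-restore, or save it as /etc/sysconfig/iptables, which is where the CentOS 5 iptables init script loads the ruleset from, and append gen_sysctl's output to /etc/sysctl.conf. The FORWARD chain's DROP policy plus the single ESTABLISHED,RELATED rule is what makes it stateful; the DMZ-to-LAN drop sits before the DMZ outbound accept so a compromised DMZ host cannot open connections inward.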