FreeBSD PF firewall

FreeBSD PF firewall using gigabit Ethernet

Building a firewall using cheap AMD64 hardware and Intel Gigabit Ethernet!

The purpose of this page is:

  • to document a real-life experiment done using FreeBSD and Gigabit Ethernet equipment
I did this experiment while building and finishing a firewall for DKUUG, the Danish Unix User Group.

Equipment used

  • IBM Thinkpad model X31 named Timon
  • Apple PowerBook G4 1.25 GHz named Bigfoot
  • AMD64-based PC with 3 Intel Gigabit Ethernet ports (only two used) named Sobek
  • Asus GigaX 1108 8-port Gigabit switch
  • Cat 5E 1 meter cables

Software used

  • OpenBSD 3.9-beta
  • FreeBSD 6.0 with PF filtering
  • Mac OS X 10.4
  • NetStrain 3.0  (c) 2002 Christoph Pfisterer

Method used - not very scientific, but fun nonetheless :-)

  1. connect two laptops directly with 1 meter cables - measure maximum throughput
  2. connect two laptops through a FreeBSD PF firewall with filtering disabled - measure maximum throughput when routing
  3. connect two laptops through a FreeBSD PF firewall with filtering enabled - measure maximum throughput through the filtering firewall

Measurements done

All measurements are done using Netstrain, which is a nice and simple tool - some may find it too simple.
When you use netstrain you start the netstraind daemon at one end and then run the netstrain client at the other. The client is then run in send, recv or both mode.

Sample run from bigfoot with netstraind started at Timon on IP address 10.3.4.100:
bigfoot# netstrain -4 10.3.4.100 12345 send 
NetStrain 3.0 (c) 2002 Christoph Pfisterer
Looking up hostname 10.3.4.100...
Connecting to 10.3.4.100 port 12345 using IPv4...
Connected
sent: 540M, 28332.1K/s total, 29553.7K/s current
recv'd: 0B, 0B/s total, 0B/s current
^C
Since this method is very dynamic (you can see the numbers being updated) I needed a fixed set of rules for writing down results, so that I could trust them.
The rules I used were:
  • netstraind is run at Timon as root, listening on port 12345
  • netstrain is run at Bigfoot as root
  • run 3 times for each of the send, recv and both settings, each time for at least 15-20 seconds
  • note down the result shown when breaking the run with control-c

Results

Several scenarios were tested, from the simplest connection to the real-life firewall setup, with only one server and one client.
The documented setups are:
  1. Two laptops Bigfoot and Timon directly connected with a 1 meter Cat 5E cable
  2. Two laptops Bigfoot and Timon connected with 1 meter Cat 5E cables to Asus switch ports 1 and 8
  3. Two laptops Bigfoot and Timon connected with cables/switch and the Sobek firewall

Results

These results are from the above experiments with the three setups. Each cell lists the three runs; in "both" mode netstrain reports both a sent and a recv'd rate, shown as sent / recv'd:

Setup | send    | recv    | both (sent / recv'd) | Comments
------+---------+---------+----------------------+------------------------------------------
1     | 52794.4 | 58682.9 | 39659.4 / 34632.1    |
      | 52608.8 | 58348.4 | 39683.5 / 34695.9    |
      | 52856.3 | 58715.9 | 39687.3 / 34713.8    |
2     | 49478.6 | 55902.9 | 39022.8 / 34236.2    |
      | 49927.7 | 56253.6 | 38773.1 / 34064.0    |
      | 49316.6 | 55852.5 | 38259.9 / 33533.6    |
3a    | 28130.0 | 27274.5 | 16740.2 / 15586.4    | Filtering disabled (pfctl -d);
      | 28031.0 | 28296.1 | 16531.0 / 15387.1    | nice top running on firewall:
      | 28135.5 | 28064.6 | 16535.4 / 15397.6    | about 55-60% interrupt, about 40% idle
3b    | 28002.9 | 26571.0 | 17271.8 / 16036.1    | Filtering enabled using ruleset1;
      | 28913.8 | 26243.2 | 17253.4 / 16032.4    | nice top running on firewall:
      | 28161.3 | 26847.5 | 17149.4 / 15944.7    | about 60-64% interrupt, about 37% idle

All results are in K/s as reported by the Netstrain program when breaking the test with ctrl-c after at least 15-20 seconds of runtime.
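To make the bookkeeping behind the rules above repeatable, here is an added example (not code from the original page or from Netstrain) that pulls the "total" rates out of netstrain's client output and summarises the send/recv columns of the table per setup. SAMPLE_RUN is constructed after the sample run shown earlier, the regex assumes that output format, and the figures in RESULTS are copied from the table.

```python
import re
import statistics

# Constructed sample of netstrain client output, modelled on the run shown on this page.
SAMPLE_RUN = """\
NetStrain 3.0 (c) 2002 Christoph Pfisterer
Connected
sent: 540M, 28332.1K/s total, 29553.7K/s current
recv'd: 0B, 0B/s total, 0B/s current
^C
"""

# One status line per direction: "<label>: <bytes>, <rate>/s total, <rate>/s current"
_LINE = re.compile(r"^(sent|recv'd):\s+\S+,\s+([\d.]+)([BKMG])/s total,\s+([\d.]+)([BKMG])/s current")
_UNIT_TO_K = {"B": 1 / 1024, "K": 1.0, "M": 1024.0, "G": 1024.0 ** 2}

def parse_netstrain(output):
    """Return {'sent': K/s, 'recv': K/s} using the 'total' figure, which is the
    number the rules above say to note down when the run is broken with control-c."""
    rates = {}
    for line in output.splitlines():
        m = _LINE.match(line)
        if m:
            key = "sent" if m.group(1) == "sent" else "recv"
            rates[key] = float(m.group(2)) * _UNIT_TO_K[m.group(3)]
    return rates

# send and recv runs (K/s) copied from the results table for setups 2, 3a and 3b.
RESULTS = {
    "2":  {"send": [49478.6, 49927.7, 49316.6], "recv": [55902.9, 56253.6, 55852.5]},
    "3a": {"send": [28130.0, 28031.0, 28135.5], "recv": [27274.5, 28296.1, 28064.6]},
    "3b": {"send": [28002.9, 28913.8, 28161.3], "recv": [26571.0, 26243.2, 26847.5]},
}

def mean_rate(setup, direction):
    """Average of the three runs the method calls for."""
    return statistics.mean(RESULTS[setup][direction])

def pct_drop(from_setup, to_setup, direction):
    """Throughput lost (percent) when moving from one setup to the next;
    negative means the later setup was actually faster."""
    a, b = mean_rate(from_setup, direction), mean_rate(to_setup, direction)
    return (a - b) / a * 100.0

if __name__ == "__main__":
    print(parse_netstrain(SAMPLE_RUN))
    for d in ("send", "recv"):
        print("%s: switch->routing %.1f%%, routing->filtering %.1f%%"
              % (d, pct_drop("2", "3a", d), pct_drop("3a", "3b", d)))
```

Run as a script it shows that inserting the firewall box as a router costs far more (roughly 43% send, 50% recv) than enabling filtering on it afterwards (under 5%), which matches the interrupt load seen in top.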

Production use

Now the firewall has been put into production on a connection at the ISP TDC, and the results I get from another administrator are about 7.9 MB/s from an FTP server behind the firewall to a server in the core of the ISP Cybercity. This is much better than the old firewall's performance, so we are pretty happy.
BTW we use ftpsesame for this firewall, from the FreeBSD ports collection - it works nicely with our servers.

Detailed information

Notes

  1. I seem to remember getting something like 60-70,000 at most when doing a similar experiment from Bigfoot to Fluffy, which is another AMD64-based server
  2. I tested all the cables in the Bigfoot-Timon direct connect experiment, to make sure they were all in working condition
  3. I saw very stable numbers in the first experiments and more irregular numbers when doing the firewall tests
  4. I would have liked to do the experiment with IPv6 but had various problems that prevented that :-(
  5. I would have liked to do the experiments using jumbo frames of 9000 bytes, but didn't find out how to enable it on my Mac OS X :-(
There are multiple ways to redo this experiment and test jumbo frames and IPv6 - I will do that when I find the time.