 From:  Alex Neuman van der Hans <alex at nkpanama dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0 scenario
 Date:  Sun, 29 Apr 2007 19:22:31 -0500

Chris Buechler wrote:
> On 4/28/07, Alex Neuman van der Hans <alex at nkpanama dot com> wrote:
>> Dear list,
>>
>> Don't see why not, but just in case, let me know if you see any obstacle
>> for something like the following to work:
>>
>
>
> Aside from what krt said, my primary concerns would be:
> 1) can any PC-based firewall solution provide adequate performance?
> You're talking about allowing CIFS, though didn't specifically mention
> file server. Depending on the amount of traffic you're wanting to
> push, a PC-based solution just may not be fast enough (may be L3
> switch or ASIC firewall territory). If you're looking for wire speed
> gig throughput on 9 ports simultaneously, you can forget about using
> any PC-based solution. If aggregate of a gig or so is adequate, you'll
> be fine with PC hardware.
>
I'm not looking to push wire-speed, since the only "true" 100mbps link 
would be the main network. The other 7 would be remote offices that are 
accessible by a point-to-point link that ends up in the server room as 
an RJ45 ethernet connection (so I don't have to care what the "two tin 
cans and a piece of string" look like on the service provider's side) - 
and the top speed on any one of them is 2mbps.

Since I'd have to push voice, "internet" (phb-speak for web+im), 
pop/imap/smtp, and CIFS between the main server in the main network and 
the remote offices, I thought it would be best to manage the traffic so 
that:

1. Voice gets priority (most of the ATAs and phones speak SIP and not 
IAX - for now)
2. CIFS gets next priority level
3. POP3/SMTP/IMAP next (from clients to server, not from the outside, so 
spam isn't that much of a concern - rogue SMTP-capable worms maybe)
4. Web pages (but only on squid's port since I'm forcing people to go 
through the proxy)
5. Everything else gets the least priority

> 2) adequate hardware sizing for desired throughput, if PC-based
> solution is adequate
>
Should be adequate since only one interface in 9 is wire speed; the 
others are capped at 2mbps.

> 3) getting 9 physical NICs detected
> sometimes FreeBSD gets unhappy with NICs sharing IRQs with other
> hardware, which would be inevitable with that many NICs. VLANs may
> be an easier solution, or possibly the only workable solution.
>
What good 4-port NICs would be recommendable?

> -Chris
>
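The five-tier priority scheme Alex lists above (voice, then CIFS, then mail, then proxied web, then everything else) is easy to state and easy to get subtly wrong in practice, so here is an added example that models it as a strict-priority classifier and scheduler. This is illustration code written for this archive page; it is not m0n0wall's shaper, not ipfw/dummynet configuration, and not anything from the thread. It assumes squid listens on its default port 3128 (the message does not say), and it assumes the ATAs and phones mark their RTP media with DSCP EF (46), because matching SIP on port 5060 alone would prioritise only the signalling while the actual audio travels on negotiated UDP ports. The sample packets are constructed.

```python
"""Strict-priority traffic classification modelled on a five-tier QoS policy.

Added example, not code from the m0n0wall project or the mailing-list thread.
Assumptions (not stated in the thread): squid on TCP 3128; voice devices mark
RTP media with DSCP EF (46). Sample packets below are constructed.
"""
from collections import deque
from dataclasses import dataclass

SQUID_PORT = 3128  # assumption: squid's default port
DSCP_EF = 46       # assumption: Expedited Forwarding mark set by the ATAs/phones

# Priority tiers; a lower number is served first.
VOICE, CIFS, MAIL, WEB, DEFAULT = 1, 2, 3, 4, 5

# (protocol, destination port) -> tier, using the standard IANA ports.
PORT_CLASSES = {
    ("udp", 5060): VOICE,  # SIP signalling
    ("tcp", 5060): VOICE,
    ("tcp", 445): CIFS,    # SMB over TCP
    ("tcp", 139): CIFS,    # NetBIOS session service
    ("tcp", 110): MAIL,    # POP3
    ("tcp", 143): MAIL,    # IMAP
    ("tcp", 25): MAIL,     # SMTP (clients to server only, per the thread)
    ("tcp", SQUID_PORT): WEB,
}


@dataclass(frozen=True)
class Packet:
    seq: int     # arrival order, keeps ordering stable within a tier
    proto: str   # "tcp" or "udp"
    dport: int
    size: int    # bytes on the wire
    dscp: int = 0


def classify(pkt: Packet) -> int:
    """Map a packet to a tier.

    Both the DSCP mark and the port number are set by the sending host, so a
    LAN machine can claim the voice tier by marking EF or talking on 5060.
    A deployment should only honour EF marks from the known voice devices
    (or re-mark at the access switch); this function trusts them as given.
    """
    if pkt.dscp == DSCP_EF:
        return VOICE  # RTP media on dynamic ports is only caught by the mark
    return PORT_CLASSES.get((pkt.proto, pkt.dport), DEFAULT)


def bytes_per_interval(link_mbps: float, interval_ms: int) -> int:
    """Byte budget of a link over one scheduling interval (2 Mbps, 100 ms -> 25000)."""
    return int(link_mbps * 1_000_000 * interval_ms / 1000 / 8)


def drain(packets, budget_bytes: int):
    """Serve queued packets in strict priority order within a byte budget.

    Every queue of a higher tier is emptied before a lower tier gets a byte,
    which is exactly what gives voice its latency guarantee and also what
    starves 'everything else' when the upper tiers fill the 2 Mbps pipe.
    Returns (sent, deferred) as lists of packet seq numbers.
    """
    queues = {tier: deque() for tier in (VOICE, CIFS, MAIL, WEB, DEFAULT)}
    for pkt in sorted(packets, key=lambda p: p.seq):
        queues[classify(pkt)].append(pkt)

    sent, deferred, remaining = [], [], budget_bytes
    for tier in sorted(queues):
        while queues[tier]:
            pkt = queues[tier].popleft()
            if pkt.size <= remaining:
                remaining -= pkt.size
                sent.append(pkt.seq)
            else:
                deferred.append(pkt.seq)  # held for the next interval
    return sent, deferred


# Constructed sample: one interval on a remote-office link, arrival order = seq.
SAMPLE = [
    Packet(1, "tcp", 445, 1460),            # CIFS write
    Packet(2, "udp", 16384, 200, dscp=46),  # RTP audio, caught by the EF mark
    Packet(3, "tcp", 3128, 1460),           # web page via squid
    Packet(4, "tcp", 25, 800),              # client SMTP to the main server
    Packet(5, "tcp", 8080, 1460),           # web bypassing the proxy -> DEFAULT
    Packet(6, "udp", 5060, 600),            # SIP INVITE
    Packet(7, "tcp", 445, 1460),            # another CIFS write
]

if __name__ == "__main__":
    print(drain(SAMPLE, 6000))  # ([2, 6, 1, 7, 4, 3], [5])
```

With a 6000-byte budget the two voice packets leave first regardless of arrival order, the two CIFS segments and the mail segment follow, the proxied web request just fits, and the direct-to-port-8080 request is the one packet deferred, which is the behaviour the policy asks for. The same run also shows the design caveat worth keeping in mind: strict priority has no floor for the bottom tier, so a busy CIFS session on a 2 Mbps link can defer it indefinitely; a weighted scheme (which m0n0wall's shaper can express) trades some voice determinism for a guaranteed minimum share.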