On Sun, Jan 28, 2001 at 12:38:36AM +0100, Alois Treindl wrote:
> Hi
>
> I will be setting up a LVS with one director, 100 mbit Internet
> connection, and four web servers.
>
> I want to use the director also as a packet filtering firewall, with two
> interfaces. I have not enough funds and see no real need for an extra
> "real" firewall.
>
> As far as I understand it, DR would not have a performance advantage in
> that case over NAT, because all outgoing packets from the realservers
> still have to pass the director/firewall.
[snip]
My (informed) opinion is that the main performance advantage of using DR
over NAT is derived from return traffic not having to return through the
box. If you are using 100Mb/s networking then NAT should easily be
able to cope with this. You will probably incur a _slight_ latency penalty
but I doubt that this will be a problem. If I were you I would use
NAT as it is going to be a lot easier to set up and should run more
than fast enough for your needs.
If you are really worried about performance you should look into:
* Gigabit NICs
* Using 64bit/66MHz PCI bus (instead of 32bit/33MHz)
* Using the 2.4 kernel instead of 2.2
However, you won't see any real performance gains unless you are worried
about more than 100Mb/s of _sustained_ traffic.
DR is a nice way to get more than 100Mb/s of traffic on a network that is
only 100Mb/s but has more external bandwidth than that. If all your traffic
is going through a firewall with 2 100Mb/s NICs then this doesn't apply to
your configuration. Hence, you are better off using NAT.
--
Horms
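As an added example that is not part of the original thread or of the LVS project, the script below builds the ipvsadm command list for the two-NIC director discussed above in NAT mode (the `-m`, masquerading, forwarding method Horms recommends) and, for comparison, the same service in DR mode (`-g`, gatewaying). It prints the commands by default (DRY_RUN=1) so they can be reviewed before being applied as root; all addresses, interface names, weights and the scheduler choice are constructed assumptions, and the packet-filter rules for the firewall role are deliberately left out.

```shell
#!/bin/sh
# Added example, not from the original thread: LVS-NAT director with two
# NICs, expressed as functions that emit ipvsadm/sysctl commands.
# Every address and interface name below is a constructed placeholder.
VIP=203.0.113.10          # public address clients connect to (assumed)
EXT_IF=eth0               # Internet-facing NIC (assumed)
INT_IF=eth1               # NIC on the realserver LAN (assumed)
DIRECTOR_INT=192.168.10.1 # director's inside address (assumed)
REALSERVERS="192.168.10.11 192.168.10.12 192.168.10.13 192.168.10.14"

# lvs_nat_commands prints the director-side setup for LVS-NAT.
# In NAT mode the director rewrites the destination to a realserver and
# the reply crosses the director again on the way back (hence ip_forward).
lvs_nat_commands() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "ipvsadm -C"
    echo "ipvsadm -A -t ${VIP}:80 -s wlc"
    for rip in $REALSERVERS; do
        # -m = masquerading (NAT); -w 1 = equal weight for every realserver
        echo "ipvsadm -a -t ${VIP}:80 -r ${rip}:80 -m -w 1"
    done
}

# realserver_nat_route prints the one change each realserver needs under
# NAT: its default route must point back at the director's inside address,
# otherwise replies bypass the director and never get un-NATed.
realserver_nat_route() {
    echo "route add default gw ${DIRECTOR_INT} ${INT_IF}"
}

# lvs_dr_commands prints the same virtual service in DR mode for comparison.
# -g = gatewaying: the director only forwards the request frame, and the
# realserver answers the client directly, so replies never touch the director.
lvs_dr_commands() {
    echo "ipvsadm -C"
    echo "ipvsadm -A -t ${VIP}:80 -s wlc"
    for rip in $REALSERVERS; do
        echo "ipvsadm -a -t ${VIP}:80 -r ${rip}:80 -g -w 1"
    done
}

# apply_or_print either shows the command list (DRY_RUN=1, the default)
# or feeds it to a shell; applying for real requires root and ipvsadm.
apply_or_print() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        cat
    else
        sh
    fi
}

# Usage: review first, then run with DRY_RUN=0 on the director.
lvs_nat_commands | apply_or_print
```

Running it with no environment set only prints the NAT command list; the `lvs_dr_commands` output differs from it in exactly one respect (`-g` instead of `-m`, and no `ip_forward` requirement), which is the whole DR-versus-NAT distinction the thread is about.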