Re: [lvs-users] [OT] High Performance Linux Firewall / VPN Device?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] [OT] High Performance Linux Firewall / VPN Device?
Cc: "Robinson, Eric" <eric.robinson@xxxxxxxxx>
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Thu, 6 Oct 2011 17:27:02 -0700 (PDT)

On Wed, 17 Aug 2011, Robinson, Eric wrote:

I remember you were talking about upgrading your Juniper
gear if you couldn't find an open source solution.

I assume you've already found your solution to this problem, 
but better late than never...

I was at a computer bash tonight where I happened to be 
talking to the local F5 Field Systems Engineer.

The F5 guy said that their VPN was cheaper than Juniper's 
for better performance (I have no idea myself, this is just 
FYI).

Other things I didn't know about F5

o they run CentOS with their own F5 TCP/IP stack (they used 
to be FreeBSD but rewrote it for CentOS)

o they have their own hardware (well Mobo anyhow, the FSE 
doesn't know if they have their own NICs). (Some other 
company who I've forgotten just used commodity hardware all 
around.)

o you can download the F5 VM for free and run it in VMware. 
You won't get the performance you get on the F5 hardware, but 
you will get to test the management of it.

o they reply route on the MAC address of the incoming 
packet, so the reply packet doesn't go through a routing 
table.

The FSE says you don't get much performance if you're doing 
SSL offload in software on a standard CPU in something like 
OpenVPN. You need a hardware accelerator card to get 
anywhere.

Joe

>> OpenVPN Access Server is super easy to install and fairly
>> easy to configure.
>>
>> I deployed it at work and it's been working quite well for
>> us. However, we currently don't have more than about 10
>> people using it at the same time.
>>
>
> We would have a couple thousand people using it, with hundreds of
> tunnels. :-/
>
>
>> Since it's SSL, it's CPU bound.  Just throw RAM and more CPU
>
> That shoots it down for us. We need IPSEC. :-(
>
> --Eric
>
>
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
