Casual Firewall / VPN benchmarking
Wednesday, 08. 12. 2009 – Category: vague
Two datacentres, each with a pair of 2.5GHz Xeon firewalls running OpenBSD. Benching with iperf yielded the following:
- Between firewall pair, LAN
  [ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec
  [ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec
  [ 3] 0.0-10.0 sec 1017 MBytes 853 Mbits/sec
- Firewall to firewall between DCs, outside VPN, no PF
  [ 3] 0.0-10.0 sec 1.02 GBytes 873 Mbits/sec
  [ 3] 0.0-10.0 sec 992 MBytes 832 Mbits/sec
  [ 3] 0.0-10.0 sec 986 MBytes 827 Mbits/sec
- Firewall to remote internal host, outside VPN, through PF NAT (rdr)
  [ 3] 0.0-10.0 sec 260 MBytes 218 Mbits/sec
  [ 3] 0.0-10.0 sec 202 MBytes 170 Mbits/sec
  [ 3] 0.0-12.3 sec 333 MBytes 228 Mbits/sec
- Internal host to internal host, over IPsec VPN (ESP), through PF
  [ 3] 0.0-10.1 sec 43.9 MBytes 36.4 Mbits/sec
  [ 3] 0.0-10.1 sec 26.2 MBytes 21.8 Mbits/sec
  [ 3] 0.0-11.3 sec 28.0 MBytes 20.8 Mbits/sec
- Internal host to internal host, over OpenVPN, through PF
  [ 3] 0.0-10.0 sec 161 MBytes 134 Mbits/sec
  [ 3] 0.0-10.0 sec 144 MBytes 121 Mbits/sec
  [ 3] 0.0-10.0 sec 145 MBytes 121 Mbits/sec
Care was taken to use optimal ciphers, appropriate MTU / MSS and the TCP stack was tuned throughout.
- IPsec really hurts without hardware acceleration
- There’s a surprisingly large hit for just NAT
- Neither VPN technology can benefit from the multiple cores available to it
- OpenVPN’s speed is appealing, but it lacks the smooth route to high availability of CARP + pfsync + sasync of IPsec on OpenBSD
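As an added example (not code from the original post), a small Python parser for the iperf summary lines above: it averages the three runs of each path and reports what share of the LAN baseline each path retains, which makes the NAT, IPsec and OpenVPN hits comparable at a glance. The scenario names in RUNS are mine; the figures are the ones quoted in the post.

```python
import re
from statistics import mean

# One iperf summary line looks like "[ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec".
IPERF_LINE = re.compile(
    r"\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+\wBytes\s+([\d.]+)\s+([KMG])bits/sec"
)
UNIT_TO_MBIT = {"K": 1e-3, "M": 1.0, "G": 1e3}


def parse_iperf(text):
    """Return the throughput (Mbit/s) of every iperf summary line found in text."""
    rates = []
    for line in text.splitlines():
        m = IPERF_LINE.search(line)
        if m:
            rates.append(float(m.group(1)) * UNIT_TO_MBIT[m.group(2)])
    return rates


def compare(runs, baseline):
    """Map scenario -> (mean Mbit/s, percent of the baseline scenario's mean)."""
    base = mean(parse_iperf(runs[baseline]))
    return {
        name: (round(avg, 1), round(100 * avg / base, 1))
        for name, avg in ((n, mean(parse_iperf(t))) for n, t in runs.items())
    }


# Figures copied from the post above, three iperf runs per scenario.
RUNS = {
    "LAN": "[ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec\n"
           "[ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec\n"
           "[ 3] 0.0-10.0 sec 1017 MBytes 853 Mbits/sec",
    "inter-DC, no PF": "[ 3] 0.0-10.0 sec 1.02 GBytes 873 Mbits/sec\n"
                       "[ 3] 0.0-10.0 sec 992 MBytes 832 Mbits/sec\n"
                       "[ 3] 0.0-10.0 sec 986 MBytes 827 Mbits/sec",
    "PF NAT (rdr)": "[ 3] 0.0-10.0 sec 260 MBytes 218 Mbits/sec\n"
                    "[ 3] 0.0-10.0 sec 202 MBytes 170 Mbits/sec\n"
                    "[ 3] 0.0-12.3 sec 333 MBytes 228 Mbits/sec",
    "IPsec ESP": "[ 3] 0.0-10.1 sec 43.9 MBytes 36.4 Mbits/sec\n"
                 "[ 3] 0.0-10.1 sec 26.2 MBytes 21.8 Mbits/sec\n"
                 "[ 3] 0.0-11.3 sec 28.0 MBytes 20.8 Mbits/sec",
    "OpenVPN": "[ 3] 0.0-10.0 sec 161 MBytes 134 Mbits/sec\n"
               "[ 3] 0.0-10.0 sec 144 MBytes 121 Mbits/sec\n"
               "[ 3] 0.0-10.0 sec 145 MBytes 121 Mbits/sec",
}

if __name__ == "__main__":
    for name, (avg, pct) in compare(RUNS, "LAN").items():
        print(f"{name:16} {avg:7.1f} Mbit/s  {pct:5.1f}% of LAN")
```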
Firefox extensions for Amazon Web Services
Wednesday, 08. 12. 2009 – Category: vague
These two Firefox extensions are soothing the pain between the CLI and the AJAX-with-treacle web interface:
There’s bound to be something that draws together all the foreign keys – AMI, volume, instance, reservation etc – but I’ve yet to find that. Been putting off writing it for a while…
iLO port forwards
Wednesday, 08. 5. 2009 – Category: stash
(woah, neglected blog)
HPaq’s iLO is a strange beast: its functionality seems split between the SSH CLI and the web interface. Depending on your particular mission, some goals are only achievable using the whole ActiveX / Java remote console in IE. Sigh.
To get this flying from virtualised VMware, here’s the full SSH mutter to forward the ports via an access host. I’m always forgetting it, thus this post.
sudo ssh -g -L 80:${IP}:80 -L 3389:${IP}:3389 -L 443:${IP}:443 -L 17988:${IP}:17988 -L 17990:${IP}:17990 -L 23:${IP}:23 access005.example.com
IP is the iLO’s address. -g allows the port forwards to be reachable via other LAN hosts (eg: the VMware guest). The sudo sorts the forwards for those super-privileged < 1024 ports.
Yes, that really is port 23 – telnet.