NS performance and system requirements

hardware

(Zimny) #1

Can anyone give an idea of performance in NS?
What I mean:

  1. Router -> how many entries it can handle
  2. VPN performance
  3. Firewall throughput

I got an issue when bypassing the i2p network through the NS gateway.
In my scenario, with a high capacity i2p router in the LAN and port forwarding to it, I get low performance on the NS gateway.
Surely with port forwarding I could not get any impact on the NS gateway, but it seems it is not that way.
Regardless of port forwarding, I have created firewall rules to accept all traffic from the i2p service, which I defined in the services tab.

I think this is regarding the performance of NS routing capabilities.

Does anyone have some advice or experience?


How to use NS to connect DarkNet and don't overkill NS in the same time
(Stefano Zamboni) #2

Your question has no answer
The only one can be “it depends”
CPU, ram, nic’s type and driver, infrastructure…


(Zimny) #3

Are you sure about router/gateway functionality?
You think that this depends noware?
Router pages/performance
This is not hardware dependent only software
The question was to CentOS developers


(Zimny) #4

So guys, you like to develop this software without any responsibility to improve?
Just connect a few pieces of software without any considerations about it?
I know you can consider me like a troll in the forum, but does anyone have the balls to answer it?


(Stefano Zamboni) #5

So your best bet is to search for info about centos 7 as router/firewall elsewhere (centos’ related ml and forums for example)
BTW, without knowing which kind of connection you have (1Mbit is quite different from 1Gbit) it’s impossible to answer you
And the hw part is relevant too, because a RTL nic can be a bottleneck where an Intel one is not


(James Nesbitt) #6

You’re being rather unfair to NethServer and those who work hard to improve it.

A 3+Ghz CPU with 64+Gb RAM with high speed SSD HDD and a 1GB NIC and 100Mb Internet connection will outperform a 1.5Ghz CPU with 2Ghz RAM with a mechanical HDD and 100 NIC and 5Mb Internet connection.

The software will only perform as well as the hardware it is running on allows it to.

Some more details on your hardware specs and the number of firewall and port forwarding rules would help people better frame the answer. Otherwise any answer given is just a guess.


(Zimny) #7

You guys can really surprise sometimes
So your meaning of router is that it is just hardware based?
Did you ever hear about concurrent connections or the router table?
You believe that this is defined by hardware?
Give me a break, and please can I ask people who know what they are talking about to be involved in this thread


(Zimny) #8

Love part about 1Mbit against 1Gig
Thank you
Regardless meaning nothing I can see no experience in working environment at all.
But thanks anyway for info about NICs


(Zimny) #9

When you are buying a router for a big capacity network, what is your first question regardless of features?
How many entries it can handle
NS is a software distro so this must be defined somewhere, isn’t it?
Then we can have a lot of arguments about how to adjust these parameters against your hardware.
So again. Has anyone dealt with this already, or can we expect answers from people who google the subject


(James Nesbitt) #10

NS is based on CentOS, so any such information would also be on the CentOS websites.

When you say large capacity network, what do you mean? Does it have 20 or 100 or 5000 or 100,000 users? Large capacity can mean different things to different people.

The CPU and memory resources required to process the firewall rules and other services for 10-100 users will be different for 5000 or 100,000 users.

Any sysadmin who has sourced firewalls clearly understands this and, if worth his salt, would provide some basic information regarding their requirements / infrastructure in order to gain a clear and accurate answer from the vendors when asking for recommendations.


(Stéphane de Labrusse) #11

The biggest system I know is/was a NS in a Romanian university, @GG_jr could add an answer here, around 4000 users IIRC

At the end I’m not sure NS is designed to replace the google infrastructure even if it could do the trick.


(Gabriel GHEORGHIU) #12

Hi Stephane,

To my shame, I do not know!

But as has been said so far, it depends very much on what it does.
The more it is used for more functions at the same time, the more it needs more processing power.
If it’s used for presentation websites, it’s one, for ecommerce sites, it’s different.
Differently is when using it as an email server.
If it is used as a router (Proxy), it is the problem of the number of LAN users. If we add any VPN connections …
If we use it as AiO Server (Proxy, Web Server, Mail Server, FTP Server, VPN Server, DC / AD Server, File Server, Print Server, PBX, Nextcloud, … with all protection systems enabled) we need more processing power (CPU and RAM) and fast hard drives. Let’s not forget about the quality of the used network cards.
The quality of the hardware is as important as the quality of the software.
I have seen many specifications for different UTM Appliances.
Common points are motherboards, network cards and operating system.
Depending on the number of LAN users, the differences, for the same manufacturer, are given by CPU, RAM, and HDD capacity. All of this has an impact on how it works.


(Rob Bosch) #13

It has been mentioned before, but maybe we could make a list of testcases and measure the performance.
Then document this so we can use it for future needs.
Anyone willing/able to do so?


(Zimny) #14

Good

First of all I like this idea. This can contribute when we are talking about implementation of NS in different scenarios.

Of course and this is not a subject in this lab.
Surely all modern gateway/firewall appliances can handle a lot of traffic with a simple 2 core processor.
This is because these devices are not designed just around the implemented hardware.
Not sure what kind of environment you have had access to already, but I can see a lack of understanding of what a gateway means/performs and how this operates on the hardware.
First you need to understand that these devices have software (operating system) with predefined features and restrictions on it.
What you miss in this topic is exactly the differences in environment, which can be considered on the user basis or as general performance of the unit, which again can be hardware or OS dependent.
This is why you think this is just depending on the hardware and finally end up completely misunderstanding the topic.

How I get to the question in this topic?
Scenario:
4core 3.4Ghz machine with 16G of RAM and SSD.

will not comment here “mechanical HDD” because I know what are the differences in SSD and HDD standard already.

Setting up port forwarding on one port for the LAN based another router who is dealing very specific with in my scenario I2P gateway.

NS (4 cores, 16G RAM, etc. as described). This machine already has the hardware performance to deal with hundreds of firewall checks per second.
So if you are stuck with a router table performance issue you will not see the impact on your processor etc., simply because this is not the issue. The issue here is the router/NAT table, which can handle the exact amount of entries defined in the config.
So what you can reproduce in your tests is that when you overload the NS gateway on the one port with too many entries, this will have an impact on all of the NS gateway, not just the forwarded port, and finally you will not be able to check it through your NS processor overload or any other hardware component because this is not related.

That was the idea of this topic.
I believe (still, even after these DKIM issues already given up by NS coders) that NS is a great piece of software and because of its modularity can be used for a lot of implementations.

You have been already like a great documented project from which one I follow.
Why don’t think about this kind of section in your how to/faq/documentation book.
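
The "router/NAT table" limit described in post #14, as an added example that is not part of the original thread: on a Linux gateway such as the CentOS 7 base mentioned earlier, port-forward (NAT) state is held in the netfilter connection-tracking table, and this script compares its current entry count with its configured maximum and counts kernel "table full" drop messages. The function names and the sample log lines are constructed for illustration, and the `/proc/sys/net/netfilter` files assume the `nf_conntrack` module is loaded.

```shell
#!/bin/sh
# Added example: how full is the netfilter connection-tracking (NAT state) table?
# Function names and SAMPLE_LOG are constructed for illustration.

# conntrack_usage_pct COUNT MAX -> whole-number percentage of the table in use
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo "invalid max: $max" >&2; return 2; }
    echo $(( count * 100 / max ))
}

# conntrack_state COUNT MAX [WARN_PCT] -> ok | warn | full
conntrack_state() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 2
    warn=${3:-80}
    if [ "$pct" -ge 100 ]; then echo full
    elif [ "$pct" -ge "$warn" ]; then echo warn
    else echo ok
    fi
}

# conntrack_report [DIR] -> "count/max pct% state", read from the sysctl files
conntrack_report() {
    dir=${1:-/proc/sys/net/netfilter}
    if [ ! -r "$dir/nf_conntrack_count" ] || [ ! -r "$dir/nf_conntrack_max" ]; then
        echo "nf_conntrack values not readable in $dir" >&2; return 1
    fi
    count=$(cat "$dir/nf_conntrack_count"); max=$(cat "$dir/nf_conntrack_max")
    echo "$count/$max $(conntrack_usage_pct "$count" "$max")% $(conntrack_state "$count" "$max")"
}

# count_table_full_drops: kernel log on stdin -> number of "table full" drop lines
count_table_full_drops() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Constructed sample kernel log lines (not captured from a real gateway).
SAMPLE_LOG='Jan 10 12:00:01 gw kernel: nf_conntrack: table full, dropping packet
Jan 10 12:00:03 gw kernel: device eth1 entered promiscuous mode
Jan 10 12:00:06 gw kernel: nf_conntrack: table full, dropping packet'

# Demo: a constructed near-full table, the sample log, then live values if present.
conntrack_state 60000 65536
printf '%s\n' "$SAMPLE_LOG" | count_table_full_drops
conntrack_report 2>/dev/null || echo "no live conntrack table on this host"
```

On the gateway itself, `dmesg | count_table_full_drops` gives the drop count from the real kernel log; a full table drops new connections on every interface while CPU load stays low.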


(Zimny) #15

http://datatag.web.cern.ch/datatag/howto/tcp.html
Very good reference on how to tune up your Linux router to achieve high throughput.