
x86 Commodity-Hardware Router?

neomage86 asks: "I recently had to set up a router for a small company, only five users at any given time, and the needed VPN capabilities are built in. So, instead of using a Cisco or other embedded router, I decided to just install Linux and IPTables on an old 200 MHz PII I had lying around. It's been working fine, and I'm thinking about doing something like this for a much larger network (3000+ users). Does anyone have suggestions on how much I will have to beef up the hardware to provide IP Masquerading for about 1000 users on a T3; provide network-layer filtering of the transmission; and route between 4-5 internal subnets?"
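For the setup the question describes (a masquerading uplink, stateful filtering, and plain routing between several internal subnets), here is a ruleset added as an example; it is not from the thread or any poster. The interface names, subnets and conntrack table size are constructed assumptions, and IPT defaults to "echo iptables" so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): stateful masquerading router for one
# WAN uplink and several internal subnets. IPT/SYSCTL default to "echo ..." so a
# plain run only prints the commands; run as root with IPT=/sbin/iptables
# SYSCTL=/sbin/sysctl to apply for real.
IPT=${IPT:-echo iptables}
SYSCTL=${SYSCTL:-echo sysctl}

WAN=eth0                                                    # uplink interface (assumed name)
LANS="eth1:10.1.0.0/16 eth2:10.2.0.0/16 eth3:10.3.0.0/16"   # internal subnets (constructed)
MGMT=10.1.0.0/24                                            # admin subnet allowed to ssh in (constructed)

flush() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    # Default deny for traffic to and through the router; replies are let back by state below
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
}

base_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Stateful core: packets of an already tracked flow pass; only NEW flows are judged below
    # (-m conntrack --ctstate is the current form of the older -m state --state match)
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Router management only from the admin subnet; rate-limited ping for troubleshooting
    $IPT -A INPUT -p tcp --dport 22 -s $MGMT -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
}

lan_rules() {
    for spec in $LANS; do
        dev=${spec%%:*}; net=${spec#*:}
        # Anti-spoofing: only the subnet's own addresses may arrive on its interface
        $IPT -A FORWARD -i $dev ! -s $net -j DROP
        # Inside -> Internet: new flows allowed here, masqueraded in POSTROUTING
        $IPT -A FORWARD -i $dev -s $net -o $WAN -m conntrack --ctstate NEW -j ACCEPT
        # Inside -> other internal subnets: plain routing, no NAT
        for peer in $LANS; do
            pdev=${peer%%:*}
            [ "$pdev" = "$dev" ] || $IPT -A FORWARD -i $dev -s $net -o $pdev -m conntrack --ctstate NEW -j ACCEPT
        done
    done
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
    # Nothing from the WAN may open a flow inward; log a sample before the DROP policy applies
    $IPT -A FORWARD -i $WAN -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

kernel_tuning() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
    # Masquerading ~1000 users means tens of thousands of tracked flows; size the
    # conntrack table up front (value is an assumption, tune to measured flow counts)
    $SYSCTL -w net.netfilter.nf_conntrack_max=262144
}

apply_all() { flush; base_rules; lan_rules; kernel_tuning; }

apply_all
```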
  • VPN (Score:3, Interesting)

    by aeakett ( 561176 ) on Wednesday March 17, 2004 @03:29PM (#8591020) Homepage Journal
    VPN can be a real resource hog... word is though, that the Via C3 has some sort of processor level instructions to help accelerate this. Has anybody else heard of this?
    • Re:VPN (Score:4, Informative)

      by aeakett ( 561176 ) on Wednesday March 17, 2004 @03:33PM (#8591061) Homepage Journal
      Ah! Here [deadly.org] it is! It's the encryption that the C3 seems to rip through.
    • Re:VPN (Score:3, Informative)

      by quinkin ( 601839 )
      VPN should be offloaded to a separate box/boxes (NB: boxen is not the plural of box, just as foxen is not the plural of fox - although that does imply that bixen should be a female box...).

      Even with the higher end router/vpn embedded solutions there seems to be an appreciable slowdown in the other traffic's response times and throughput when the VPN is being heavily used - and the hardware acceleration in these systems is liable to be "better" than the C3 acceleration.

      Does anyone know if the C3 can do h/war

  • by Finni ( 23475 ) on Wednesday March 17, 2004 @03:31PM (#8591035)
    You'll be fine with what you've got right there!

    No seriously, you're going to swamp your PCI bus if you're doing routing between internal subnets. Goodbye, LAN throughput. Not to mention what merry hell you'll play with the CPU with VPN and firewall rules.

    Your solution is great for a small place, or even a large place in a dedicated niche (like only VPN and/or firewall, or monitoring/IDS.) I wouldn't do something that ambitious with PC hardware though.

    • You'll be fine with what you've got right there!

      As long as he's not trying to do VPN encryption on it, he probably will. Personal experience tells me a P100 (running FreeBSD, not Linux) can easily firewall a 100Mb network link for a few dozen users, so anything P2 class shouldn't have any trouble at all.

      No seriously, you're going to swamp your PCI bus if you're doing routing between internal subnets. Goodbye, LAN throughput. Not to mention what merry hell you'll play with the CPU with VPN and firewall

    • Well, to give you an idea of what can be done, I'm running a Slackware-based P100 as a gateway/firewall/router/name server for my entire home network. There are 12 computers between a bunch of people. It sits between the cable modem and two switches with 2 10/100 $10 ethernet cards in it. Of course this is not a large scale network, but it shows you what a P100 can handle with ease. For security I disallow all incoming connections except ssh. And if you think it doesn't get much traffic, I keep gnutella run
  • by jsimon12 ( 207119 ) on Wednesday March 17, 2004 @03:33PM (#8591054) Homepage
    I would personally go with a BSD flavor rather than Linux. Don't get me wrong, Linux is great, but BSD was designed with routing in mind. You will be able to get away with less hardware, and out of the box things like OpenBSD are going to be more secure than a commodity Linux.
  • 1000+ Users???? (Score:4, Insightful)

    by the eric conspiracy ( 20178 ) on Wednesday March 17, 2004 @03:37PM (#8591102)

    Do the math. If your homebrew system goes down, you will be burning the time of 1000+ people ($60,000) per hour. With those kind of numbers it doesn't pay to do it on the cheap. Get a redundant Cisco system with plenty of power backup.

    • Re:1000+ Users???? (Score:3, Insightful)

      by ADRA ( 37398 )
      Not that I'm arguing here, but a Cisco equiv. is hella-bucks for what this guy is trying to do, and it's only a passive failover anyways. If you want a solution that is truly expensive, try any ACTIVE failover provider.

      Anyways, I have been using netfilter/iptables on my 30 user, >100mbs network, 6 active NICs, and I've never had a crash that I didn't cause!

      • The Cisco PIX OS 6+ and recent Cisco IOS code revs support stateful failover. We already do this and it works just fine. If you are looking at several interfaces and need to run at DS3 speeds, a PIX515E Unrestricted Licensed PIX and a PIX515E Failover licensed PIX will do the trick. True, they aren't price comparable to commodity x86 hardware (even though they are based on that architecture), if you have 3000+ users, you can most likely afford these.
        • Re:1000+ Users???? (Score:1, Informative)

          by Anonymous Coward
          OpenBSD has state synchronization [deadly.org], which could be used to implement failover. But I don't know how this would compare with Cisco's failover support.
      • I have a nickel that says you compose your posts in a word processor.

        Am I right?

        -Peter
    • I must agree here. Working for a large company, 10,000+ users that have a 45 Meg Internet connection, I have seen first hand that even the most powerful Linux solution cannot handle the load and log files that are needed. We ended up pulling out a cluster of 2 linux boxes load balancing NAT connections and replacing them with the PIX 535 firewalls. This was without this solution handling any of the VPN requirements. VPN is a whole other ball game. Cisco [cisco.com] is in this business, and the stuff is priced reasonable e
    • Do the math. If your homebrew system goes down, you will be burning the time of 1000+ people ($60,000) per hour. With those kind of numbers it doesn't pay to do it on the cheap. Get a redundant Cisco system with plenty of power backup.

      Or you could use something like this [linux-ha.org] to provide redundant Linux routers on cheap commodity hardware and spend the money saved on getting more backup power.
  • by WolfWings ( 266521 ) on Wednesday March 17, 2004 @03:39PM (#8591115) Homepage
    And for said couple-hundred, you're looking to pick a secondary network card, along with a 2Ghz or so Athlon or P4 of your choice with a motherboard with a built-in network card. The built-in network card is important for a router.

    An Athlon-64 or above would be ideal, simply because you'd be able to mount ludicrous amounts of memory on the box, which is pretty much all that could ever matter for a router/firewall app, as Linux can easily support logging anything you want to a remote boxen.

    Realistically though, I've routed 8 T1's at 80+% capacity in both directions among 650 laptops before, including 3 separated subnets, all routed through one box.

    The box was a Celeron (P2) 800Mhz we'd downclocked to 633Mhz (standard practice at my company, downclock everything for live events for stability) and it used around 10% of the CPU at peak once configured correctly.

    By 'correctly' I mean having the T1's all coming in on a separate PCI bus from the actual network cards for the subnets. Specifically, the built-in ethernet turned out to be on a separate PCI bus from the actual PCI slots in the case. Configuring the box to take advantage of this dropped CPU load from 80+% to ~10%.

    So... for a T3 fully loaded? I'd say get a 2.0Ghz machine just for breathing room, and give it at least 2GB of memory, as neither is that expensive and will leave plenty of breathing room for things like IPSec or other fancier options down the road without any problems.
    • Hmmm, I've got a few questions. First off, they never made a P2 that went 800MHz. Those stopped at the 500MHz mark or so. Next, you're telling me you cracked open a case on a working machine, fiddled with jumpers (not many P2/3 era MoBo's had clock speed settings via the BIOS). I'm not sure, but you probably had to switch the clock rate of the FSB, which was bad in and of itself. Why on earth would you switch the configuration on a known good machine? That's among the more asinine things I've heard done
      • First off, the case itself was one of the 'all in one' deals, simple one-5.25 bay, one-HD bay, one-floppy, half-height PCI cards only, etc.

        The P2 was a typo, and one I apologize for. P3 would be much more accurate, and overlooking the typo is inexcusable as I was simply typing quietly before I hit post, and didn't read the entire post from the beginning before hitting post.

        As for the T1's, we didn't use any PCI T1 cards. We used an external 10/100/1000 switch with all 8 T1's plugged into it via normal T1
        • The T110/100 was supposed to be "T1 to/from 10/100" with arrows pointing both ways. Slashdot ate the greater-than/less-than signs, along with the hyphen.
        • Hmmm, never heard of the T1 to 10/100 converters (I was unaware the framing was the same, or that the addressing could be fiddled with so that you could use a transceiver to change from one to the other). I'll have to look at the physical framing to see if that makes any sense at all. Got a link to one? I could use one where I work at points.

          While you can do the direct copying from one card to another (I didn't know it could jump PCI buses, but it makes sense), that eliminates all of the packet process

          • Okay, point-by-point again.

            The 't1 to 10/100 converters' are just common T1 interface boxes that output ethernet instead of 24 voice/data jacks. Data-only T1 interfaces, essentially. Unfortunately, that was one aspect I had zero to do with, the site provided them and I haven't had a reason to use them since (we usually do satellite T1 links for remote sites, or use sDSL for medium-term fixed emplacements), so other than saying Netopia was branded all over the boxes, I can't help further than a Google searc
            • The 't1 to 10/100 converters' are just common T1 interface boxes that output ethernet instead of 24 voice/data jacks. Data-only T1 interfaces, essentially.

              There's no such thing as a 't1 to 10/100 converter'... you must be talking about something which bridges two ethernets over a t1 line.

              Anyway, so you had all these 'converters' plus this linux router plugged into one ethernet switch? I hope you weren't relying on the linux router to enforce any kind of security among these remote networks. Assuming they
              • I'd pull up proper terms, but we don't actually deal with physical T1's from the Telco often enough for me to have bothered memorizing the correct terms, manufacturers, or anything else about them. Even in phone work we usually find ourselves dealing with PRI at the fanciest.

                The T1's were all used for combined bandwidth, as the event organizers dropped their order for a fractional T3 and got eight T1's at the last moment. We had no say in that aspect. And each T1 was plugged directly from the box-with-a-ca
      • I have at least two, maybe three slot-1 motherboards from different manufacturers that allow you to change the FSB via the bios. they were around.

      • I have a Celeron 300a and I can change the clock, FSB, and voltage in the bios. The machine is now 5 years old and has the original mobo.

        I used to overclock it to 475 but it was unstable.

  • no can do sorry (Score:2, Insightful)

    by nocomment ( 239368 )
    It doesn't matter what sort of PC you are using...you simply cannot pump that much through a standard PC. 3000+ users? forget it. You are going to need a cisco my man. Unless anyone knows if those quad cards can route between connectors at faster (much much muuuuuch faster) than the PCI bus will allow.
    • Re:no can do sorry (Score:3, Interesting)

      by Paul Jakma ( 2677 )
      you simply cannot pump that much through a standard PC. .... Unless anyone knows if those quad cards can route between connectors at faster (much much muuuuuch faster) than the PCI bus will allow

      If it's 100baseT, 4x12.5MB/s = 50MB/s is easily within the capabilities of a standard 32bit/33MHz PCI bus (100MB/s sustained), at least in terms of transfer rate. Make sure to use a card that has drivers which support polling (aka NAPI on linux).
      • you're talking max bandwidth there. Would you actually try to route 3000+ users through that?

        That's just the max that is _theoretically_ possible. The PCI bus (32 bit) is capable of a (again) _theoretical_ 127MB. Would you stake your job on those numbers? I sure as hell wouldn't. I'd divide all numbers by 5 and you will see a more likely transfer rate plus have room to grow a little. The asker didn't say what type of business it is, but I'd bet at 3000 users a lot of those are transferring some big fi
        • you're talking max bandwidth there. Would you actually try to route 3000+ users through that?

          4x100Mbit is 4x100MBit.. what in God's name does the number of users have to do with it? If you have 400Mbit/s, is that 400MBit/s "bigger" in some way because it's generated by 3000 users instead of, eg, 1000 or 500 or even just 1? It isn't.

          That's just the max that is _theoretically possible.

          Look, if the machine has a quad fast ethernet card then the max that box will have to route is 4x100Mbit/s. No amount of u
          • 4x100Mbit is 4x100MBit.. what in gods name does the number of users have to do with it? If you have 400Mbit/s, is that 400MBit/s "bigger" in some way because its generated by 3000 users instead of, eg, 1000 or 500 or even just 1? It isnt.

            true...sort of. if those 3000 users aren't doing much other than checking email and browsing the web. If they are doing some serious stuff; which they may not be who knows?; then chances are good that 3000 users means a heck of a lot of traffic. For example, I have an
            • true...sort of.

              There's no sort of about it, sorry.

              then chances are good that 3000 users means a heck of a lot of traffic.

              Again, no amount of users will be able to get more than 100Mb/s of data through any of those 4 or 5 interfaces. That's 12.5MB/s * 4 * 2 = 100MB/s - absolute worst case, which PCI can do. However, you're unlikely to get 100Mb/s of multi-stream traffic through a 100BaseT network to the box, never mind into this box itself. So that 100MB/s of bus bandwidth is an absolute max.

              I have
            • "true...sort of. if those 3000 users aren't doing much other than checking email and browsing the web. If they are doing some serious stuff; which they may not be who knows?; then chances are good that 3000 users means a heck of a lot of traffic."

              You're just not grasping this concept very well, are you? Let me spell it out to you very slowly: the limiting rate here is his T3 connection! No matter what these 3000+ users are doing, they cannot generate more than 45Mbit/sec of traffic because that's the m
              • You're just not grasping this concept very well, are you? Let me spell it out to you very slowly: the limiting rate here is his T3 connection! No matter what these 3000+ users are doing, they cannot generate more than 45Mbit/sec of traffic because that's the max the T3 will handle (actually it's slightly less than even that due to overhead).

                *Sigh* I grasp that concept very nicely, my point is being misunderstood. Not all traffic is going out the T3. Yes I'm aware that you will never go above the 45MB.
                • Fine, but it still doesn't remove the basic issue that the PC is certainly capable of doing the job. 100Mbit being saturated? Get a Gigabit card, or load-share across multiple 100Mbit cards. There are multiport Ethernet cards that do internal port-to-port switching as well, completely bypassing the PCI bus limitations.

                  As one of the other posters pointed out, it's not bandwidth that's your problem, it's pps (packets per second). The limiting factor there is going to be how quickly your system can handle
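To put numbers on the bus-bandwidth versus packets-per-second argument in this subthread, an added example that is not from the thread: it computes the worst-case PCI load for a set of interfaces, the headroom against a nominal bus rate, and the minimum-frame packet rate the filter has to keep up with. The 133 and 533 MB/s figures are the nominal 32-bit/33 MHz and 64-bit/66 MHz PCI rates; counting each forwarded packet twice on the bus (NIC to RAM to NIC) is an assumption about a plain PC forwarding path.

```shell
#!/bin/sh
# Added example (not from the thread): back-of-envelope sizing check for a PC
# router. A forwarded packet crosses the PCI bus twice (in to RAM, out to the
# other NIC), so bus load is twice the sum of the interface rates; the harder
# limit is usually packets per second at minimum frame size, not bytes.

PCI_32_33_MB=133     # 32-bit/33 MHz PCI: 33.33 MHz * 4 bytes, nominal MB/s
PCI_64_66_MB=533     # 64-bit/66 MHz PCI: 66.67 MHz * 8 bytes, nominal MB/s

# Packets per second a link carries at a given frame size, counting the
# 20 bytes of Ethernet preamble and inter-frame gap per frame.
pps_at() {           # $1 = link Mbit/s, $2 = frame bytes (64 = minimum Ethernet frame)
    awk -v mbit="$1" -v frame="$2" 'BEGIN { printf "%d\n", mbit * 1000000 / ((frame + 20) * 8) }'
}

# Worst-case PCI traffic in MB/s for a set of interfaces (Mbit/s each),
# every packet crossing the bus twice.
bus_load_mb() {      # $@ = interface rates in Mbit/s
    echo "$@" | awk '{ s = 0; for (i = 1; i <= NF; i++) s += $i; printf "%.1f\n", s * 2 / 8 }'
}

# Ratio of nominal bus rate to worst-case load; below 1.0 the bus cannot
# carry the interfaces at line rate even in theory.
bus_headroom() {     # $1 = bus nominal MB/s, rest = interface rates in Mbit/s
    bus=$1; shift
    echo "$@" | awk -v bus="$bus" '{ s = 0; for (i = 1; i <= NF; i++) s += $i; printf "%.1f\n", bus / (s * 2 / 8) }'
}

# Aggregate minimum-frame packet rate across all interfaces: the number the
# firewall/NAT code path must sustain, which is where CPU and driver matter.
total_pps() {        # $@ = interface rates in Mbit/s
    t=0
    for r in "$@"; do t=$(( t + $(pps_at "$r" 64) )); done
    echo "$t"
}

report() {
    echo "interfaces (Mbit/s): $*"
    echo "  worst-case PCI load: $(bus_load_mb "$@") MB/s"
    echo "  headroom on 32/33 PCI: $(bus_headroom "$PCI_32_33_MB" "$@")x, on 64/66 PCI: $(bus_headroom "$PCI_64_66_MB" "$@")x"
    echo "  min-frame packet rate to filter/NAT: $(total_pps "$@") pps"
}

# The thread's cases: a T3 (45 Mbit/s) plus four 100BaseT subnets, and the
# same uplink with a single gigabit card on the inside.
report 45 100 100 100 100
report 45 1000
```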
  • It's do-able but... (Score:3, Informative)

    by dcowart ( 13321 ) <dzcowart@COWgmail.com minus herbivore> on Wednesday March 17, 2004 @03:42PM (#8591156) Homepage Journal
    It's do-able but segment out the functions at that point. Do you really want to try to route between subnets as iptables is traversing the masq table? Get three boxes; one box for routing, one for vpn traffic and one for actual firewall/masqing. IBM has crypto boards for accelerating SSL/IPSec stuff with linux drivers IIRC for your vpn box. Also, with three boxes you can take down the vpn without taking down the internet connection.

    I would suggest getting PIII's instead of PII's though, but check where bottlenecks may be: PCI bus, CPU processing packets, NIC not doing so well... etc. Plus if one box is connected to multiple subnets, it can be dhcp and/or dns and/or wins for them (if you do DNS please use the forwarders option to forward dns requests to an upstream DNS server if possible).
  • You're going to run into a hardware bottleneck, mostly because of the PCI bus. You simply can't throughput more than your 10MBit card can handle, and you'll be lucky if you get that much through. No non-dedicated machine is going to be as fast (and by dedicated, I'm referring to something specifically designed to be a router/switch), they just aren't designed that way. Bus limitations aren't as important in a machine that will be limited by external factors such as a broadband connection.

    Go invest in a g
  • T3 only? (Score:3, Informative)

    by ADRA ( 37398 ) on Wednesday March 17, 2004 @04:20PM (#8591554)
    If you're just powering a T3 and 6 10/100 subnets, you could get by on

    P4 2.xx GHz (assuming moderate VPN usage)
    512MB-1GB RAM depending on how many simultaneous connections you're working with. The more connections, the more memory eaten up.
    Hard drives: minimal config.
    Motherboard & NICs: Depending on how much your 10/100's saturate, you may want to get some 66MHz 64bit PCI cards instead of regular 33/32's. Eg:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080189f0a.html
    It all depends on how much simultaneous traffic you're looking at. You can use the analogy that the PCI bus is a network switch's backplane. 66/64's can transmit a theoretical maximum of 4gbits/sec, so it should be enough for anything you throw at it. 33/32's maximum theoretical is 1gbits/sec, but in reality expect much less.


    • If you are looking for cheap 64bit PCI NICs go here [google.com]

    • Interesting idea: have you heard of floppyfw? I've used it in a variety of small-office locations and found it to be a fantastic little one-floppy firewall. You can totally dispense with the need for a hard drive, which removes the possibility of mechanical failure. Now the only mechanical things left to fail are fans.

      The other nice thing about using a floppy instead of a hard drive? Just write protect the floppy when you're done building the firewall. If someone ever "breaks into" your firewall, you
  • Buying enterprise-class network equipment for the first time round is scary (it's a strange and complex world.)

    If you're inexperienced, try to get everything from one vendor so that getting it all working together is their problem, not yours.

    You could do worse than a http://www.nortelnetworks.com/products/01/passport/lan/ [slashdot.org].

  • by adzoox ( 615327 ) * on Wednesday March 17, 2004 @04:50PM (#8591862) Journal
    The original Apple Airport Base Stations called "Graphite v1.0" actually had a 486DX100 AMD Equivalent - if I'm not mistaken these were called "Dave Processors".

    The Airport Base Station (original) is a very good "take apart" to learn how to build your own router. They couldn't be more simplistic in design and implementation.

  • Admittedly, the PCI bus will probably be the first absolute roadblock with a good machine, but I think you are all underestimating its ability.

    I did a quick test on my home network to make sure. I easily got 97 Mbps using NFS to transfer (multiple simultaneous) files between 2 machines on 100 Mb ethernet. I think that is pretty conclusive evidence that the PCI bus will not be a limit even on a DS3(T3), which only goes 51 Mbps. One of these machines even has the video card on the pci bus.

    Anecdotally, w
    • So you're saying that you could maintain a transfer rate of 97mbit between two boxen. I'm curious to see your test environment. I've done some samples across my local network, and at best, I've only been able to sustain 40mbit. I'd like to know a couple of things. What protocol were you using, what NIC, etc hardware config, and again what were your test files.

      I'm not doubting you, just really skeptical!

      harryk
      • Disclaimer:
        Original experiment is not scientific!! I am not legally responsible if someone dies because you cited my post that 97 Mbps is possible over the PCI bus.

        It would probably have been a better idea to use netcat to dump packets to /dev/null on one end and have it send an endless stream of them on the other, but I didn't have the time or interest. My method was quick.

        Actual response

        Using bargain basement NIC's, I can't remember manufacturer or model.

        Netgear 8 port switch.

        800 MB file

        I copied
        • Understood about the disclaimer.

          My real reasoning for questioning is because I want to do video streaming on a local network, with the potential for as many as 4 video streams. Currently I'm not able to sustain that kind of bandwidth, but then again, I'm streaming UDP, which I figured would be more effective, seeing as TCP would cause skipping.

          Were the three NICs acting as one, like in line balancing, or were they separate IP addresses as well?

          Still interesting though.
          • You definitely want to use udp for video streaming, even on a fast lan. You might also want to look at RTP (real-time protocol). It is used for voip and some video applications.

            The three NICs in one box are all on separate networks. One directly to a cable modem, another directly to a WAP, the other to an ethernet. (I live with techie roommates, so we have lots of boxen).

            If all four of these streams are the same, you should definitely look into multicasting. It really sucks over the real internet (r
  • by phoenix_rizzen ( 256998 ) on Wednesday March 17, 2004 @05:30PM (#8592220)
    The packet filtering software on Linux is horrible. The syntax is just nasty. And there are no guarantees it won't change again with the next kernel release.

    Use a BSD system, with a real packet filter. FreeBSD gives you the choice of IPFW, IPF, or PF. OpenBSD gives you PF. NetBSD gives you IPF or PF. All of those have much larger / better features sets than IPChains / IPTables, and work a *lot* better in NAT/PAT/MASQ situations. These packet filters are also truly stateful (last time I checked IPTables, it wasn't truly stateful without a bunch of extra patches).

    Linux makes an OK home firewall. But I wouldn't use it anywhere near a business.

    We use FreeBSD 4.9 on Pentium 166 MHz systems with 128 MB RAM using IPFW to serve secondary schools with just under 300 student computers. Haven't had any problems yet with network slowdowns or dropoffs or anything. These are on T1s in the remote schools, and 8 Mbit cable in town.

    (I had problems keeping a similar box running Linux and IPTables working on my home wireless T1-equiv link.)
    • These packet filters are also truly stateful (last time I checked IPTables, it wasn't truly stateful without a bunch of extra patches).

      What do you mean by 'truly stateful'? AFAIK iptables is stateful.

      I've got a little diskless P120 that does just fine with DevilLinux on a 1.5Mbit cable connection at home. Even does VPN. Not the fastest for VPN, but I've never seen it not keep up with my non-VPN traffic.
    • Linux makes an OK home firewall. But I wouldn't use it anywhere near a business.

      I have to question this. Given the few arguments named, it's easy to do so. I built lots of routers with and without VPN (FreeS/WAN and recently Racoon), proxy services (for http, ftp, mail), firewalls doing NAT, VPN and anything else you can imagine. Customers read about a feature on Cisco routers/PIX and they want to have this suddenly. It often does not make much sense, but the customer is king. (I don't connect to T1s di

    • I recommend ClarkConnect [clarkconnect.com] for a firewall for those who can't figure out iptables. It's got a nice default config and a web gui to tweak it. Plus it has other nifty stuff setup; like snort for intrusion detection and gives some nice stats with mrtg.
    • hmmm...this guy didn't have a problem:

      Somewhere in 1997 I downloaded and configured the linuxrouter.org project's mini-distro (called LRP). It was based on Debian 'some vegetable' 2.0.36 kernel. It was put on a Zenith Z-select Workstation with a 486 DX with 12 Megs of Ram and two identical 3Com 3c509 ISA Parallel Tasking cards, 10Mbit only. From the time it went to production til its retirement it served solid. It had only one failure, the floppy drive. I can say it NEVER failed because of OS. It did act squi

  • by XO ( 250276 )
    my network is basically served by a Tandy Sensation 2, a 486sx/33 with a 487slc/33 coprocessor installed. 40MB RAM, 2GB hard disk. It runs router services for .. uh.. 4 computers currently, and has run services for 10-12 computers. It also sports the network's email server, for three domains that I receive mail at. And a MySQL server, that I haven't had much use for lately, but it used to gain a few thousand SQL requests a day.

  • Dont bother (Score:4, Insightful)

    by moosesocks ( 264553 ) on Wednesday March 17, 2004 @11:58PM (#8595430) Homepage
    If your company can afford to pay 1000 people and run a T3, they have the money to buy a PROPER Cisco-based setup.

    Oh. And hire an experienced professional to install it (I don't doubt that you could manage it, though). I wouldn't trust a job of this size to someone who 'did it once at home and it worked'. The enterprise works much differently than your basement.

    If you set it up and something goes wrong, you, my friend, are screwed.
  • by David E. Smith ( 4570 ) * on Thursday March 18, 2004 @12:00AM (#8595442)
    There's a whole niche market for "stripped-down versions of Linux" that handle things like this.

    Currently, I'm using Mikrotik RouterOS [mikrotik.com] as a core router. It's at a small ISP -- 400 or so high-speed customers, 3000 dialup customers (400-500 of which are connected during peak times). Standard routing stuff (30 or so internal static routes, big deal). Couple hundred firewall rules (some for stopping Windows worms from spreading, some for general network security, some to help keep the nastier spammers in check). And BGP, taking a full BGP feed from our upstream, plus a couple multihops from places like Cymru's bogons project. And it doubles as a PPTP server so I can securely work from home (in a gesture of supreme irony, I can't get Internet connectivity from the company I work at).

    And some other stuff I can't think of right now.

    All this is running in a 1U system I got from eRacks [eracks.com] (they make good cheap stuff), except for the hard drive, which I yanked and replaced with a 64MB IDE-flash drive from these guys [wisp-router.com]. Celeron 1.3GHz, 512MB RAM. The system never ever, even during peak times, goes over 10% CPU load.

    This isn't quite up to the specs the original author was looking for, mainly because this hardware isn't also doing the T1 stuff. (It's got plain old boring Ethernet to an older Cisco router, to which our four T1s are connected, but the Cisco is basically just a really big media converter.) But given how low the hardware utilization is on this unit, and how underpowered this system is as compared to current hardware, I think it shows that the notion is quite feasible.
  • and they seem to be doing pretty well. I went looking for weird NIC hardware and came across Imagestream [imagestream.com]. They make big routers with Linux at the core, on x86 hardware in industrial form factors. Definitely worth a look.

    Also on the thread of interface cards, try Mikrotik [mikrotik.com]. If you're doing wireless, the MiniPCI carrier boards will make your day.

    Full disclosure: I'm not related to or affiliated with either of those companies in any way. I've never even bought anything from either of them. I just came across
  • Our main firewall for our hosting company is a 2Ghz P4. We are not doing vpn, which would be the most resource intensive, but our T-3 line comes directly into it and we have a ton of firewall rules. There is never a load on the box, except when nimda hit :).

    And with bridging you can have two transparent firewalls (no ips) that are redundant, using Spanning Tree Protocol. Pretty cool.
  • Just to clarify, this is a project for my High School. They are upgrading the network infrastructure, and I work with the tech-ed department through an internship class. I just wanted to make sure this was reasonable, before I suggested it to my own bosses.
    • I would say yes. If you're not dealing with all the connections needing to be encrypted or something else that requires every single packet to be fully modified by the CPU of the router in question, a medium-low-end ($200-$500 bought piecemeal at Fry's or similar) PC should do the job just fine.

      And good luck to you. :-)
  • Love the thought, but PC hardware is hardly up to mission-critical status even with a stable OS on it. ATA drives fail, CPUs overheat, junk RAM corrupts data. A company of 3000+ people can't afford to have downtime from that crap chipset or failed RAM, and can afford to buy something that is more likely to last.
