Me again.....

Just a quick question.

We're thinking about letting our linux box do some bridging/firewalling as an additional security measure. We already have a network appliance performing NAT on the outside of the lan (for our WAN connection), and we're thinking about letting linux be a 2nd firewall.

Anyway, the question is, if the two cards differ in speed, will that affect performance, or are there technical issues with running different cards? One is an Intel Gigabit ethernet card, the other is a 100 Mbps 3Com ethernet card. If I bridge the two, will the gigabit card run at only 100 Mbps to accomodate the 3Com card?

We have a 768K ADSL WAN connection. I was going to run cat5 from the network appliance (NAT router) directly to the 3Com card, and then the Intel card would be connected to our Gigabit switch.

In the future, I'd like to get another Intel card, just to keep things simple. For now, however, it's the 3Com or no firewall. But if it will slow the Intel card down, then I won't do it. We had reasons for putting a gigabit card on that box.

Just considering my options.

Thanks for the help.

Your up/down from your ISP will never be better than 100MBs, so you up/down to your firewall will never be more than that. Your set up will be fine. In fact, it's a little overkill to even have the intel gig adapter, but it wont hurt anything.

In my setup I have IPtables running on a RH9 box, 1 gig card (going to my secure network), and 2 10/100 cards (one going to comcast, one going to my DMZ). I run routing and NAT all on my firewall, works great.

Here is a good link to check out for FW design:
http://eressea.pikus.net/~pikus/plug...all/page0.html

One more thing though, each interface will need to be in a different subnet. This is an absolute must. If you have two interfaces in a system, and both are in the same subnet, then Linux will only use one interface to respond to all traffic reguarless of which interface the traffic came in on...causing obvious problems. Just make sure you have different subnets and routing enabled.

You're correct that the DSL will never fill a 100 Mbps pipe (in fact, we'll probably never see it fill a 10 Mbps pipe). This server also provides many other services (Apache, MySQL, DHCP, Jabber, ProFTPd, Samba file server, among others). The samba file sharing requires the gigabit. When you are in the publishing industry, files get real large, real fast, and network response time is critical.

My concern is that the bridge will make the gigabit card slow down to a 100 Mbps connection to match the 3Com. If that is the case, then I'm slitting my own throat, so to speak. I have to have that gigabit card running at a full 1 Gbps connection.

Will the bridge force the gigabit card to slow down to 100 Mbps, or does linux even care?

I may not be right, but I would think that if you subnet interface you would not loose your 1Gbp pipe until you send data over to the 10/100. if you are only sending the the large data on gig interface you should not have any probs. If you try it, would you please post your results... thanks

p.s. this was just my 2 cents worth

Just to answer this question, I emailed the maintainer of the brctl package, and this is what I got:

Hello,

Bridging a 100mbit connection and a gigabit connection will work just
fine. And no, it will not slow down file transfers to the slowest
link present in the machine -- it will only slow down transfers to the
slowest link that is present in the path. So if there are only gigabit
links between two machines, the transfers between those two machines
will run at gigabit speed.


cheers,
Lennert

So the bridge itself would be 100 Mbps (that only makes sense), but any lan traffic intended for the machine itself (samba, database, etc) is at the gigabit speed.