Dennis Ljungmark:
Hi,
We're currently running 6 different 100-200Mbit relay/guard nodes, and
are looking at some issues moving on towards high-performance exit nodes.

There are some administrative issues (needing another IP block due to
the RIPE registration; our ISP doesn't want their name on the exit nodes
that we are responsible for), which are generally minor (and are being
resolved anyhow), and then there is the big stumbling block.

Right now, with iptables modifications ( raw tables hacks to disable
conntrack, bucket increases, following the general best practices ) our
firewall is running at high amounts of CPU, but coping.  However, once we
start introducing Exit Nodes into this equation, things turn sour.

So, since we do not want to trust only routing level separation between
Exit Nodes and internal networks, we're going to have to invest into new
hardware that can cope with this.  Before this, we tried Ingate firewalls,
and they weren't capable of coping with the load of guard nodes.

 ( The traditional "linux box in front" doesn't quite cut it due to
networking hardware in most cases. )

So, in summary, when you get to the point of actively dealing with 8-900Mbps
of Tor traffic (on top of normal users and others), what hardware is needed
to cope with firewalling?


Hey Dennis,

What hardware are you using? In general iptables/netfilter should be
able to handle more than 200Mb without any trouble at all.

I wonder if your network card is an issue? What CPUs are you using? What
versions of OpenSSL and other relevant software are in use?

All the best,
Jacob

Also tweaking a few sysctls and playing around with txqueuelen will help.
See https://www.torservers.net/wiki/setup/server. I'll add some more stuff to the high bandwidth part of that page in a minute, also. I've done some more tweaking towards gbit that certainly helped, which I haven't documented yet.

Julian
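
The two tuning points raised in this thread, Dennis's raw-table "hacks to disable conntrack" with bucket increases and Julian's sysctl/txqueuelen tweaks, written out as an added example (not code from anyone in the thread or from torservers.net). The ports, interface name and numeric limits are assumed placeholders; by default the script only prints the plan.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (and optionally applies) the
# raw-table NOTRACK rules, conntrack sizing and txqueuelen tweak discussed above.
# OR_PORT, DIR_PORT, WAN_IF and the numeric limits are assumed placeholders.
OR_PORT="${OR_PORT:-9001}"      # assumed relay ORPort
DIR_PORT="${DIR_PORT:-9030}"    # assumed relay DirPort
WAN_IF="${WAN_IF:-eth0}"        # assumed external interface

# The raw table is consulted before conntrack: matched packets are never
# tracked, so relay circuits stop filling the conntrack table. Newer
# iptables spells the same target "-j CT --notrack".
notrack_rules() {
    for p in "$OR_PORT" "$DIR_PORT"; do
        echo "iptables -t raw -A PREROUTING -i $WAN_IF -p tcp --dport $p -j NOTRACK"
        echo "iptables -t raw -A OUTPUT -o $WAN_IF -p tcp --sport $p -j NOTRACK"
    done
}

# Untracked packets never become ESTABLISHED, so the usual
# "--ctstate ESTABLISHED,RELATED" accept rule ignores them: without an
# explicit UNTRACKED accept in the filter table the relay ports go dark.
filter_rules() {
    for p in "$OR_PORT" "$DIR_PORT"; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate UNTRACKED -j ACCEPT"
        echo "iptables -A OUTPUT -o $WAN_IF -p tcp --sport $p -m conntrack --ctstate UNTRACKED -j ACCEPT"
    done
}

# Sizing for whatever traffic is still tracked, plus the txqueuelen tweak.
# The numbers are assumed starting points, not measured recommendations.
tuning_cmds() {
    echo "sysctl -w net.netfilter.nf_conntrack_max=1048576"
    echo "echo 262144 > /sys/module/nf_conntrack/parameters/hashsize"  # bucket count
    echo "sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600"
    echo "ip link set dev $WAN_IF txqueuelen 10000"
}

render_plan() { notrack_rules; filter_rules; tuning_cmds; }

# Dry run by default; APPLY=1 (as root) executes the generated commands.
if [ "${APPLY:-0}" = "1" ]; then
    render_plan | sh -e
else
    render_plan
fi
```

Check the counters in `conntrack -L` or `/proc/sys/net/netfilter/nf_conntrack_count` before and after applying; if the count keeps climbing, some relay traffic is still being tracked.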