Hi Everyone,

First post to the list - hope I have hit the right list for all of the questions below!

I have several queries over the "front end" infrastructure of a vast data center infrastructure we are planning, connecting 20ish services to the BGP Routed infrastructure being provided by our datacenter provider. There are around 10-30 thousand end users of these services, and I have 100M total bandwidth across the two connections (I can weight the traffic down them as I choose).

The setup looks a little like this:

     (Dual I/Net Connections)
     ( on BGP Routed Network)
          |            |
          |            |
     -----------  -----------
     |Fw/Shpr 1|  |Fw/Shpr 2|
     -----------  -----------
          |            |
          --------------
                 |
     --------------------
     |Core Switches, etc|
     --------------------
          |     |     |
     [Lots of Connections]
     [ to lots of servers]

I am essentially provided with two RJ45 plugs on the end of two Cat5 Gig cables, and around 50 IP addresses for all of my services. In the diagram above, the two connections are represented at the top, and the core infrastructure and services at the bottom. I need the ability to traffic shape, firewall, and have redundancy; the plan being to do this on the 2 boxes marked Fw/Shpr 1 and 2 respectively, which will be running Linux (with an internal and external Gig interface each).

So, the questions:

1) Is it best to NAT in this scenario, or bridge and use the public IPs internally, or 'route' them (by having the BGP routers point the relevant routes at the FWs), in terms of performance?

2) Is it best to run an active/passive or active/active scenario with the front end firewalls (bearing in mind I could use something like Linux HA)?

3) Would it be worth, performance wise, splitting out the firewall function from the tc function (i.e. add a further two boxes between the core and front end firewalls for traffic shaping)? Is this going to give me a huge performance gain?

4) In your opinion, will two run-of-the-mill average rack servers be able to keep up with around 2000-3000 connections and about 100-200M throughput, whilst using iptables and Traffic Control (assuming a lot of iptables NAT, around 100 rules, and a few htb configs)?

5) If I start sending outbound traffic to multiple default gateways, will I have a huge performance hit if I use the 'random packet distribution' function of iptables? What's the best way to distribute traffic to two default gateways?

6) What's the best way, if I were to use an active/active scenario on the firewalls, to handle outbound traffic (bearing in mind I would need to sync the bandwidth usage for the shapers somehow)?

7) Is there any easy way to use some sort of 'virtual IP' as a default gateway, for the internal servers, to allow the outbound packets to be distributed between the two firewalls in a load-balanced manner?

8) Lastly - am I crazy to do this (bearing in mind the throughput and no. of end users) with Linux rather than dedicated hardware firewalls and packet shapers?!

Thanks for any replies in advance - apologies for the long message!

Kind Regards
Dan
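As an added illustration (not part of Dan's post or any reply) of the HTB shaping and two-gateway distribution asked about in questions 4 and 5, the script below builds a tc HTB tree on the external interface, classifies by iptables fwmark so the NAT rules and shaper share one selector, and installs a weighted multipath default route, which the kernel resolves per flow (hashed on addresses) rather than per packet. Interface name, gateway addresses, ports and class rates are assumed placeholders; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: HTB shaper + iptables marking + weighted multipath default route.
# All names and addresses below are placeholders, not from the original post.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Root HTB qdisc capped at the link rate, then one class per service group.
# Each class gets a guaranteed rate and may borrow up to the link ceiling.
setup_shaper() {
    dev=$1    # external interface, e.g. eth0 (assumed)
    total=$2  # link rate, e.g. 100mbit
    run tc qdisc del dev "$dev" root 2>/dev/null
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$total" ceil "$total"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate 40mbit ceil "$total" prio 1
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate 40mbit ceil "$total" prio 2
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate 20mbit ceil "$total" prio 3
    # Steer packets into classes by the fwmark set in the mangle table
    run tc filter add dev "$dev" parent 1: protocol ip handle 10 fw flowid 1:10
    run tc filter add dev "$dev" parent 1: protocol ip handle 20 fw flowid 1:20
}

# Mark flows for the shaper (placeholder: HTTPS -> class 1:10, SMTP -> class 1:20).
mark_traffic() {
    run iptables -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 10
    run iptables -t mangle -A POSTROUTING -p tcp --dport 25 -j MARK --set-mark 20
}

# Weighted multipath default route across the two uplinks. The kernel picks a
# next hop per flow, so packets of one connection stay on one link.
setup_gateways() {
    gw1=$1; gw2=$2; w1=${3:-1}; w2=${4:-1}
    run ip route replace default \
        nexthop via "$gw1" weight "$w1" \
        nexthop via "$gw2" weight "$w2"
}

# Usage: SHAPER_APPLY=1 sh shaper.sh (as root), or DRY_RUN=1 SHAPER_APPLY=1 sh shaper.sh
if [ "${SHAPER_APPLY:-0}" = "1" ]; then
    setup_shaper eth0 100mbit
    mark_traffic
    setup_gateways 203.0.113.1 198.51.100.1 1 1
fi
```

HTB shapes egress only, so these classes govern traffic leaving the external interface; shaping the inbound direction needs the same tree on the internal interface (or an IFB device).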