In previous How To articles we've looked at ways of building a router/gateway out of hardware that you probably have stored in a cupboard. Such units work fine, but as companies move to faster and faster Internet connections the PC-based gateway can become a bottleneck. In this How To, we'll look at ways of coping with increased throughput and thus preserving the lifetime of these devices.

Examine the resources
The first place to look is the resource manager. If you have a Windows-based gateway, check the Task Manager (and in Linux, run "top") to ensure that the CPU, RAM or disk usage isn't being maxed out simply because there's so much work being done.

If the disk is being hammered, then quite frankly something's wrong since the average gateway/router shouldn't really be using the disk – maybe you turned on too many logging options and the machine's having trouble keeping up. If the RAM is at its limits, this is a relatively cheap problem to solve – so long as the machine can take it, whack some more memory in and the problem should be eased. A lack of RAM is often the culprit when the gateway starts to slow down, because as demand increases, so does the amount of data the system has to hold in memory in order to marry incoming packets up to internally-originated sessions.

Since resource utilisation is a function of the complexity of your filtering and routing rules, go back and re-examine your rule table. It's common for the rule-set to grow randomly as time goes by, and after a year or two it's more than likely that the machine is spending time, processor cycles and memory processing rules that either (a) don't apply any more or (b) could be rationalised into a smaller, more well-defined rule-set.

A faster processor
If it's the CPU that's running at 100 per cent utilisation, one option might be to put a faster processor in the box, but this isn't all that desirable because you may have to change other hardware too (such as fans or heatsinks) and you could end up spending more money than the machine is worth.

One alternative may, of course, be to revisit the cupboard that your gateway computer came from in the first place – it may well be that there's a newer machine in there into which you can drop your existing machine's hard disk and network cards in order to wind up with a faster firewall.

Let the LAN card take the strain
A new generation of network adaptors appeared on the market in the summer of 2003, offering TCP/IP offload (often called TOE). The idea is simple: instead of passing every packet through to the operating system for processing, the network adaptor understands TCP/IP and can do much of the work on-board – not least sequencing out-of-order packets and filtering incoming stuff so that the OS only sees packets that the card knows are destined for that machine. Adaptec's NAC 7711 is the best-known example of such offload network adaptors, though, like the "change the CPU" alternative suggested in the previous section, moving to this kind of card isn't a cheap option – it may be cheaper to simply go and buy a commercial firewall. Expect to see Intel processors sporting TOE-like features in the not too distant future.

Offload some of the work
If you can't find (or decide you can't afford) a hardware fix, the last remaining cheap option is to split the workload of the gateway. As with some of the earlier options, this is only really an economical answer if you have a repository of hardware that's not being used – but since many of us do, it's not an unreasonable requirement.

The approach to take, if you go for this option, is to divide the processing into two chunks and to have two devices in series handling their part of the job. So the outermost device (the one that's connected to the Internet) might deal with some coarse packet filtering, such as dropping packets that you can guarantee aren't permitted into the network, and the innermost device will do the more complex tasks such as network address translation and context interpretation. For instance, you might set the outermost unit to allow incoming connection requests that have source port 80 (HTTP) or 25 (SMTP), but only the innermost unit will be able to match them up to corresponding outgoing connections. There's no "right way", because every solution of this kind will be different, but it may well help you keep the traffic flow up to speed.

Buy a proper gateway
If your company grows beyond the capabilities of even the multi-device approach mentioned above, your last resort is to resign yourself to the fact that you just won't be able to make it go any faster unless you buy a commercial device that can cope with the traffic levels. If this is the case, you can at least content yourself with the fact that you've managed for this long without spending any money, and that you've had some unexpected value from that old kit that would otherwise be in the skip by now.