Hardware for Firewalling and routing 200 Vlan at 2x100Gbps ?
-
Hi,
We want to test pfSense to filter and route about 200 VLANs with 2 or more 100Gbps Ethernet cards (our backbone is 4x100Gbps).
Has anyone tried these speeds? What about the hardware needed?
And more simply: is it possible?
We need filtering, so we can't use TNSR...
Thanks.
-
@dst31 Sorry but at that speed you need consultants. Not a forum...
-
@dst31 https://docs.netgate.com/tnsr/en/latest/acl/index.html
-
No hardware will pass anywhere near 100G with pfSense.
Also, at 200 interfaces you will find some parts of the GUI become inconvenient to use. There's no technical limit on the number of interfaces, but I usually recommend 250 as the number at which some things start to become unusable.
Steve
-
@stephenw10 Among them the GUI traffic graphs... since you can't split them into more columns.
-
@stephenw10
What do you mean by anywhere near 100G? pfSense cannot use a 100G interface, or the system will never be responsive enough to manage a 100G workflow?
-
Like I would be surprised to see anything >20Gbps even on the fastest hardware.
-
I think what they are trying to say is to run at 100Gb you will need to process ~67,000,000 packets per second. This is the domain of ASICs, not CPUs.
Then you want to filter the traffic; this results in the CPU needing to look at, and act on, ~12GBs of data per second.
-
@andyrh said in Hardware for Firewalling and routing 200 Vlan at 2x100Gbps ?:
~12GBs of data per second
Hey, that's my new Comcast internet connection speed package that I just got!
just kidding, LOL
-
TNSR can do it without ASICs. That's where it excels.
pfSense was never intended or expected to pass that sort of traffic with its current architecture.
Steve
-
@cool_corona said in Hardware for Firewalling and routing 200 Vlan at 2x100Gbps ?:
Sorry but at that speed you need consultants. Not a forum...
This was the best answer given here as I see it right.
Network part and devices
DPI part and devices
- Corero SmartWall DPI solution
(up to 160 GBit/s) starting at ~$250.000,00
Firewall, routing and inspecting part
So you may see, products are all available on the market
and for sure only for brainstorming it might be also good to ask here and there in a forum.
Dobby