Sizing up an appliance
-
I have a situation where I am looking to replace a commercial firewall I have at one of my sites, and pfSense is a recommendation of mine to the business.
The site right now has 2 Internet 1Gbps circuits. The average throughput, daily, is 300Mbps. There is a 1Gbps point2point circuit to a data center that has a daily throughput of around 60Mbps (will be removed later this year). The future plan for this site will be Internet only and employees reserve a desk and VPN to the main datacenter where they are able to access resources. So the expectation is that in the future probably 400-500Mbps daily throughput on the Internet circuits with IPsec clients.
My concern is the specs offered on some of the units. I feel a 6100Max may be proper for the site but a Quad Core Atom CPU seems very underpowered for this task. I could completely be wrong.
The current firewall is running the following:
CPU0: Intel(R) Celeron(R) CPU P4505 @ 1.87GHz stepping 05
CPU1: Intel(R) Celeron(R) CPU P4505 @ 1.87GHz stepping 05
There are ASICs on this unit as well.
EDIT: There is a possibility that IPsec termination will take place at the site (non-user traffic, data replication, etc.) so how well could it handle up to 1Gbps sustained traffic if a backup job is taking place and software images are transferred back and forth?
-
@michmoor said in Sizing up an appliance:
Celeron(R) CPU P4505
Yeah, that CPU would be the management plane only in that machine.
You need 1Gbps IPSec throughput? Any restrictions on the ciphers that you can use?
-
@stephenw10
The current suite used
Phase 1: DH2-AES192-SHA256
Phase 2: ESP-DH2-AES192-SHA256
-
AES-CBC I assume? The 6100 can pass 1Gbps IPSec for large TCP packet connections given the right conditions but that's using AES-GCM.
Something more powerful might be in order if you need to use AES-CBC and the traffic might be varied packet sizes etc.
Steve
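Why packet size matters for the 1Gbps figure discussed in the post above, as an added example that is not part of the original thread: it computes ESP tunnel-mode packet sizes and the packet rate needed to fill 1Gbps for AES-CBC with HMAC-SHA256 versus AES-GCM. Assumptions: IPv4 outer header, no NAT-T encapsulation, HMAC-SHA256 truncated to 128 bits, a 16-byte GCM ICV, and sample inner packet sizes chosen here; it counts layer-3 bytes only and does not measure what any CPU can encrypt.

```python
# Added example: ESP tunnel-mode sizing arithmetic (assumed: IPv4 outer, no NAT-T).
OUTER_IPV4 = 20   # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte

# Per-suite ESP parameters: IV bytes, padding alignment, ICV bytes.
SUITES = {
    "AES-CBC + HMAC-SHA256-128": {"iv": 16, "align": 16, "icv": 16},
    "AES-GCM (16-byte ICV)": {"iv": 8, "align": 4, "icv": 16},
}


def esp_packet_size(inner_len, suite):
    """Size in bytes of the outer IP packet carrying one inner packet."""
    p = SUITES[suite]
    # Inner packet plus trailer is padded up to the suite's alignment.
    padded = -(-(inner_len + ESP_TRAILER) // p["align"]) * p["align"]
    return OUTER_IPV4 + ESP_HEADER + p["iv"] + padded + p["icv"]


def packets_per_second(link_bps, inner_len, suite):
    """Packets per second needed to fill link_bps with encrypted traffic."""
    return link_bps / (esp_packet_size(inner_len, suite) * 8)


def report(link_bps=1_000_000_000, sizes=(64, 576, 1400)):
    """Rows of (suite, inner size, outer size, packets/s) for each case."""
    rows = []
    for suite in SUITES:
        for n in sizes:  # constructed sample sizes: small, medium, near-MTU
            outer = esp_packet_size(n, suite)
            pps = round(packets_per_second(link_bps, n, suite))
            rows.append((suite, n, outer, pps))
    return rows


if __name__ == "__main__":
    for suite, inner, outer, pps in report():
        print(f"{suite:26} inner={inner:5} outer={outer:5} "
              f"overhead={outer - inner:3} pps={pps:>9,}")
```

Filling the link with 64-byte inner packets takes roughly ten times the packet rate of 1400-byte packets, and every packet is a separate encrypt-and-authenticate operation, which is why a figure quoted for large TCP packets does not carry over to mixed traffic.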
-
@stephenw10 So should I go into the Xeon territory?
-
Yes, I would be looking there if you need that sort of encrypted traffic level.
Steve