Netgate Discussion Forum

    PfSense or other Firewall for growing company with 10Gbps internet connection?

    shaw222:

      We are currently running pfSense community version 2.6.0-RELEASE with pfBlockerNG and have a 1Gbps internet connection, with 180 users (including 50 OpenVPN connections) in a single building.

      We are going to go into two buildings - bldg 1 corp hq will have a 10Gbps fiber connection and bldg 2 branch office will have 2Gbps connection.

      After the move, we will have 300 users (including 125 OpenVPN connection).

      1. We will need to have a site to site vpn between the two buildings.
      2. We will need to have an IDS/IPS system and a log aggregator so we can analyze the traffic by top talker, top destinations, and top source. Which add-on will allow me to consolidate the web browsing by host ID (which sites they are going to, how much time is spent there, and the upload/download stats)?
      3. We need to have high availability
      4. Need help with sizing the hardware

      I intend to buy pfSense Plus and pay for the Netgate support if I choose to deploy the pfSense solution.

      Can someone guide me on hardware configuration please and comment on the questions listed above?

      Thanks!

      SteveITS (Galactic Empire), replying to @shaw222:

        @shaw222 If you compare specs to say the 1541 that will give you a starting point.
        https://shop.netgate.com/collections/rack-appliances

        OpenVPN uses a single core. Don’t expect 10 Gbps speed. Note the 1541 shows IPSec “IMIX Traffic: 1.77 Gbps.” How active are the 125 connections?

        10Gbps fiber or copper?

        TNSR doesn’t have IDS or OpenVPN but has IPSec.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        heper, replying to @shaw222:

          @shaw222 said in PfSense or other Firewall for growing company with 10Gbps internet connection?:

          I intend to buy pfsense plus and pay for the netgate support if I chose to deploy the pfsense solution.

          Maybe you should contact support to help you with picking the hardware as well.

          shaw222, replying to @SteveITS:

            @steveits said in PfSense or other Firewall for growing company with 10Gbps internet connection?:

            https://shop.netgate.com/collections/rack-appliances

            Thanks Steve. If TNSR doesn't support OpenVPN, how do I get the VPN connections?
            Also, how can I implement an IDS/IPS solution with this?

            I will send you the typical bandwidth usage by VPN clients by end of business today.

            shaw222:

            @heper I will, thanks.

              SteveITS (Galactic Empire), replying to @shaw222:

                @shaw222 “throw hardware at it” seems overly simplistic but the requirements are really high for pfSense. Can you somehow offload the VPN to an internal server or second router instead of the primary router? Switch to IPSec?

                @stephenw10 may have suggestions.

                stephenw10 (Netgate Administrator):

                  Yeah, to get a real 10Gbps throughput in pfSense requires serious hardware, and if you need to run Snort/Suricata and ntopng at those rates then you're looking at close to the fastest you can get.

                  Offloading the OpenVPN connection is certainly something I would consider for a connection that size. It would at least make it a lot more flexible.

                  shaw222, replying to @SteveITS:

                    @steveits said in PfSense or other Firewall for growing company with 10Gbps internet connection?:

                    Can you somehow offload the VPN to an internal server or second router instead of the primary router? Switch to IPSec?

                    Hi Steve - I haven't done this. Can you point me to a link on how to do it? So if I am to guess, the primary firewall will allow the VPN traffic and direct it to a secondary firewall which will do the authentication and management (thereby freeing the overhead from the primary firewall)?

                    shaw222, replying to @stephenw10:

                      @stephenw10 said in PfSense or other Firewall for growing company with 10Gbps internet connection?:

                      Yeah, to get a real 10Gbps throughput in pfSense requires serious hardware, and if you need to run Snort/Suricata and ntopng at those rates then you're looking at close to the fastest you can get.
                      Offloading the OpenVPN connection is certainly something I would consider for a connection that size. It would at least make it a lot more flexible.

                      Hi stephenw10 - Can I run Snort/Suricata on a secondary machine? How do I go about doing that? Also, how can I make the primary firewall highly available (by adding similar hardware and having it on standby)?

                      stephenw10 (Netgate Administrator):

                        As an IDS you could. In fact we had a write-up of using TNSR to mirror traffic to Snort:
                        https://github.com/Netgate/TNSR_IDS
                        But that would only be for analysing, not for blocking.

                        pfSense supports HA: https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#high-availability

                        SteveITS (Galactic Empire), replying to @shaw222:

                          @shaw222 I don’t have a link but forward the ports to your VPN server running on your LAN. I was just brainstorming.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.