Netgate Discussion Forum

    How Far Have You Scaled Your PFS Box?

    General pfSense Questions
    61 Posts 29 Posters 46.6k Views
    • KiFFuSeR

      We use it at a wireless community setup as firewall/gateway to the internet and also in some cases as wireless client/ap router.

      The internet box is a Compaq Deskpro SFF (PII 400MHz | 512MB RAM | 80GB HDD | 3 x Intel Pro 100 NICs); it manages a 6Mbps/512Kbps PPPoE ADSL connection, soon to add a 2nd ADSL connection… It runs pfSense with squid and lightsquid and provides internet access to 30-40 users.

      It's been rock solid for months, especially after the upgrade from 256MB to 512MB of RAM.

      As a wireless client/AP router we use the same Compaq boxes with Atheros cards and only 64MB RAM, booting from CF cards. The boxes provide access to the wireless community network and the internet through their wireless card (WAN) and basic NAT/firewall/DHCP to the user's home network. Sometimes a 2nd Atheros card is added to provide wifi in the area. This also works fine, although recently we've been using beta versions of m0n0wall for this function due to a lack of PC100 SDRAM for these boxes, and m0n0 works better with 64MB in this setup.

      Overall, m0n0wall/pfSense are great projects, we've been using them for 3 years in this network.

      • dnky_bones

        @KiFFuSeR:

        We use it at a wireless community setup as firewall/gateway to the internet and also in some cases as wireless client/ap router.

        The internet box is a Compaq Deskpro SFF (PII 400MHz | 512MB RAM | 80GB HDD | 3 x Intel Pro 100 NICs); it manages a 6Mbps/512Kbps PPPoE ADSL connection, soon to add a 2nd ADSL connection… It runs pfSense with squid and lightsquid and provides internet access to 30-40 users.

        Ya, I used to run Squid, until I got the 2nd internet feed (I've got one 6 Mb/s DSL line and one 15 Mb/s cable line, load balancing and failover) but found out the hard way that squid doesn't work in dual WAN mode.  Actually, it seems most add-on packages break when you add a 2nd gateway.  But forced to choose between 21 Mb/s combined bandwidth and squid, I'll choose 21 Mb/s lol… tho I do miss tailing the squid logs and watching the random URLs go by.  Maybe I'll get a 2nd box for squid... who knows, I could always use a higher power bill :)

        -M@

        • KiFFuSeR

          @dnky_bones:

          Ya, I used to run Squid, until I got the 2nd internet feed (I've got one 6 Mb/s DSL line and one 15 Mb/s cable line, load balancing and failover) but found out the hard way that squid doesn't work in dual WAN mode.

          My goal with the 2nd WAN is to make all high priority traffic (http/dns/pop3/voip) go through WAN1 and all other traffic go to WAN2. I'm not trying to aggregate bandwidth or do failover, just a simple routing policy, and I really need squid/lightsquid statistics. Shouldn't it work this way?

          PS: sorry if this is a bit off-topic…

          • dnky_bones

            From my experience… sorta.  It's been about 6 months since I stopped using squid, but if my memory serves me, clients would be directed over the transparent proxy if I directed them to go over the default gateway.  If you add a 2nd gateway, squid has no idea about it; it doesn't really know it exists.

            -M@

            • tacfit
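            The policy routing KiFFuSeR asks for, and the reason dnky_bones gives for squid ignoring the second gateway, can both be seen in a pf ruleset. The fragment below is an added illustration written for this thread, not pfSense's own generated ruleset and not code from any poster: a hand-written pf.conf for FreeBSD pf (the packet filter underneath pfSense) that sends selected ports out WAN1 with route-to, sends everything else out WAN2, and runs a transparent squid redirect. The interface names, LAN subnet, gateway addresses and squid port are assumptions.

```pf
# Added illustration, not from the thread or from pfSense's generated rules.
# All names and addresses below are assumed placeholders.
lan_if  = "em0"
wan1_if = "em1"
wan2_if = "em2"
lan_net = "192.168.1.0/24"
lan_ip  = "192.168.1.1"
wan1_gw = "203.0.113.1"   # assumed upstream gateway on WAN1
wan2_gw = "198.51.100.1"  # assumed upstream gateway on WAN2

# Ports that should prefer WAN1: http, pop3, SIP signalling, dns.
prio_tcp = "{ 80, 110, 5060 }"
prio_udp = "{ 53, 5060 }"

set skip on lo0

# Source NAT on each WAN to that WAN's own address.
nat on $wan1_if from $lan_net to any -> ($wan1_if)
nat on $wan2_if from $lan_net to any -> ($wan2_if)

# Transparent proxy: LAN web traffic is rewritten to squid on the firewall.
# Translation runs before filtering, so these packets are now addressed to
# 127.0.0.1 and never match the route-to rule for port 80 below. Squid then
# opens its own upstream connections from the firewall, and those follow the
# kernel default route (WAN2 here), not the per-client policy. That is the
# "squid has no idea about the second gateway" behaviour described above.
rdr on $lan_if proto tcp from $lan_net to !$lan_ip port 80 -> 127.0.0.1 port 3128

block in log all

# Traffic to the firewall itself (DNS forwarder, proxy, DHCP) must be
# accepted before the route-to rules, or it would be pushed out a WAN.
pass in quick on $lan_if from $lan_net to $lan_ip keep state

# Policy routing: priority ports to WAN1, everything else to WAN2.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) proto tcp \
    from $lan_net to any port $prio_tcp keep state
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) proto udp \
    from $lan_net to any port $prio_udp keep state
pass in quick on $lan_if route-to ($wan2_if $wan2_gw) \
    from $lan_net to any keep state

# Replies come back on the WAN the state was created for; no "block out"
# exists, so the route-to packets leave the chosen interface unfiltered.
```

            The practical consequence for lightsquid statistics is that web traffic is logged by squid but leaves on whichever WAN holds the default route; to make proxied traffic use WAN1 you would have to policy-route the firewall's own outbound port 80 connections (a `pass out` rule with `route-to` matching squid's source address) rather than the clients' packets. Check a loaded ruleset with `pfctl -sr` and `pfctl -sn` to confirm the rdr rule is matching before the route-to rule, which is the ordering that explains the effect.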

              I suppose you could set up 3 pfSense boxes:

              2 boxes connect to each DSL line respectively, both run Squid (both only have one connection, right?)

              1 box is the gateway for your LAN, and it load balances to the other two boxes.

              • foomanjee

                I have Foxnews.com and Foxbusiness.com behind two redundant pfsense firewalls running on Dell 2950's.

                • jahonix

                  @foomanjee:

                  Foxnews.com and Foxbusiness.com

                  Just out of curiosity: how much traffic do they generate on average?

                  • foomanjee

                    Obviously most of the http requests are Akamaized, but not all of it.  There's ads and everything else we deal with, plus odd projects, etc.  So, it's not so much 'bandwidth/traffic' as it is 'packets'.

                    I don't have a whole lot behind them yet, I'm in the process of moving more services from other datacenters.

                    At any rate, currently they're only doing about 60Mbps.  In 3 months' time, I expect to be doing about 1Gbps consistently.

                    • sai

                      @foomanjee:

                      In 3 months' time, I expect to be doing about 1Gbps consistently.

                      What sort of hardware are you planning on using for THAT?

                      • foomanjee

                        @sai:

                        @foomanjee:

                        In 3 months' time, I expect to be doing about 1Gbps consistently.

                        What sort of hardware are you planning on using for THAT?

                        I've already got 2 Dell 6850's allocated for it.  2950's will do the job easily, but you always want to be prepared for future growth.  6850's will let me ignore any firewall related hardware upgrades in the future.

                        • sullrich

                          @foomanjee:

                          I've already got 2 Dell 6850's allocated for it.  2950's will do the job easily, but you always want to be prepared for future growth.  6850's will let me ignore any firewall related hardware upgrades in the future.

                          Are you serious?  You are my new hero if you are!

                          • foomanjee

                            Yep, I'll be at the datacenter tomorrow, I'll take some pictures of our cage with my phone.  We've got 6 6850's in production right now, mostly for database servers.  Then another 40 or so 1950's/1850's in our cage, all behind the firewalls - which again, are 1950's for the time being.

                            1950's will surprise you, before I went live with the pfsense firewalls, I got around 600mbps through them in testing, stable.  Bursts up to around 800mbps.

                            I really don't want to do anymore changes to the firewalls until pfsense 1.2 is released.  FreeBSD 7 is going to help things a lot more than you might think.

                            • dnky_bones

                              @sullrich:

                              Are you serious?  You are my new hero if you are!

                              Tell me about it.  I was pretty stoked about my Epia LN10000EG 1 GHz fanless ITX deployment….."was" being the operative word lol..

                              But seriously, I think it's beautiful that the software scales so dramatically.  I'm curious, tho, are there any commercial gateway/firewalls that can handle that kind of load and have a similar feature set as PFS?.... that are within the same price range as a PowerEdge 6850?

                              Why would one choose PFS over a Cisco or Foundry, etc?

                              Once again, out of sheer morbid curiosity ;P

                              -M@

                              • foomanjee

                                I'm actually in the middle of this argument with one of my bosses.  He wants Cisco, mainly because of paid support - which I completely understand.  I told him I'm more comfortable with pfsense, I know what it can and can't do.  I don't know anything about Cisco IOS.

                                Plus the Cisco ASA, if you want to get anywhere near 1Gbps, you're looking at $190,000.  I'm sorry, it's just not worth it.

                                He may eventually overrule me on this, and make me dump pfsense, however I really, really don't think he's going to.

                                • sullrich

                                  @foomanjee:

                                  I'm actually in the middle of this argument with one of my bosses.  He wants Cisco, mainly because of paid support - which I completely understand.  I told him I'm more comfortable with pfsense, I know what it can and can't do.  I don't know anything about Cisco IOS.

                                  Plus the Cisco ASA, if you want to get anywhere near 1Gbps, you're looking at $190,000.  I'm sorry, it's just not worth it.

                                  He may eventually overrule me on this, and make me dump pfsense, however I really, really don't think he's going to.

                                  We have paid commercial support.  See the front page of pfsense.org :)

                                  • DWAyotte

                                    I have been running pfSense for a while now and I have it running everywhere.

                                    At work I have 3 sets of pfSense firewalls.  Primary and failover.  They work beautifully.  They are all running on Dell Optiplex GX260s which, if my memory serves me right, are around 2.4GHz each with 1GB RAM and 40GB HD.  I originally had 3COM 3c2000 NICs all over the place, but I had lots of issues so now I run Intel PRO1000s across the board.

                                    Each box runs rock solid and has about 300 computers behind them.  We run a lot of services from the company, primarily an offsite backup service for a few hundred clients, so we have a ton of traffic all the time.

                                    We recently upgraded to a 100mbit internet connection and our ISP recommended we purchase a Cisco 7204 for something like $9,000.  Well that didn't fly, so I slapped pfSense on another GX260 and turned off the firewall so it was just a router, and we stress tested the bad boy and were able to achieve a solid 300mbit, which was more than enough.  So I ended up paying a grand total of $0, which is just amazing.

                                    I would be able to replace my Cisco PIXs if pfSense could do Policy NAT, because we have a few hundred IPSEC tunnels and, as you can imagine, subnets get claimed really fast, so policy NAT is a must.

                                    I recently made a purchase on eBay of 50 Intel Pro 100s, so now whenever one of my coworkers, friends or relatives is in need of a firewall I just tell them to go find a working piece of crap computer and I will set them up an awesome firewall.  Needless to say I have a few dozen pfSense boxes running at their homes and an IPSEC tunnel to each, for helping them out with computer problems, file sharing, etc.  I have running at my house an old school P2 300MHz overclocked to 450MHz (that's such an insane increase if you think about it!) with 256MB RAM, 6GB HD.  It runs flawlessly.  My record uptime was 290 something days, but of course the power went out and killed my record (time for a UPS, right?).

                                    My only complaint is about the PPTP GRE NAT issue, but really, I love pfSense and have been nothing but pleased over and over and over.  Whenever I speak with other IT guys and friends I always promote pfSense; it is simply amazing and well on its way to becoming a Cisco/Checkpoint killer. The other boys can't really hold a candle to pfSense.

                                    Kudos to all you guys who help make pfSense what it is, you rock!!!

                                    • kevbo

                                      Our office has a single PII 400 with 128MB RAM and 5 3COM 3C905-TX NICs, 3 of which are currently in use. We have about 50 constant users, and our average bandwidth usage is around 6MBps of our cable connection and 1-1.5 of our DSL. The only service we use so far is ntop, so it doesn't seem to be overloaded yet. This machine was supposed to be just a demo for the bosses, but ended up working so well that we put it in production and it stayed there. Within a few months I'm hoping we'll get permission to buy a new system for it so I can get better traffic filtering in place.

                                      • dnky_bones

                                        @foomanjee:

                                        Yep, I'll be at the datacenter tomorrow, I'll take some pictures of our cage with my phone.  We've got 6 6850's in production right now, mostly for database servers.  Then another 40 or so 1950's/1850's in our cage, all behind the firewalls - which again, are 1950's for the time being.

                                        So where are those pictures at foo!  ???    ;D

                                        -M@

                                        • foomanjee

                                          Was in a different post!

                                          http://box.nevernet.com/~foo/IMG00036.jpg

                                          10 6850's, a bunch of 1950's, and a few 1750's.  Few Sun boxes, too.  In about a week we're going to have a gigantic 3Par (san) cabinet that everything pulls from.

                                          • DWAyotte

                                            @foomanjee:

                                            Was in a different post!

                                            http://box.nevernet.com/~foo/IMG00036.jpg

                                            10 6850's, a bunch of 1950's, and a few 1750's.  Few Sun boxes, too.  In about a week we're going to have a gigantic 3Par (san) cabinet that everything pulls from.

                                            /drool

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.