How Far Have You Scaled Your PFS Box?
-
Are you serious? You are my new hero if you are!
Tell me about it. I was pretty stoked about my Epia LN10000EG 1 GHz fanless ITX deployment... "was" being the operative word, lol.
But seriously, I think it's beautiful that the software scales so dramatically. I'm curious, though: are there any commercial gateways/firewalls that can handle that kind of load and have a similar feature set to PFS... that are within the same price range as a PowerEdge 6850?
Why would one choose PFS over a Cisco or Foundry, etc?
Once again, out of sheer morbid curiosity ;P
-M@
-
I'm actually in the middle of this argument with one of my bosses. He wants Cisco, mainly because of paid support, which I completely understand. I told him I'm more comfortable with pfSense; I know what it can and can't do. I don't know anything about Cisco IOS.
Plus the Cisco ASA: if you want to get anywhere near 1 Gbps, you're looking at $190,000. I'm sorry, it's just not worth it.
He may eventually overrule me on this and make me dump pfSense; however, I really, really don't think he's going to.
-
I'm actually in the middle of this argument with one of my bosses. He wants Cisco, mainly because of paid support, which I completely understand. I told him I'm more comfortable with pfSense; I know what it can and can't do. I don't know anything about Cisco IOS.
Plus the Cisco ASA: if you want to get anywhere near 1 Gbps, you're looking at $190,000. I'm sorry, it's just not worth it.
He may eventually overrule me on this and make me dump pfSense; however, I really, really don't think he's going to.
We have paid commercial support. See the front page of pfsense.org :)
-
I have been running pfSense for a while now and I have it running everywhere.
At work I have 3 sets of pfSense firewalls, primary and failover. They work beautifully. They are all running on Dell Optiplex GX260s which, if my memory serves me right, are around 2.4 GHz each with 1 GB RAM and a 40 GB HD. I originally had 3COM 3c2000 NICs all over the place, but I had lots of issues, so now I run Intel PRO/1000s across the board.
Each box runs rock solid and has about 300 computers behind it. We run a lot of services from the company, primarily an offsite backup service for a few hundred clients, so we have a ton of traffic all the time.
We recently upgraded to a 100 Mbit internet connection and our ISP recommended we purchase a Cisco 7204 for something like $9,000. Well, that didn't fly, so I slapped pfSense on another GX260 and turned off the firewall so it was just a router. We stress tested the bad boy and were able to achieve a solid 300 Mbit, which was more than enough. So I ended up paying a grand total of $0, which is just amazing.
I would be able to replace my Cisco PIXes if pfSense could do Policy NAT, because we have a few hundred IPsec tunnels and, as you can imagine, subnets get claimed really fast, so policy NAT is a must.
I recently made a purchase on eBay of 50 Intel Pro 100s, so now whenever one of my coworkers, friends or relatives is in need of a firewall I just tell them to go find a working piece-of-crap computer and I will set them up an awesome firewall. Needless to say, I have a few dozen pfSense boxes running at their homes and an IPsec tunnel to each, for helping them out with computer problems, file sharing, etc. I have running at my house an old-school P2 300 MHz overclocked to 450 MHz (that's such an insane increase if you think about it!) with 256 MB RAM and a 6 GB HD. It runs flawlessly. My record uptime was 290-something days, but of course the power went out and killed my record (time for a UPS, right?).
My only complaint is about the PPTP GRE NAT issue, but really, I love pfSense and have been nothing but pleased over and over and over. Whenever I speak with other IT guys and friends I always promote pfSense; it is simply amazing and well on its way to becoming a Cisco/Checkpoint killer. The other boys can't really hold a candle to pfSense.
Kudos to all you guys who help make pfSense what it is, you rock!!!
-
Our office has a single PII 400 with 128MB RAM and 5 3COM 3C905-TX NICs, 3 of which are currently in use. We have about 50 constant users, and our average bandwidth usage is around 6MBps of our cable connection and 1-1.5 of our DSL. The only service we use so far is ntop, so it doesn't seem to be overloaded yet. This machine was supposed to be just a demo for the bosses, but ended up working so well that we put it in production and it stayed there. Within a few months I'm hoping we'll get permission to buy a new system for it so I can get better traffic filtering in place.
-
Yep, I'll be at the datacenter tomorrow, I'll take some pictures of our cage with my phone. We've got 6 6850's in production right now, mostly for database servers. Then another 40 or so 1950's/1850's in our cage, all behind the firewalls - which again, are 1950's for the time being.
So where are those pictures at foo! ??? ;D
-M@
-
Was in a different post!
http://box.nevernet.com/~foo/IMG00036.jpg
10 6850's, a bunch of 1950's, and a few 1750's. Few Sun boxes, too. In about a week we're going to have a gigantic 3Par (san) cabinet that everything pulls from.
-
Was in a different post!
http://box.nevernet.com/~foo/IMG00036.jpg
10 6850's, a bunch of 1950's, and a few 1750's. Few Sun boxes, too. In about a week we're going to have a gigantic 3Par (san) cabinet that everything pulls from.
/drool
-
After a few days of installing, testing, transferring existing rules/routes, and some testing again, I can proudly say: the new pfSense firewall/router is working instead of the Alliedtelesyn Rapier 24i.
I have installed pfSense on an Intel SR1350AHLX (dual-core Xeon, 2 GB RAM, 2x 500 GB HDD in RAID 1, 2 integrated Gb NICs and an additional PCI-X 2-port Intel Gb NIC). This machine is serving 1 WAN connection (E1, soon double E1), 4 VLANs (in one of the VLANs I have internal routers for 9 other networks), 1 DMZ and one admin network. On the VLAN port, VLANs are distributed through a gigabit port on an AT8000S/24 switch and fiber optics.
Altogether there are around 400 PCs, 30+ servers (Windows and UNIX), a few dozen print servers, etc.
For now load is minimal. Tomorrow I am adding some IPSec tunnels.
So far this is my biggest pfSense installation.
Sasa
-
My biggest pfSense installation to date is a pair of Dell 1950s that have been running 1.01 flawlessly for something over a year now. They're in a cabinet at a data center, supporting a handful of web servers, a mail and DNS server and a few (non-public) database servers. 95th %ile traffic is around 2 megabits, but we get spikes up to 10 during the day.
I had hoped to use pfSense for the firewall when we moved into our new office space last summer, too, but the Pentium III box I had handy to install the firewall on wouldn't boot either 1.01 or the 1.2 beta, or anything else with a FreeBSD kernel. I never did find out why. Fortunately, it boots OpenBSD just fine, so at least I still get pf, even without the web interface and the additional features I like in pfSense.
-
I had hoped to use pfSense for the firewall when we moved into our new office space last summer, too, but the Pentium III box I had handy to install the firewall on wouldn't boot either 1.01 or the 1.2 beta, or anything else with a FreeBSD kernel. I never did find out why. Fortunately, it boots OpenBSD just fine, so at least I still get pf, even without the web interface and the additional features I like in pfSense.
You should retry with the upcoming 1.3 release, which will be based on FreeBSD 7. Also make sure your BIOS is up to date, and maybe exchange the CD-ROM; FreeBSD is sometimes picky about CD-ROMs.
-
Will take a few more pictures on Monday. We've grown considerably since I originally commented on this thread.
-
I had hoped to use pfSense for the firewall when we moved into our new office space last summer, too, but the Pentium III box I had handy to install the firewall on wouldn't boot either 1.01 or the 1.2 beta, or anything else with a FreeBSD kernel. I never did find out why. Fortunately, it boots OpenBSD just fine, so at least I still get pf, even without the web interface and the additional features I like in pfSense.
You should retry with the upcoming 1.3 release, which will be based on FreeBSD 7. Also make sure your BIOS is up to date, and maybe exchange the CD-ROM; FreeBSD is sometimes picky about CD-ROMs.
I already tried with a FreeBSD 7 release candidate CD, and again with RELEASE. Those won't boot either. (Neither will 6.2 or Dragonfly, and neither will a hard drive with pfSense installed on it and moved from another box.)
If I were ever to replace that firewall with a different machine, I would try pfSense again. It's been outstanding in our data center cabinet. But for now, the OpenBSD installation we have is working fine.
-
Just for the record, which PIII hardware is that? Motherboard and chipset manufacturer?
-
My setup provides Internet for about 500 people, with policy-based load balancing on 8 x 8/2 Mbit ADSLs. I left out a lot of details about the equipment for the ADSLs, the LAN and layer-2 failover.

  | A1 | A2 | A3 | A4 | A5 | A6 | A7 | A8 |      (8 x 8/2 Mbit ADSL)
    |    |    |    |    |    |    |    |
  *********************************************
  *                 VLAN Switch               *
  *********************************************
           |                         |
  *******************    sync    *******************
  *   PFSense 1.2   * - - - - - -*   PFSense 1.2   *
  *******************            *******************
           \                         /
            *******************
            *   VLAN Switch   *
            *******************
           /                         \
  *******************    sync    *******************
  *   PFSense 1.2   * - - - - - -*   PFSense 1.2   *
  *******************            *******************
           \                         /
            *******************
            *   VLAN Switch   * ------------ DMZ (through the firewall setup)
            *******************
                     |
              500 people LAN

./Thomas
-
Just for the record, which PIII hardware is that? Motherboard and chipset manufacturer?
Looks like it's not a PIII, it's a Duron. According to dmidecode, the motherboard is an Asus A7N8X2.0 with Phoenix BIOS dated 2003-03-19.
-
…and with an nVidia nForce2 chipset.
The nve(4) driver supports the NVIDIA MCP onboard adapters of mainboards with the following chipsets:
* nForce
* nForce2
* nForce3
* nForce4
So I guess the chipset should be supported. The AMD Duron is in this list as well. Hm…
What about your BIOS settings? Have you tried to disable ACPI / flash the latest firmware etc.?
Found this from a quick Google search: http://marc.info/?l=freebsd-questions&m=111719084502712&w=2
Try disabling firewire in the bios.
I had the same problem with my system (A7N8X). Worked until 4.9 then
stopped working. Disabling firewire allowed me to boot.
Thanks for the tip on disabling firewire to get this board to work.
Do you have the sata raid going as well? Never tried it.
-
qdk
why do you have 2 sets of failover pairs of firewalls?
-
@sai:
qdk
why do you have 2 sets of failover pairs of firewalls?
Just to keep it simple… The first layer of firewalls isn't needed when decent Internet is provided, like a 100 Mbit fiber terminated in Ethernet. Furthermore, there are some limits with the captive portal, and it didn't go well with the policy-based routing.
./Thomas
-
So it's been a little over a year since this thread began; I figure there's got to be some new stories out there. Since I started this thread, I've deployed 4 more PFSes, and am working on my 5th tonight. I've been following the same template as I outlined earlier: VIA EPIA LN 10000EG mini-ITX boards running off CFs. Though I did have my first CF failure (I've been running them in x86 mode rather than embedded). Fortunately, solid state drives have come down in price enough now that I was able to replace that CF with a 32 GB SSD. The nice thing is, however, that when a CF fails the vast majority of the data is still intact and accessible, so I was able to pull the XML file off the old CF and put it on a brand new install on the new SSD. The only picture I have, I took with my cellphone.
The box I'm installing tomorrow is just an Alix board; it will be used as a remote IPsec gateway... actually connecting to the PFS box in the above picture, as luck would have it.
So... any new stories out there? Is the FoxNews guy still lurking about? It's always interesting to see what others have done/are doing with this stuff!!
-M@
-
Currently we are pushing 500 Mbit+ through firewalls built up of Intel DG965SS desktop boards, Intel Pro 1000s and 4 GB RAM with v1.2.2. The RAM usage is fine, but at about 500 Mbit the CPU is in the red at 90%+. We are currently looking at upgrading the hardware with the least expensive solution possible that will allow us to saturate 1 Gbit of traffic. We love pfSense and really want to donate money, and will as soon as a couple of our projects take off a bit. I feel awful about not having anything sizable to give at the moment, because this software really is wonderful. It's amazing how tight money is these days.
-
Nice :) What CPU are you using in that Intel board?
-M@
-
1.86 GHz E6300
-
Just starting out with PFsense.
First deployment was in a VM on my server (I know a dedicated box would be better, but I can't afford to co-lo a 2nd box just for the firewall); now it's sitting between the other VMs and the internet, also doing a bit of routing quite nicely.
Second was on a Dell GX240 at home, to load balance my DSL lines.
Replaced the Dell with an Alix 2D3 (my DSL lines come into my living room atm, so the noise from the Dell got on my nerves) and just upgraded it to 2.23-prerelease, since 2.22 seemed to crash/reboot itself a couple of times; I wanted to see if it was a problem specific to 6.22.
The box on the VM has a 100 Mbit connection, although most of the time it isn't pushing more than 1-2 Mbit/s.
The Alix is working as a firewall/NAT router and load balancer.
I sometimes use the inbuilt PPTP server to remote in when on HSDPA, although that's speed limited by the DSL. (VPN is only set up for WAN1.)
The DSL lines are synched at ~24 Mbit on the downstream and ~2.5 Mbit on the upstream. Taking overheads into account, with pfSense doing the load balancing it allows me to pull about 40 Mbit/s of actual IP throughput in the downstream direction and 4 Mbit/s in the upstream direction.
-
We have pfSense running on a Dell PowerEdge server with a 2.4 GHz Xeon processor and I think 2 gig of RAM.
We have a 100/100 connection, and with Snort monitoring traffic we are getting 58/48 through the firewall/router, which is actually pretty decent. With Snort off we get about 90/60.
-
Update:
We have an Intel SR1520ML server that we are testing. This thing has 2 separate servers in it. Each side we have a 2.4Ghz quad core cpu and 4GB DDR2-800 memory with the x83ML boards. With the onboard nics that it comes with, the thing will saturate 1GB. Right now we are pushing it over 750MBit pretty consistently. The cpu isn't even hitting 45%.
I have attached a pic for the non believers ;)
-
:o Yup…..now THAT'S what I'm talking about :o Now lets see it do that in the real world ;)
-
Actually now it is in the real world. We have proxyarped a few servers behind it pushing real traffic.
-
Awesome thread!
I have PFS running on a Mini-ITX Intel board by Jenson: 1.6 GHz Core Duo, 2 gig RAM stick, 1 gig IDE solid state, (4) gigabit Ethernet adapters, 3 wireless USB sticks. Running PFS 1.2.3. I am currently combining 3 WAN connections into our home for personal use.
No pictures right now of the case, it looks like a fat common router case.
-
I use pfSense at about six locations, providing internet to a total of about 500 users and growing. Each location has at least a 16 Mbps/2 Mbps line to the internet; some are multi-WAN. The pfSense boxes use very little resources and I literally "set it... and forget it" :) I log in remotely every couple of weeks just to look at some of the usage graphs and poke around a little bit. I cannot wait for 2.0 to be released, but I am almost positive I will be using it while it's still in RC. When 1.2 was in RC it was solid as a rock, so I'm kind of hoping the same for 2.0.
This project is truly amazing and I can't compliment the developers enough. Although money is also tight here, I try to help the project by providing them with a VM in a top-notch datacenter.
Don't forget to help support the pfSense developers and the project if you're using pfSense in any way, especially in a commercial environment!!!!
-
I work as a freelancer for a business school. In our network there are around 300-400 users connected over wifi to the network, and around 200 faculty systems (some are Linux terminal servers, others are fat clients/laptops). We have 3 x 2 Mbps links which are load balanced by pfSense for all the users. pfSense has been running super stable for the last 8 months now, with about 3-4 reboots (just for the heck of it; pfSense never gave up). We have already pushed 3.85 TB of data to the internet. Thank you pfSense.
-
This is the main MRTG graph on a 10gbit link attached to a PFSense box. Pfsense is really rocking! I can't discuss too much detail about the systems, but they have 16GB ram and Xeon Processors. 35% CPU utilization on 8 cores with this level of traffic. Network cards are PCI-E 8x and pfsense is acting as a core router. No NAT, No firewall. Same performance as a $250,000 Cisco. We were deciding between a fully loaded Catalyst 6500 and this system. Price and performance won out here. We were using custom FreeBSD for this, but we have applied our tweaks to PFSense, so that there is a more friendly interface to those that need to support this system. I find that the biggest issue isn't amount of traffic, but packets. We are averaging ~215,000 packets per second on the WAN. This is a ridiculous number to wrap around, and for those of you trying to do the math, the packet size in the real world is not a perfect 1500. For those of you that know this, please forgive me, I just don't want to explain that the average bandwidth should not be 2.4gbps based on the pps.
-
I tend to go a little overboard on all my builds, so my firewall was no exception. I just finished my third box. I started with a VIA 900 MHz embedded motherboard with 3 NICs and 1 wireless NIC, 512 RAM. Second was a retired Inspiron 6000 laptop: 2 NICs (would have done more but only 1 PCMCIA slot) and 1 wifi, 1.3 GHz Celeron and 2 GB RAM. The final one I am using currently is an Intel D945GNC ATX board with a Q9400 quad core, 3.5 GB of RAM, 2 Intel PRO/1000 NICs for LAN, onboard 10/100 for the WAN and 1 10/100 PCI NIC for WAN2, and a D-Link wireless card. The utilization is far below what it can handle, even with the 7 VPN connections that run all the time. I will have this one for quite a while. Gotta love pfSense…
-
Unlocking topic. Let's hear some more stories. 2.0 stories would be nice, too!
-
Fun to see a thread I started so long ago still kicking :)
This one isn't all that exciting as far as throughput goes, but it's mildly interesting. I've got an Intel 1.6 GHz single-core Atom board running with a Soekris quad NIC in it, load balancing 4 DSL lines. This box is actually running in the press box of Qualcomm Stadium for the San Diego Chargers media folks. It's sad that in a stadium named after a communications giant all we can get is standard ADSL lines, but on a budget I put this box together and have about half a dozen Cisco Aironets hanging off it, and the thing actually load balances quite well. I'm thinking about upgrading to 2.0 for the coming season, as I hear the load balancing is improved. The only other feature I'm using is the Captive Portal. But in my experience thus far, the Intel Atom boards are EXTREMELY stable running pfSense!
Is the load balancing in 2.0 improved enough to warrant the upgrade?
-
Is the load balancing in 2.0 improved enough to warrant the upgrade?
IMHO, it's way easier to set up and it's a lot more flexible. You can achieve a very complex setup with a mix of load balancing, failover and policy-based routing.
As to whether it's actually better at load balancing? I have no numbers to show any real improvement. I could say it 'seems' better. It has produced fewer odd website problems. It certainly seems to play nicer with speedtest.net, though that could just be speedtest updating their client. ;)
Steve
-
I see the same thing with speedtest.net on 1.2.3 I can get over 15 Mb/s out of a bunch of 6 Mb/s DSL lines. I think the speedtest client just opens several concurrent connections and aggregates them for the speed display, though I haven't run a packet capture or anything on it.
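Steve's post above describes the 2.0 multi-WAN mix (round-robin load balancing, failover, policy-based routing), and the speedtest observation in this post comes from each connection being handed to a different gateway. As an added illustration, not taken from the thread or from the pfSense project's generated rules, here is what that mix looks like expressed directly in pf.conf on top of pf's route-to. Interface names, the LAN network and the two gateway addresses are constructed placeholders (RFC 5737 space), and the ruleset is deliberately minimal.

```pf
# Added example: two-WAN load balancing plus policy routing in pf.conf.
# All names and addresses below are constructed placeholders.
lan_if  = "em0"
lan_net = "192.168.1.0/24"
wan1_if = "em1"
wan1_gw = "198.51.100.1"
wan2_if = "em2"
wan2_gw = "203.0.113.1"

# Source NAT on each uplink, so replies return over the link a flow left on.
nat on $wan1_if from $lan_net to any -> ($wan1_if)
nat on $wan2_if from $lan_net to any -> ($wan2_if)

# Default deny; allow LAN-side delivery and access to the firewall itself.
block all
pass out on $lan_if from any to $lan_net keep state
pass in quick on $lan_if from $lan_net to $lan_if keep state

# Policy routing: outbound SMTP always leaves via WAN1 (e.g. because that
# uplink's fixed address is what remote mail servers expect). "quick" makes
# this rule win before the generic balancing rules below are considered.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) \
    proto tcp from $lan_net to any port 25 flags S/SA keep state

# Per-connection round-robin balancing of everything else from the LAN.
# Each new state picks the next gateway in the pool, which is why a client
# that opens several parallel connections sees more than one line's speed.
pass in on $lan_if route-to \
    { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin \
    proto tcp from $lan_net to any flags S/SA keep state
pass in on $lan_if route-to \
    { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# Let the balanced flows out of either uplink.
pass out on $wan1_if keep state
pass out on $wan2_if keep state

# Packets carrying a WAN address as source must leave via that WAN's
# gateway; otherwise the system default route would push them out the
# wrong uplink and the far end would see an asymmetric, unroutable reply.
pass out on $wan1_if from $wan2_if route-to ($wan2_if $wan2_gw)
pass out on $wan2_if from $wan1_if route-to ($wan1_if $wan1_gw)
```

Two design notes. First, appending `sticky-address` to `round-robin` pins every connection from one source address to one gateway; that removes the "session jumps between public IPs" problems some websites show under balancing, but it also removes the parallel-connection aggregation that makes speedtest report more than one line's bandwidth. Second, failover is not something a static pf ruleset expresses on its own: taking a dead gateway out of the pool relies on gateway monitoring rewriting the rules, which is the part pfSense handles for you above the pf layer.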
-
I'm actually in the middle of this argument with one of my bosses. He wants Cisco, mainly because of paid support, which I completely understand. I told him I'm more comfortable with pfSense; I know what it can and can't do. I don't know anything about Cisco IOS.
-
I'm actually in the middle of this argument with one of my bosses. He wants Cisco, mainly because of paid support, which I completely understand. I told him I'm more comfortable with pfSense; I know what it can and can't do. I don't know anything about Cisco IOS.
There is commercial support for pfSense, too:
http://www.pfsense.org/index.php?option=com_content&task=view&id=62&Itemid=73
-
I'm actually in the middle of this argument with one of my bosses. He wants Cisco, mainly because of paid support, which I completely understand. I told him I'm more comfortable with pfSense; I know what it can and can't do. I don't know anything about Cisco IOS.
Depends on the application, but for most small businesses pfSense is much more capable than Cisco, and doesn't nickel-and-dime you to death. I like to use pfSense for firewalls/routers, and Cisco for switches. pfSense does "router on a stick" with a Cisco switch just as well as Cisco does.