Howto setup pfsense to manage more than 300mbits throughput or 500k packets?

General pfSense Questions. 8 Posts, 6 Posters, 3.9k Views
tommics:

Hey folks,

We are investigating whether pfSense can help us out in dealing with some heavy DoS attacks. We are searching for a setup which can manage at least 500,000 incoming packets/s or at least easily manage about 300 Mbit/s.

Our testing scenario is the following.

pfSense 1.2.2 as a transparent bridge with an Intel Gigabit NIC PRO/1000 MF, 2 Xeon CPUs @ 3.2 GHz each and 4 GB RAM.
pfSense's WAN interface is connected to a 3Com Gigabit switch over fiber. Also connected to this switch are 3 traffic generator machines. They are running Debian and using packETH for generating traffic. Each is generating an output of about 150 Mbit, so we should see 450 Mbit on WAN.

When we disable all firewalling features in pfSense, it seems to cap the traffic at 300 Mbit. It doesn't matter whether we turn the third traffic generator on or off.
pfSense CPU utilization displays 30% usage.

When we enable firewalling, throughput drops dramatically to between 60 and 100 Mbit/s. We don't even have any rules applied except pass everything.

Are there any tweaks or misconfiguration flaws which can result in this behavior?
Has someone tested a similar setup and can share what hardware is needed to manage this traffic?

Thanks in advance.

Best Regards!

PS: after one day of testing we get the following error:

ad0: FAILURE memory in out of start?!

GruensFroeschli:

Are these PCI NICs?
The whole internal PCI bus has a maximum speed of 1 Gbit (in all directions).

300 Mbit sounds about right for PCI.
(300 Mbit from the receiving NIC, 300 Mbit to the transmitting NIC, plus whatever else is running on the bus.)

What kind of traffic do these generators produce?

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

tommics:

The NIC is PCI-X (64-bit 66 MHz = 0.533 GByte/s = 4 GBit/s), so that should not be the limiter :(
packETH is producing the same packet we were attacked with. You can just import that from a tcpdump. It is TCP to dst port 22 with some random payload.

Supermule:

You see 250,000 PPS at 1 Gbps wire speed (size 500 bytes). Normal overall traffic sees 700 bytes average per packet. It sounds like you have an IBM xSeries server or something running.

tommics:

No, it's no xSeries server. It's a self-assembled Tyan S5350 board. Is there a flaw in the xSeries? Perhaps that's our problem too?
Do you think our hardware should be able to manage more traffic? Or is this a good value for our setup?

Perry:

AFAIK 300 Mbit/s throughput with 500k packets could be hard to reach if frame sizes are small.
Though I don't think it will change much, it's best practice to test with the latest stable FreeBSD version, which atm. is 7.2 = pfSense 1.2.3 (http://snapshots.pfsense.org). Upgrade the motherboard BIOS and set State Tables = your RAM size (4 GB = 3,000,000).

/Perry
doc.pfsense.org

Abacabb:

Just wanted to say I'm doing over 400 Mbit/s at the moment in a NATed network, no tweaks whatsoever.

I use an E5420 quad core + 4 GB RAM + 80 GB SATA disk + Intel PRO/1000 MT NICs; load on the CPU is now 50%.

cmb:

You're probably exhausting the state table first; you'll need to bump it way up from the default 10,000.
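The arithmetic scattered through this thread (GruensFroeschli's shared-PCI-bus point, Supermule's 250k pps at 1 Gbps with 500-byte packets, Perry's "small frames" and "4 GB = 3,000,000 states" remarks, and cmb's state-table exhaustion) fits in one small capacity-budget script. This is an added example written for this thread, not pfSense code and not posted by anyone above. The Ethernet preamble and inter-frame gap constants are standard; the per-state memory (1 KB) and usable-RAM fraction (70%) in `states_for_ram` are assumptions chosen only to land near Perry's figure, and every function and parameter name is the example's own.

```python
"""Back-of-envelope capacity budget for a packet flood through a bridging
firewall. Added example for this thread, not pfSense code; the inputs are the
figures posted above (1 Gbps link, 500-byte packets, 300 Mbit/s observed,
500k pps, pf's default 10,000 states, Perry's "4 GB = 3,000,000 states")."""

# Bytes on the wire per frame that are NOT part of the Ethernet frame itself:
# 7-byte preamble + 1-byte SFD + 12-byte inter-frame gap. The 14-byte header
# and 4-byte FCS are counted as part of frame_bytes below.
ETH_WIRE_OVERHEAD_BYTES = 8 + 12


def packets_per_second(bits_per_second: float, frame_bytes: int,
                       on_wire: bool = False) -> float:
    """Packet rate a link carries at a fixed frame size.

    on_wire=False reproduces the thread's arithmetic (1 Gbps / 500 B = 250k pps).
    on_wire=True charges the preamble and inter-frame gap too, which is the
    rate the NIC and pf actually have to keep up with."""
    per_frame = frame_bytes + (ETH_WIRE_OVERHEAD_BYTES if on_wire else 0)
    return bits_per_second / (per_frame * 8)


def average_frame_bytes(bits_per_second: float, pps: float) -> float:
    """Average frame size implied by a bit rate and a packet rate."""
    return bits_per_second / (pps * 8)


def pci_bus_bits_per_second(width_bits: int, clock_mhz: float) -> float:
    """Theoretical peak of a parallel PCI/PCI-X bus (width x clock)."""
    return width_bits * clock_mhz * 1e6


def bridge_bus_share(forwarded_bps: float, bus_bps: float) -> float:
    """Fraction of a shared bus a bridge consumes: every forwarded bit crosses
    the bus twice, in from the receiving NIC and out to the transmitting NIC."""
    return 2 * forwarded_bps / bus_bps


def seconds_to_exhaust_states(state_limit: int, new_states_per_second: float) -> float:
    """Time a flood of fresh flows needs to fill the pf state table. On a
    'pass everything' rule each packet from a new source port opens a state,
    so a flood creates states at roughly its packet rate."""
    return state_limit / new_states_per_second


def states_for_ram(ram_bytes: int, bytes_per_state: int = 1024,
                   usable_fraction: float = 0.7) -> int:
    """State-table size for a given amount of RAM.

    ASSUMPTION: ~1 KB per state and ~70% of RAM reserved for states. These are
    rule-of-thumb values picked so that 4 GB lands near Perry's 3,000,000;
    they are not figures from the thread or from pfSense itself."""
    return int(ram_bytes * usable_fraction / bytes_per_state)


def budget(link_bps=1e9, frame_bytes=500, observed_bps=300e6, observed_pps=500_000,
           state_limit=10_000, ram_bytes=4 * 2**30) -> dict:
    """Collect the numbers worth sanity-checking before buying hardware."""
    return {
        "pps_at_link_rate_nominal": packets_per_second(link_bps, frame_bytes),
        "pps_at_link_rate_on_wire": packets_per_second(link_bps, frame_bytes, on_wire=True),
        "pps_min_frames_on_wire": packets_per_second(link_bps, 64, on_wire=True),
        "avg_frame_bytes_observed": average_frame_bytes(observed_bps, observed_pps),
        "pci_32_33_bus_share": bridge_bus_share(observed_bps, pci_bus_bits_per_second(32, 33)),
        "pcix_64_66_bus_share": bridge_bus_share(observed_bps, pci_bus_bits_per_second(64, 66)),
        "seconds_to_fill_default_states": seconds_to_exhaust_states(state_limit, observed_pps),
        "states_for_ram": states_for_ram(ram_bytes),
    }


if __name__ == "__main__":
    for key, value in budget().items():
        print(f"{key:32s} {value:,.3f}")
```

Running it with the thread's numbers shows why the two goals in the title are not the same goal: 300 Mbit/s at 500k pps means 75-byte packets, close to the 64-byte minimum, and at that size a gigabit link delivers about 1.49 million frames per second, not the 250k that the 500-byte figure suggests. It also shows that the default state table would fill in 20 ms at that rate. On the firewall itself, `pfctl -si` reports the current number of state entries and `pfctl -sm` the configured states hard limit, so the time-to-fill estimate can be compared with what the table actually does during a test run.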
