How to set up pfSense to manage more than 300 Mbit/s throughput or 500k packets/s?
-
Hey folks,
We are investigating whether pfSense can help us out in dealing with some heavy DoS attacks. We are searching for a setup which can manage at least 500,000 incoming packets/s, or at least easily manage about 300 Mbit/s.
Our testing scenario is the following.
pfSense 1.2.2 as a transparent bridge with Intel Gigabit PRO/1000 MF NICs, 2 Xeon CPUs @ 3.2 GHz each and 4 GB RAM.
pfSense's WAN interface is connected to a 3Com Gigabit switch over fiber. Also connected to this switch are 3 traffic generator machines. They are running Debian and using packETH for generating traffic. Each is generating an output of about 150 Mbit/s, so we should see 450 Mbit/s on WAN. When we disable all firewalling features in pfSense it seems to cap the traffic at 300 Mbit/s. It doesn't matter if we turn the third traffic generator on or off.
pfSense CPU utilization displays 30% usage. When we enable firewalling, it dramatically decreases throughput to between 60 and 100 Mbit/s. We don't even have any rules applied except pass everything.
Are there any tweaks or misconfigurations which can result in this behavior?
Has anyone tested a similar setup and can share what hardware is needed to manage this traffic? Thanks in advance.
Best Regards!
PS: after one day of testing we get the following error:
ad0: FAILURE memory in out of start?!
-
Are these PCI NICs?
The whole internal PCI bus has a maximum speed of 1 Gbit/s (in all directions). 300 Mbit/s sounds about right for PCI.
(300 Mbit/s from the receiving NIC, 300 Mbit/s to the transmitting NIC, plus whatever else is running on the bus.) What kind of traffic do these generators produce?
-
The NIC is PCI-X (64-bit 66 MHz = 0.533 GByte/s = 4 Gbit/s), so that should not be the limiter :(
packETH is producing the same packet we were attacked with; you can just import that from a tcpdump capture. It is TCP to dst port 22 with some random payload.
-
You see 250,000 PPS at 1 Gbps wire speed (size 500 bytes). Normal overall traffic sees 700 bytes average per packet. It sounds like an IBM xSeries server or something you have running.
-
No, it's no xSeries server. It's a self-assembled Tyan S5350 board. Is there a flaw in the xSeries? Perhaps that's our problem too?
Do you think our hardware should be able to manage more traffic? Or is this a good value for our setup?
-
AFAIK 300 Mbit/s throughput with 500k packets/s could be hard to reach if frame sizes are small.
Though I don't think it will change much, it's best practice to test with the latest stable FreeBSD version, which atm is 7.2 = pfSense 1.2.3 (http://snapshots.pfsense.org), upgrade the motherboard BIOS and set State Tables = your RAM size (4 GB = 3,000,000).
-
Just wanted to say I'm doing over 400 Mbit/s at the moment in a NATed network, no tweaks whatsoever.
I use an E5420 quad core + 4 GB RAM + 80 GB SATA disk + Intel PRO/1000 MT NICs; load on the CPU is now 50%.
-
You're probably exhausting the state table first; you'll need to bump it way up from the default 10,000.
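The thread trades several figures without showing the arithmetic: the PCI vs PCI-X bus ceiling, 250,000 pps at 1 Gbit/s with 500-byte packets, the original poster's target of 300 Mbit/s at 500k pps, and the 10,000 default vs 3,000,000 state table. The block below recomputes them in one place as an added example; it is not code from the thread or from pfSense. The 120 s TCP first-packet timeout is pf's default (tcp.first), and the one-state-per-packet assumption models a SYN flood from random source addresses, which is the worst case for the state table; both are assumptions of this example, not facts stated in the thread.

```python
"""Capacity arithmetic for the three numbers argued about in this thread.

1. bus ceiling: is a plain PCI slot the bottleneck, or is PCI-X fine?
2. link rate: how many packets/s is a given bit rate at a given frame size?
3. state table: how fast does a flood of new connections fill pf's table?
"""

# Ethernet on-wire overhead that is NOT counted in the frame size people
# quote: 7 B preamble + 1 B start-frame delimiter + 12 B inter-frame gap.
# The 4 B FCS is normally counted inside the frame size, so it stays there.
ETH_PREAMBLE_SFD_BYTES = 8
ETH_IFG_BYTES = 12
ETH_MIN_FRAME_BYTES = 64     # smallest legal frame, FCS included
ETH_MAX_FRAME_BYTES = 1518   # largest untagged frame, FCS included

# Assumption: pf keeps a TCP state this long after the first SYN if nothing
# completes the handshake (pf.conf "tcp.first" default, 120 s). A SYN flood
# from random sources creates one such state per packet.
PF_TCP_FIRST_TIMEOUT_S = 120
PF_DEFAULT_MAX_STATES = 10_000           # default quoted in the thread
PF_SUGGESTED_MAX_STATES_4GB = 3_000_000  # value suggested in the thread


def bus_bandwidth_bps(width_bits: int, clock_hz: float) -> float:
    """Raw peak bandwidth of a parallel bus, shared by every card on it."""
    return width_bits * clock_hz


def link_pps(link_bps: float, frame_bytes: int) -> float:
    """Maximum frames/s a link carries when every frame is frame_bytes long."""
    if not ETH_MIN_FRAME_BYTES <= frame_bytes <= ETH_MAX_FRAME_BYTES:
        raise ValueError(f"{frame_bytes} B is not a legal Ethernet frame size")
    wire_bits = (frame_bytes + ETH_PREAMBLE_SFD_BYTES + ETH_IFG_BYTES) * 8
    return link_bps / wire_bits


def avg_packet_bytes(bps: float, pps: float) -> float:
    """Average bytes per packet implied by a bit rate and a packet rate."""
    return bps / pps / 8


def state_table_fill_seconds(max_states: int, new_states_per_s: float,
                             state_lifetime_s: float):
    """Seconds until a table of max_states entries is full when
    new_states_per_s fresh states arrive and each lives state_lifetime_s.
    Returns None when expiry keeps up and the table never fills."""
    steady_state_occupancy = new_states_per_s * state_lifetime_s
    if steady_state_occupancy <= max_states:
        return None
    # Nothing has expired yet when the table fills, because
    # max_states / new_states_per_s < state_lifetime_s in this branch.
    return max_states / new_states_per_s


def thread_numbers() -> dict:
    """The figures from the thread, recomputed."""
    return {
        # a 32-bit/33 MHz PCI slot vs the 64-bit/66 MHz PCI-X slot in the OP's box
        "pci_gbps": bus_bandwidth_bps(32, 33.33e6) / 1e9,
        "pcix_gbps": bus_bandwidth_bps(64, 66.66e6) / 1e9,
        # 1 Gbit/s at 500-byte frames (the "250,000 PPS" figure in the thread)
        "gige_pps_500B": link_pps(1e9, 500),
        # 1 Gbit/s at minimum-size frames: the classic 1.488 Mpps
        "gige_pps_64B": link_pps(1e9, 64),
        # what the OP's target of 300 Mbit/s at 500k pps means per packet
        "op_target_packet_bytes": avg_packet_bytes(300e6, 500e3),
        # SYN flood at the OP's target rate against the default and the
        # suggested state table size
        "fill_default_s": state_table_fill_seconds(
            PF_DEFAULT_MAX_STATES, 500e3, PF_TCP_FIRST_TIMEOUT_S),
        "fill_3M_s": state_table_fill_seconds(
            PF_SUGGESTED_MAX_STATES_4GB, 500e3, PF_TCP_FIRST_TIMEOUT_S),
    }


if __name__ == "__main__":
    for name, value in thread_numbers().items():
        print(f"{name:24s} {value}")
```

Two things the numbers make visible. The 250,000 pps quoted above ignores the 20 bytes of preamble and inter-frame gap per frame; with them, 1 Gbit/s at 500-byte frames is about 240,000 pps, and at 64-byte frames about 1.49 Mpps. The original poster's own target, 300 Mbit/s at 500,000 pps, works out to 75-byte packets, which is near the minimum frame size; that is the regime where per-packet cost (interrupts, rule evaluation, state lookup) rather than bus bandwidth limits a firewall. On the state table, a flood of 500,000 new connections per second fills 10,000 states in 20 ms and 3,000,000 states in 6 s, so raising the limit removes the immediate exhaustion the last reply describes but does not by itself make the box survive that attack rate.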