Pfsense bridging?

wyn · Jan 15, 2010, 11:56 AM

Hello all,

Is it correct that pfsense no longer supports bridging modus?
I'm trying to create a bridging firewall that can handle approx. 1.000.000 concurrent connections, any ideas?

Best regards,

Wyn

GruensFroeschli · Jan 15, 2010, 12:14 PM

Where did you read that pfSense doesn't support bridging?

If you expect 1e6 connections i would see to it that the machine has a lot of RAM.

@http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49:

Large state tables - State table entries require about 1 KB of RAM each. The default state table, when full at 10,000 entries, takes up a little less than 10 MB RAM. For large environments requiring state tables with hundreds of thousands of connections, ensure adequate RAM is available.

wyn · Jan 15, 2010, 2:27 PM

Thanks for your reply GruensFroeschli!

I'm not sure where i read this, i thought someone recommended m0n0wall for bridging.
Any idea how to set it up? Do i need 3 network interfaces to get it working? (One NIC for the web interface?)

Also, how many RAM would you recommend for 1.000.000 concurrent connections?

Thanks,

Wyn

GruensFroeschli · Jan 15, 2010, 3:01 PM

The reasons behind recommending m0n0wall are usually: "less ressource hungry".

The optimum would be to set it up with 3 interfaces.
2 work also, but you have to bind the webinterface to one.

Did you read the link i posted above?
If you expect 1e6 concurrent connections i would add 2GB of RAM.
1GB is used for the states, 512 MB for states going over the expected 1e6 connections, about 128MB for the system itself, leaves 384 MB free for packages and other stuff.
What kind of traffic are you expecting to push?
100Mbit? 1Gbit?
Don't forget to have an adequate CPU.
Make sure you have proper NICs (realtek is crap).
Try to get some Intel NICs.

wyn · Jan 15, 2010, 3:56 PM

Thanks again! you helped me a great deal..
I'm running some tests now on old hardware.. when it's working fine i'm gonna think about purchasing an appliance (http://www.applianceshop.eu/index.php/firewalls/opnsense-hd-rack-edition-19-pfsense-appliance.html).

GruensFroeschli · Jan 15, 2010, 4:05 PM

What you posted is an ALIX in a rackmount case.
Underpowered by about a factor of 10.
From your descriptions you're looking for a full-blown multi GHz server.

Can you maybe elaborate what you're trying to achieve?
It sounds to me as if you're not clear yourself what you want.

wyn · Jan 19, 2010, 2:43 PM

Hello GruensFroeschli,

I'm trying to replace an existing FreeBSD filtering bridge with an 'out of the box' solution like pfsense. The reason i want to replace the existing bridge is because alot of downtime was caused last year because of typos in (IPFW) rule sets.

The current box has a throughput of about 60mb/s continously. So my goal is to replace this machine with a more easy to manage interface, with hardware that performs the same or better as the current box.

Thanks,

Wyn

valnar · Jan 19, 2010, 3:21 PM

You should be looking at a modern Core2Duo server with Intel NIC's to achieve that many connections.

jimp · Jan 20, 2010, 5:07 AM

At a minimum, 1,000,000 states would be about 1GB of RAM, which rules out most embedded devices. And since other processes need RAM too, you can't just use 1GB of RAM, you'd be better off with 2GB (since RAM is cheap these days).

Depending on the throughput, you may need a more powerful CPU. If you're just talking about 100Mbit or so, an atom-based box might do the job. If you want to push closer to 1Gbit, you might need something with a couple GHz to it.

wyn · Jan 20, 2010, 9:34 AM

Thanks all,

Now i'm still struggling with trying to create a bridge.. :/