Help Create a 500Mbps+ pfSense Firewall Box
-
I'm looking to create a pfSense box that will be used as a firewall along with other features such as VPN and Snort.
It'll need to handle 500Mbps+ throughput and stand up against a good possible number of DDoS attacks if they happen. So what I'm trying to figure out is what sort of hardware I should decide on purchasing to get this job done. I don't mind using Supermicro hardware at all, but I would like to try and keep things around $1000 or less to build this system if possible.
Right now I was debating using an old HP DL360 G4 server with 2GB of RAM and dual Xeon 2.8GHz CPUs with a PCI-X Intel quad-port NIC installed in it, but someone told me that it wouldn't hold up to what I was wanting. I'm not so sure of that after reading a few threads on this forum.
Anyways, happy to entertain suggestions and ideas of all sorts for this build.
Thanks!
-
You may want to review the sizing page and the other hardware pages.
Note that you can't build a single box to mitigate a DDoS attack of any significance - all they have to do is use more bandwidth than you have (and there are various other approaches they can use).
-
@Cry:
You may want to review the sizing page and the other hardware pages.
Note that you can't build a single box to mitigate a DDoS attack of any significance - all they have to do is use more bandwidth than you have (and there are various other approaches they can use).
I have read the "sizing page" and it says 3GHz+ for 500+ Mbps, but will it handle 50,000+ connection states without having issues? And if not, how can it be resolved, or is this beyond pfSense's capabilities?
-
I have read the "sizing page" and it says 3GHz+ for 500+ Mbps, but will it handle 50,000+ connection states without having issues? And if not, how can it be resolved, or is this beyond pfSense's capabilities?
The sizing figures don't include VPN, and your Netburst Xeons ain't exactly fast. pfSense isn't quite multithreaded (for lack of a more appropriate term), so having 2 of the Xeons basically doesn't help too much.
The second core might help with Snort, but mostly you'll need external cryptographic accelerators to hit that kind of performance on VPN.
Also, the DDoS portion doesn't quite work the way you expect it to. Snort with properly done-up rules can help protect the servers behind the firewall. It doesn't stop a DDoS from completely overwhelming your connection, though (since the box can only stop the packets and drop them after they reach it).
Proper DDoS protection requires you to have multiple layers of firewall preceding the servers, and somewhere higher up you'd still need the units to switch the routes to other links that are not saturated.
-
An Atom is generally regarded as capable of 200Mbps or more throughput without other things (Snort, VPN) taking away from the CPU.
When you first run pfSense it will set the state table size, I think based on the amount of system RAM present. On my net5501 with 512MB RAM it is set to 48,000. On my SM server with 4GB it is in the neighbourhood of 400,000. You can change this value any time.
-
Only 10,000 on my P4, 512MB system.
-
I use mine on ESXi 4 and there is a significant performance increase to be seen when using 2 cores...
I haven't seen "the roof" yet on the box...
-
It defaults to 10,000 on 1.2.3; only in 2.0 does it actually vary (conservatively) according to the amount of system memory. You can, of course, change the value.
For example, I have a Conroe Celeron @ 1.2GHz w/ 1GB of RAM and changed the default value to 500,000. Bear in mind that I don't run any packages - just using it as a NAT router with an oversized state table & HFSC (main reason why I didn't go for SoC-based stuff like MikroTik or running Vyatta for that matter). Running 3 torrents on one client, I managed a little over 130,000 states but the unit is holding up well:
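-
Since much of this thread turns on how many states the box can hold before it runs out, here is an added example (not code from any poster) of a small POSIX shell check that reads the state hard limit from `pfctl -s memory` and the current entry count from `pfctl -s info`, then flags the table when it is nearly full. Both command outputs are constructed samples here so the check runs off the firewall; on a live box you would feed it the real output of those two commands.

```shell
#!/bin/sh
# Added example, not from the thread: estimate how full the pf state table is.
# On a live pfSense box the two strings below would be the output of
#   pfctl -s memory   and   pfctl -s info   (constructed samples here).

SAMPLE_MEMORY='states        hard limit   10000
src-nodes     hard limit   10000
frags         hard limit    5000
tables        hard limit    1000
table-entries hard limit  200000'

SAMPLE_INFO='Status: Enabled for 3 days 04:12:09           Debug: Urgent
State Table                          Total             Rate
  current entries                     8734
  searches                        91283712         342.0/s
  inserts                          4123987          15.5/s
  removals                         4115253          15.4/s'

# Hard limit on states, read from "pfctl -s memory" output on stdin.
state_limit() {
    awk '$1 == "states" { print $NF }'
}

# Current number of state entries, read from "pfctl -s info" output on stdin.
state_current() {
    awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# Integer percentage of the table in use; fails if no limit could be parsed.
state_usage_pct() {
    limit=$(printf '%s\n' "$1" | state_limit)
    current=$(printf '%s\n' "$2" | state_current)
    [ "$limit" -gt 0 ] 2>/dev/null || return 1
    echo $(( current * 100 / limit ))
}

# Succeeds while usage is below the threshold (default 80%), fails otherwise.
state_table_ok() {
    use=$(state_usage_pct "$1" "$2") || return 1
    [ "$use" -lt "${3:-80}" ]
}

# Stand-alone run against the constructed samples.
pct=$(state_usage_pct "$SAMPLE_MEMORY" "$SAMPLE_INFO")
if state_table_ok "$SAMPLE_MEMORY" "$SAMPLE_INFO" 80; then
    echo "state table ${pct}% full: ok"
else
    echo "state table ${pct}% full: near the hard limit, raise it or investigate" >&2
fi
```

Run it from cron and alert on the non-zero exit; a table that sits near the hard limit under normal load is the sign that the default (10,000 on 1.2.3) needs raising before a burst of connections starts getting dropped.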