Pfsense: the post install optimisations thread
-
After my normal thing of looking around for different ways of making pfSense run better, and casually mentioning it in a few threads where I had asked for help on a few issues, I got asked if I would put a thread together to help out everyone else with what it is I had found, tested & am currently running at home.
Of course, this thread isn't just for me to pass on what I have found about pfSense & optimising it for the hardware/connection, it's also for YOU, to be able to share what it is you've seen, what tips you've found, so that new users who install this lovely firewall distro have something to sit down and read/try out on their boxen.
As most of the paperwork for my stuff is at home as well, and I'm starting this thread at work (LOL, NAUGHTY!), I will update it a bit more with some of the links to various sites & forum threads. Everything will be in a category, so ones for networking in a separate bit to FS, and so on.
If anyone else has anything to add now, before I get home tonight, feel free, let's get this thread started :)
WARNING:
The tweaks/changes contained within the following posts are for ADVANCED users only. If you do not feel confident changing configuration files, or don't want to potentially break your machine (it would be a very, very, very rare occurrence, but it could happen), then please do NOT attempt any of the changes contained within.
As per cmb's post below:
"We provide optimized defaults best suited for the vast majority of users. Squid items aside, nearly no one should touch any of the things mentioned in the above post, if they were good options they would be enabled by default."
You are free to make these changes if YOU SO CHOOSE. But neither I nor the pfSense team can be held liable if something goes wrong. If the machine gets up and walks, it ain't my problem, if it decides to leave you for another server, I'm not to blame for that either, lol
-
Network
This particular section is somewhat of a favourite. The network tweaks contained within can either be manually adjusted with PuTTY (ssh), or through the console if you have a keyboard attached to the server. I personally adjust them manually, then add them to /boot/loader.conf
http://spatula.net/blog/2007/04/freebsd-network-performance-tuning.html
Squid
Like everyone, I've inevitably added Squid, and ever since been obsessed with trying to fine-tune it and improve its HIT/MISS ratio. The first of a few links, over the coming days, will be in regards to Squid, and making it as snappy & useful as possible.
http://areyousecure.blogspot.com.au/2009/12/pfsense-speed-up-transparent-squid.html
http://doc.pfsense.org/index.php/Squid_Package_Tuning
Kernel
Like a lot of things, kernel polling is somewhat YMMV. Without me going into detail, it is best described by the following URL:
http://www.freebsd.org/cgi/man.cgi?query=polling&sektion=4
I do have a few other links on my other system regarding polling, so I will add them over the coming days.
Security
Here's another good guide for how to make pfSense function as what Untangle does (UTM):
http://www.smallnetbuilder.com/security/security-howto/31433-build-your-own-utm-with-pfsense-part-1
&
http://www.smallnetbuilder.com/security/security-howto/31451-build-your-own-utm-with-pfsense-part-2?start=3
&
http://www.smallnetbuilder.com/security/security-howto/31468-build-your-own-utm-with-pfsense-part-3
Wireless
Kind of stumbled across this as I was searching for a better wireless network card for my box than the Atheros one I have now; thought it would prove useful for all.
https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdHgwYkFHbkRUdV9hVWljVWl5SXkxbFE&hl=en#gid=0
-
Great to get everything documented somewhere. :)
You should use /boot/loader.conf.local (create the file). loader.conf gets overwritten during a firmware update, but loader.conf.local is carried across.
I can say, having played about with it, that I would definitely not enable device polling. It increased throughput by a barely measurable amount but reduced everything else (webGUI, SSH, etc.) to a crawl. Of course, YMMV! My own box is relatively low powered and has 10 NICs. There are quite a few threads here on the forum in which people's problems have been solved by disabling device polling.
Steve
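Steve's advice above (put tunables in /boot/loader.conf.local so a firmware update does not wipe them) in practice, as an added example that is not from this thread or from pfSense itself: a small POSIX shell helper that sets a loader tunable in such a file idempotently, so re-running it updates the existing line instead of appending a duplicate, plus a reader and a counter you can use to verify the result. The tunable name kern.ipc.nmbclusters and the values are illustrative only, and the demo runs against a scratch file created with mktemp, so nothing under /boot is touched until you point CONF at the real file yourself.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently manage loader tunables in a
# loader.conf-style file. Repeated runs update the existing KEY line rather
# than appending another copy. The functions take the file path explicitly so
# they can be exercised on a scratch file before touching /boot/loader.conf.local.

set -u

# Default target, as recommended in Steve's post; only used if you pass it in.
CONF=/boot/loader.conf.local

# escape_key KEY  -> KEY with regex-special dots escaped for grep/sed patterns
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_tunable FILE KEY VALUE
#   Ensure FILE contains exactly one active line KEY="VALUE".
#   Commented-out lines (#KEY=...) are left untouched.
set_tunable() {
    file=$1; key=$2; value=$3
    esc=$(escape_key "$key")
    [ -f "$file" ] || : > "$file"
    tmp="${file}.tmp.$$"
    # Drop any existing assignment of KEY, then append the new one.
    grep -v "^${esc}=" "$file" > "$tmp" || true
    printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_tunable FILE KEY
#   Print the value assigned to KEY (surrounding quotes stripped), or nothing.
get_tunable() {
    file=$1; key=$2
    esc=$(escape_key "$key")
    [ -f "$file" ] || return 0
    sed -n "s/^${esc}=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p" "$file" | tail -n 1
}

# count_tunable FILE KEY
#   Number of active assignments of KEY in FILE; after set_tunable it is 1.
count_tunable() {
    file=$1; key=$2
    esc=$(escape_key "$key")
    [ -f "$file" ] || { echo 0; return 0; }
    grep -c "^${esc}=" "$file" || true
}

# Demo on a scratch file: the second call overwrites, it does not duplicate.
demo() {
    scratch=$(mktemp)
    set_tunable "$scratch" kern.ipc.nmbclusters 131072   # illustrative value
    set_tunable "$scratch" kern.ipc.nmbclusters 262144   # illustrative value
    echo "nmbclusters=$(get_tunable "$scratch" kern.ipc.nmbclusters)" \
         "count=$(count_tunable "$scratch" kern.ipc.nmbclusters)"
    cat "$scratch"
    rm -f "$scratch"
}

demo
```

To apply a change for real, call `set_tunable "$CONF" <key> <value>` as root and reboot; loader tunables are read at boot, so `get_tunable` confirms what the file will set, not what the running kernel currently uses.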
-
I've edited part of the post to include some of what you mentioned, Stephen; I'll fix up the rest and add some more as I go along.
-
We provide optimized defaults best suited for the vast majority of users. Squid items aside, nearly no one should touch any of the things mentioned in the above post, if they were good options they would be enabled by default.
The Squid items are outside of that, those are reasonable. I'm talking about OS-related settings. The FreeBSD links are for a vastly different kind of usage that isn't relevant to best options for a firewall's workload, and is outdated with current FreeBSD versions.
The only scenario where I would recommend touching anything post-install is with high load (datacenter class) installs with bce, bge or igb NICs, as described here:
http://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards
-
Thanks for the additions cmb ;D
I included the security stuff as a bit of a good read, but if you think it's best off me taking that link down, I can.
EDIT: FBSD Security option taken down
EDIT2: Caveat added to post. And FYI cmb, these links are mainly there for those people who find they want to get just that little bit more out of their setup, or, like myself, want everything to work in harmony.
I know it's a case of "If it ain't broke, don't fix it", I know that for sure. But myself, I live by a different philosophy at times: "If it ain't broke, you ain't tweaked it right".
Mind you, I've been dealing with FreeBSD/Linux stuff for long enough that I don't mind a bit of pain every now and then; knowledge is power ;D
-
It's not about getting a "little bit more out of their setup", the defaults do that. Part of the stuff you're linking will actually reduce performance and increase latency in almost all circumstances (polling will), or, like the network post that's 5 years old, is extremely outdated and is focused on a very specific workload that has no relevance to a firewall's workload.
You're likely to either reduce performance or break things if you start mucking with such settings, there isn't a magic "go faster" knob there that we don't turn for you and leave you to hunt down. If you want to push buttons, more power to ya, just know what you're actually doing and whether it's a good idea and don't be surprised if you make things worse or break something.
-
Oh, I realise that cmb, believe you me.
But my nature for the past 15 years has been to get the most out of something. I can't leave something at default. I install it stock for the first few days, then I basically, shall we say... attack it with a scalpel.
I'll experiment a lot, try a lot of things out. I'll break stuff, just to see what I need to do to fix it. I don't make myself out to be someone I'm not, but I enjoy being who I am, which is someone who loves getting the most out of whatever it is I get my hands on.
Hence why I also added the caveat to the first post. It's a way of saying YMMV: something which may work for me may not work for someone else.
There's also a lot more I'd like to do to this system, but I can't seem to find any documentation anywhere for how to do it. Windows & Linux do get boring after a little while, lol ;D. I'd been on and off using BSD, but it had something different I couldn't shake. Hence why I inevitably returned to it (in some way hehehe)
-
"I included the security stuff as a bit of a good read"
Which it was, thanks! :)
For some additional reading, check out the reading room:
http://devwiki.pfsense.org/ReadingRoomSteve
-
Nice add, Stephen ;D
I just updated the main post with another one regarding wireless NICs, which I thought useful for people setting up an AP inside pfSense.