Netgate Discussion Forum

    Feedback on a large pfsense deployment

      ucbn.dsi

      Hello,
      We are a University with approximately 30 000 users.
      Today, we have 2 Cisco FWSM with the following specifications:

      • 500 NAT rules
      • 2000 filter rules
      • 2 Gbit/s of bandwidth

      We plan to replace our edge Internet firewall with a pfSense installation with Snort.
      Does anyone have feedback on such an installation?
      And in this case, what kind of hardware is supported and what are the technical limits in terms of bandwidth?

      Thank you for your help.

        Supermule

        :D I think you should hire a professional for this job. :)

          ucbn.dsi

          We already have in production:

          • 2 pfSense 2.1 in failover mode for the Eduroam network (https://www.eduroam.org/) with 1000 simultaneous users (200 Mbit/s)
          • 2 pfSense 2.1 in failover mode for one department, with inter-VLAN filtering and dual-stack (v4/v6)
          • 1 pfSense 2.1 with captive portal and Snort enabled

          Does anyone have feedback?

          Thank you for your help.

            Nachtfalke

            In other threads which discuss hardware requirements for such a deployment, it seems that CPU load is not always the "problem". You probably need an up-to-date server CPU to handle 2 Gbit/s, but what could be important is how many simultaneous connections/states the firewall needs to handle. In your environment this will probably need a lot of memory. So perhaps provide some information about the states.

            As far as I know, on pfSense 2.1 the firewall rules/states can still be handled by one CPU only. This means that a multicore CPU will not improve performance focused on NAT/firewall, but it will probably help you to handle the Snort processes.

            This is probably something you have read:

            http://doc.pfsense.org/index.php/Hardware_requirements#High_Throughput_Environments
            http://www.pfsense.org/index.php@option=com_content&task=view&id=52&Itemid=49.html

            So probably a server CPU with more than 3 GHz and quality server network cards.
            For RAM, this could be a basis for calculation:

            10,000 entries take up a little less than 10 MB of RAM

            You probably already knew this, but I just want to make sure you have this information.

              dhatz
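As an added example (not from the thread or from pfSense itself), a small Python script that pulls the two figures Nachtfalke asks about, current states and the configured state limit, out of `pfctl -si` and `pfctl -sm` output and applies the quoted rule of thumb of roughly 1 KB per state; the `pfctl` samples below are constructed, not captured from a real box.

```python
import re

# Assumption: the thread's rule of thumb (10,000 entries ~ 10 MB) => ~1 KB per state.
BYTES_PER_STATE = 1024

# Constructed sample of `pfctl -si` output (FreeBSD/pfSense 2.x layout).
SAMPLE_PFCTL_SI = """\
Status: Enabled for 3 days 04:11:09           Debug: Urgent
State Table                          Total             Rate
  current entries                   184320
  searches                      9876543210         12345.6/s
"""

# Constructed sample of `pfctl -sm` output (configured memory limits).
SAMPLE_PFCTL_SM = """\
states        hard limit   200000
frags         hard limit     5000
table-entries hard limit   200000
"""


def parse_current_states(si_output):
    """Return the 'current entries' count from `pfctl -si` text."""
    m = re.search(r"^\s*current entries\s+(\d+)\s*$", si_output, re.M)
    if not m:
        raise ValueError("no 'current entries' line found in pfctl -si output")
    return int(m.group(1))


def parse_state_limit(sm_output):
    """Return the 'states hard limit' from `pfctl -sm` text."""
    m = re.search(r"^states\s+hard limit\s+(\d+)\s*$", sm_output, re.M)
    if not m:
        raise ValueError("no 'states hard limit' line found in pfctl -sm output")
    return int(m.group(1))


def state_table_report(si_output, sm_output, bytes_per_state=BYTES_PER_STATE):
    """Combine both outputs into utilisation and estimated RAM figures."""
    current = parse_current_states(si_output)
    limit = parse_state_limit(sm_output)
    return {
        "current_states": current,
        "state_limit": limit,
        "utilisation": current / limit,               # 1.0 means the table is full
        "estimated_mb": current * bytes_per_state / 2**20,
        "limit_mb": limit * bytes_per_state / 2**20,  # RAM if the limit is reached
    }


if __name__ == "__main__":
    print(state_table_report(SAMPLE_PFCTL_SI, SAMPLE_PFCTL_SM))
```

On a live box, feed it the real output of `pfctl -si` and `pfctl -sm`; a utilisation near 1.0 means new connections are being dropped for lack of state entries, not for lack of CPU.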

              @ucbn.dsi:

              We are a University with approximately 30 000 users.
              Today, we have 2 Cisco FWSM with the following specifications:

              • 500 NAT rules
              • 2000 filter rules
              • 2 Gbit/s of bandwidth

              We plan to replace our edge Internet firewall with a pfSense installation with Snort.

              The bandwidth requirement can certainly be met; with a little googling you can find many reports of people doing it, e.g.:

              "We use Pfsense to push 6+GBps most of the working day. Not a big deal - pair of Supermicro E3 boxes with Intel 10 gig-e and off to the races. They are in a HA pair and simply just work. We use the excellent Pfblocker package to blacklist a bunch of known scumbags.

              Pfsense has saved us $10's of thousands in retiring 5580's and SMARTNet."

              http://arstechnica.com/civis/viewtopic.php?f=10&t=1173665

              However, since the pf packet filter is still under the GIANT lock on FreeBSD 8.3 (used by pfSense 2.1), depending on how expensive your NAT and firewall rules are, you may have to put Snort on a different system.

              pfSense 2.2 will be based on FreeBSD 10 and SMP pf.

                cmb

                Snort is a beast in itself and something at large scale better done on separate systems (and also in combination with related tools for full scale NSM - see Security Onion). Especially since at large scale it can tend to run away with all the hardware resources of the box it's running on, so keeping it separate prevents it from dragging down your entire network.

                There are plenty of people doing similar to what you're looking at there. I'd just run Security Onion rather than Snort on the firewall.

                  dhatz

                  @cmb:

                  I'd just run Security Onion rather than Snort on the firewall.

                  I guess he's trying to achieve some sort of IPS-like functionality, where the triggering of a Snort rule not only creates an alert but also dynamically adds the offending IP(s) to the firewall's block-list, similar to what is (at long last ;-) offered by pfSense's Snort-package.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.