Building new Firewall for 20~30K users @ 1Gbps
-
Unless I'm reading this wrong, you are going to need a cluster… Forget about a single computer handling this.
Is that 1 Gbps each? Or total?
My initial read is that you want to start an ISP or something.
-
Total of course.
ISP? Nah, I had this back in 1995.
-
Ahhhh - Your memory is fine. i5 will be fine. I'm not sure what 20 thousand or 30 thousand users will do to this box…
Unless I misinterpreted the meaning of "k" today...
-
I see. I was even looking at Xeons. :)
Actually it will be light hosting and other services, but not access (like an ISP).
So in reality I can see up to 5000 users using it at the same time as a max, even with 30,000 users.
But since I like to go safer, I even imagine 10,000 users using it at the same time.
Of course, will use SSDs too.
-
Well - Will you be adding a bunch of processor-heavy add-on packages to this?
-
Don't think so, will just run Snort, pfBlocker, and probably LCDproc too.
-
Ohhhh well - So long as it's just 30K users + SNORT, you should be fine with a small one core Alix system. :P
If you were going to do something processor intensive, I was going to recommend going with a couple SSDs in a RAID for cache, several NICs to split up the user load and a core i7 or better… I might also allocate 7% of whatever disk cache I run in RAM. (You should run squid)
Edit by mod: This post should not be taken seriously.
-
I see. Nice to know even a little puppy can handle it.
-
That was pure dripping sarcasm. SNORT is a processor pig…
-
Are these people all going to be getting their system updates using this pfsense you are building as their internet access?
I don't normally give a lot of thought to HDD type for a pfsense build, but with so many users, cache + really really really speedy drives just seems like a must have.
-
Yes, 1Gbps throughput with Snort is going to require serious thinking. It's way outside my experience but there was a thread with some useful info about this recently.
http://forum.pfsense.org/index.php/topic,65462.msg355969.html#msg355969
Steve
-
Are these people all going to be getting their system updates using this pfsense you are building as their internet access?
I don't normally give a lot of thought to HDD type for a pfsense build, but with so many users, cache + really really really speedy drives just seems like a must have.
Actually it is to protect the server and, of course, guarantee the service quality.
-
Yes, 1Gbps throughput with Snort is going to require serious thinking. It's way outside my experience but there was a thread with some useful info about this recently.
http://forum.pfsense.org/index.php/topic,65462.msg355969.html#msg355969
Steve
Nice find, too bad he didn't mention which CPU (and how many), only the NIC.
Looks like E3-1275 v3 is good enough for 5Gbps (real speed).
Last Snort version is 2.9.5.3, I wonder if we'll see that on pfSense.
-
For 20-30K users, my recommendation is to go with server grade hardware with dual Xeon CPUs, 16GB RAM, RAID 10 (if possible) for redundancy. For that many users I highly recommend Squid and Snort. No matter what anyone says.. you need Snort for ensuring your network is not being attacked and the security of the users is not compromised along with the entire network. Add dansguardian with clamd for virus protection and you should be in good shape. You can experiment with pfBlocker if need be.
And yes kejianshi is right.. you would definitely need a cluster as you cannot depend on one single piece of hardware for 20K+ users. Load balancing is something that you would need to look at.
-
asterix - I'm a bit unclear on how well the firewall process and a few other things work across multiple cores on pfsense?
That got me wondering if 4x 2 core pfsense VMs would better utilize 8 cores than a single pfsense with 8 cores at its disposal?
I don't know? Never tried to scale pfsense very big, but I know some have.
-
asterix - I'm a bit unclear on how well the firewall process and a few other things work across multiple cores on pfsense?
The packet filter is currently single threaded but apps can run in parallel with it.
-
Yeah - That's what I thought. What's the best scheme to get the most out of the processors/cores available if packet filtering is the primary load?
-
Forgot to add.. yes since it's multiple cores.. the best way to deploy this would be on ESX and multiple VMs as clusters.. on separate hosts.
-
Hmmm - I'd like to see how this turns out. Sounds ambitious. I'm pretty sure pfsense can tackle it.