Netgate Discussion Forum

    Building new Firewall for 20~30K users @ 1Gbps

      Gradius

      Don't think so, will just run Snort, pfBlocker, and probably LCDproc too.

        kejianshi

        Ohhhh well - So long as it's just 30K users + SNORT, you should be fine with a small one core Alix system.  :P

        If you were going to do something processor intensive, I was going to recommend going with a couple SSDs in a RAID for cache, several NICs to split up the user load and a core i7 or better…  I might also allocate 7% of whatever disk cache I run in ram.  (You should run squid)

        Edit by mod: This post should not be taken seriously.

          Gradius

          I see.  Nice to know even a little puppy can handle it.

            kejianshi

            That was pure dripping sarcasm.  SNORT is a processor pig…

              kejianshi

              Are these people all going to be getting their system updates using this pfsense you are building as their internet access?
              I don't normally give a lot of thought to HDD type for a pfsense build, but with so many users, cache + really really really speedy drives just seems like a must have.

                stephenw10 Netgate Administrator

                Yes, 1Gbps throughput with Snort is going to require serious thinking. It's way outside my experience but there was a thread with some useful info about this recently.
                http://forum.pfsense.org/index.php/topic,65462.msg355969.html#msg355969

                Steve

                  Gradius

                  @kejianshi:

                  That was pure dripping sarcasm.  SNORT is a processor pig…

                  Figured it could be.  :P  8)

                    Gradius

                    @kejianshi:

                    Are these people all going to be getting their system updates using this pfsense you are building as their internet access?
                    I don't normally give a lot of thought to HDD type for a pfsense build, but with so many users, cache + really really really speedy drives just seems like a must have.

                    Actually it is to protect the server, and of course, guarantee the service quality.

                      Gradius

                      @stephenw10:

                      Yes, 1Gbps throughput with Snort is going to require serious thinking. It's way outside my experience but there was a thread with some useful info about this recently.
                      http://forum.pfsense.org/index.php/topic,65462.msg355969.html#msg355969

                      Steve

                      Nice find, too bad he didn't mention which CPU (and how many), only the NIC.

                      Looks like E3-1275 v3 is good enough for 5Gbps (real speed).

                      Last Snort version is 2.9.5.3, I wonder if we'll see that on pfSense.

                        asterix

                        For 20-30K users, my recommendation is to go with server grade hardware with dual Xeon CPUs, 16GB RAM, RAID 10 (if possible) for redundancy. For that many users I highly recommend Squid and Snort. No matter what anyone says.. you need Snort for ensuring your network is not being attacked and the security of the users is not compromised along with the entire network. Add dansguardian with clamd for virus protection and you should be in good shape. You can experiment with pfBlocker if need be.

                        And yes kejianshi is right.. you would definitely need a cluster as you cannot depend on one single piece of hardware for 20K+ users. Load balancing is something that you would need to look at.

                          kejianshi

                          asterix - I'm a bit unclear on how well the firewall process and a few other things work across multiple cores on pfsense?

                          That got me wondering if 4x 2-core pfsense VMs would better utilize 8 cores than a single pfsense with 8 cores at its disposal?

                          I don't know?  Never tried to scale pfsense very big, but I know some have.

                            wallabybob

                            @kejianshi:

                            asterix - I'm a bit unclear on how well the firewall process and a few other things work across multiple cores on pfsense?

                            The packet filter is currently single threaded but apps can run in parallel with it.

                              kejianshi

                              Yeah - That's what I thought.  What's the best scheme to get the most out of the processors/cores available if packet filtering is the primary load?

                                asterix

                                Forgot to add.. yes since it's multiple cores.. the best way to deploy this would be on ESX and multiple VMs as clusters.. on separate hosts.

                                  kejianshi

                                  Hmmm - I'd like to see how this turns out.  Sounds ambitious.  I'm pretty sure pfsense can tackle it.

                                    stryfe

                                    I think you'll be ok with a dual Xeon server..  The VM idea would be good too but that would involve a lot more cost.

                                      kejianshi

                                      Costs?  Describe please?

                                        stryfe

                                        Cost of doing a single machine to handle the load versus the hardware to handle multiple instances plus the cost of VM software itself.  I'm sure that would work great but would it be cost effective?  You would just have to break down the cost and see what would be the best options.

                                          kejianshi

                                          I see - Couldn't do it with vSphere for free?

                                          http://www.google.com/url?sa=t&rct=j&q=vsphere%20pfsense&source=web&cd=2&ved=0CDMQFjAB&url=http%3A%2F%2Fwww.vmsources.com%2Fresources%2Fdoc_download%2F38-installing-pfsense-in-vsphere-esxi&ei=pS4lUuWUEcLc2QXS_oCwBQ&usg=AFQjCNExtgqa942vB1q4SW-IfJ-Ndx2UQg&cad=rja

                                          Edit - (I initially said Hyper-V - Obviously I was being scatter brained)

                                          Anyway - I know that 32 bit instances of pfsense 2.1 run well on ESXi.
                                          I did have some issue with the 64bit version, but only when using more than 4 WAN IPs. 
                                          It was perhaps a glitch in that particular snapshot and may already be resolved.  Not sure.
                                          I haven't played as much with 2.1 as I'd like yet.

                                            stryfe

                                            I don't believe vSphere is free.  I know pfsense offers an install instance you can easily install into a VM environment. But the actual VM software itself I don't believe is free.
