Building new Firewall for 20~30K users @ 1Gbps

wallabybob

@kejianshi:

asterix - I'm a bit unclear on how well the firewall process and a few other things work across multiple cores on pfsense?

The packet filter is currently single threaded but apps can run in parallel with it.

kejianshi

Yeah - Thats what I thought.  Whats the best scheme to get the most out of the processors/cores available if packet filtering is the primary load?

asterix

Forgot to add.. yes since its multiple cores.. the best way to deploy this would be on ESX and multiple VMs as clusters.. on separate hosts.

kejianshi

Hmmm - I'd like to see how this turns out.  Sounds ambitious.  I'm pretty sure pfsense can tackle it.

stryfe

I think you'll be ok with a dual xeon server..  The VM idea would be good too but that would involve a lot more cost.

kejianshi

Costs?  Describe please?

stryfe

Cost of doing a single machine to handle the load versus the hardware to handle multiple instances plus the cost of VM software itself.  I'm sure that would work great but would it be cost effective?  You would just have to break down the cost and see what would be the best options.

kejianshi

I see - Couldn't do it with Vsphere for free?

http://www.google.com/url?sa=t&rct=j&q=vsphere%20pfsense&source=web&cd=2&ved=0CDMQFjAB&url=http%3A%2F%2Fwww.vmsources.com%2Fresources%2Fdoc_download%2F38-installing-pfsense-in-vsphere-esxi&ei=pS4lUuWUEcLc2QXS_oCwBQ&usg=AFQjCNExtgqa942vB1q4SW-IfJ-Ndx2UQg&cad=rja

Edit - (I initially said Hyper-V - Obviously I was being scatter brained)

Anyway - I know that 32 bit instances of pfsense 2.1 run well on ESXi.
I did have some issue with the 64bit version, but only when using more than 4 WAN IPs. 
It was perhaps a glitch in that particular snapshot and may already be resolved.  Not sure.
I haven't played as much with 2.1 as I'd like yet.

stryfe

I don't believe vSphere is free.  I know pfsense offers an install instance you can easily install into a VM environment. But the actual VM software itself I don't believe is free.

kejianshi

http://www.vmware.com/products/vsphere-hypervisor/

stryfe

Learn something new everyday lol!  If that's the case then all you'll have is hardware at that point and from there you can maybe setup pfsesnse in a load balance type setup.

stryfe

On another note I've found what I'm going to install on my new server I'm going to buy.

kejianshi

And that is?

maverick_slo

ESXi 5.X free hypervisor :)
At least this is how I imagine what he ment :)

stryfe

Yep!!  I already use it at work for 2 or 3 test machines and since it's free and I have licenses for all the server OSes may as well take advantage of it. :)

kejianshi

Good deal.

stryfe

This has got me wondering now how pfsense can be integrated into this with a load balancing type configuration.  That would be an ideal solution.

kejianshi

There are tons of links here and there on the subject of pfsense / cluster / carp / load balance.  Etc Etc.

I haven't tested any of them, but they should work in VM just fine if they work in physical machines.

stryfe

Ha I need to search more but you're right if they work in physical they should work in virtual and better actually.