Hardware Available at the pfSense Store
-
I'm not sure what they mean by "connections / sec".
Typically this is a web server metric.
A dual Intel Xeon X5670 (2 * 6 cores @ 2.93 GHz, 2 threads per core) with 24GB of RAM will do 500K connections/sec to nginx.
I've not measured it, but the C2758 cores each benchmark pretty close to a 5600 series ("Westmere") Xeon. The C2758 only has 8 cores (not 12 in the system above) and they each run at 2.4 GHz, not 2.9 GHz, but overall, I'd bet the C2758 can do at least 400K connections/sec in a similar benchmark.
Maybe they mean new connections / second to the IPsec endpoint. We haven't measured it.
If they mean packets per second (pps), then that number sucks by comparison. In an untuned state, the hardware will run 585Kpps per interface without the overhead of pf. Those are minimum-sized (64 byte) packets.
With a bit of tuning, and a single stateful rule installed in the packet filter, the rate goes up to nearly 800Kpps.
Their IMIX is oddly stated at 1280 byte UDP packets. That's not mixed. Typical firewall vendor BS.
http://en.wikipedia.org/wiki/Internet_Mix
Assuming an IMIX of PPS * ( 7*(40+14) + 4*(576+14) + 1*(1500+14) )/12*8, the IMIX throughput for this is 2.267Gbps, which, you will note, is faster than the interfaces. This shatters the quoted IMIX throughput for the Sonicwall NSA 2400 (235 Mbps).
And we're after far (far) more. Stay tuned. I LOVE this hardware, and plan to make the most out of it for pfSense.
By comparison, here are the numbers for a PC Engines APU:
154.17 Kpps - raw routing (est IMIX throughput = 437 Mb/s)
88.12 Kpps - with a single, stateful 'pf' rule installed (est IMIX throughput = 250Mbps)
Note that even this is faster than the NSA 2400 you pointed to.
So there it is, a real-world result, the C2758 is about 10X faster than an APU, and I've just gotten started.
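The IMIX estimate in the post above, as an added example that is not part of the original post: it applies the post's formula to the three packet rates quoted (taking 800 Kpps for the tuned C2758 figure) and, going one step beyond the post, computes the packet-rate ceiling of a single link. The 1 Gbit/s link speed and the on-wire overhead constants are assumptions.

```python
# Added example (not from the original post): the post's IMIX estimate as code.
SIMPLE_IMIX = [(7, 40), (4, 576), (1, 1500)]  # (packet count, IP packet bytes), from the post
ETH_HEADER = 14    # bytes the post adds per packet (Ethernet header, no FCS)
FCS = 4            # assumption: frame check sequence, counted on the wire
MIN_FRAME = 64     # minimum Ethernet frame; shorter packets are padded
PREAMBLE_IFG = 20  # assumption: preamble/SFD (8) + inter-frame gap (12)


def imix_bps(pps, mix=SIMPLE_IMIX):
    """Estimated IMIX throughput in bit/s, exactly as the post's formula."""
    packets = sum(count for count, _ in mix)
    frame_bytes = sum(count * (size + ETH_HEADER) for count, size in mix)
    return pps * frame_bytes / packets * 8


def wire_bytes(ip_bytes):
    """Bytes of link time one packet occupies, including padding and gaps."""
    return max(ip_bytes + ETH_HEADER + FCS, MIN_FRAME) + PREAMBLE_IFG


def link_pps_ceiling(link_bps, mix=SIMPLE_IMIX):
    """Highest packet rate a single link can carry for this mix."""
    packets = sum(count for count, _ in mix)
    avg = sum(count * wire_bytes(size) for count, size in mix) / packets
    return link_bps / (avg * 8)


if __name__ == "__main__":
    for label, pps in [("C2758, tuned, one pf rule", 800_000),
                       ("APU, raw routing", 154_170),
                       ("APU, one pf rule", 88_120)]:
        print(f"{label}: {imix_bps(pps) / 1e6:.0f} Mbit/s estimated IMIX")
    ceiling = link_pps_ceiling(1e9)  # assumption: 1 Gbit/s interface
    print(f"1 Gbit/s link carries at most {ceiling / 1e3:.0f} Kpps of this mix")
```

Under the 1 Gbit/s assumption a single link tops out near 327 Kpps of this mix, so an estimate derived from 800 Kpps describes forwarding capacity rather than what one such interface can carry.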
-
And the lower-end, Sonicwall does limit the number of nodes behind the firewall (that use the firewall).
http://help.mysonicwall.com/sw/eng/305/ui2/23100/System/Licenses.htm
Here is a reseller of Sonicwall node licenses, just so you can check prices.
http://www.sonicguard.com/NodeUpgrades.asp
To be fair, some Sonicwall devices (such as the NSA 2400) come with an "unrestricted" node license.
There are some very early benchmarks (using iPerf, which I loathe) of the C2758 here:
http://store.pfsense.org/c2758/
-
Isn't The C2758 Product page @ http://store.pfsense.org/c2758/ Misleading?!?!?!
It clearly states "No additional usage or feature based pricing. Unlimited users, firewall rules, VPN connections, etc."
However, the Quick Start Guide @ http://support.netgate.com/index.php?/Knowledgebase/Article/View/18/9/where-can-i-find-the-c2758-quick-start-guide, on page 7 states "One year of pfSense Certified software updates and bug fixes
One year of Netgate’s pfSense Certified premium add-ons for pfSense 2.1"
Which in my mind at least, tells me there is feature based pricing.. At least in that there is a renewal for whatever 'premium add-ons' are included. Shouldn't mention of this appear in the fine print of the product page?
Also, since I'm bound to be starting a mess here, can clarification be added on Netgate/ESF for these purchases? The documentation clearly states in numerous places, that this is a Netgate firewall, yet, that is left off the pfSense page, leading one to believe this is an ESF product. This seems deceptive.
I understand Netgate is now a majority? shareholder of ESF, but ESF != Netgate and Netgate != ESF. It seems you have two separate companies by design, yet you are merging the two or using them like they are one.
Who's collecting the money from this purchase directly? ESF? or Netgate?
Is ESF directly reselling Netgate equipment (Netgate is a supplier)? or am I buying Netgate directly, who then in turn makes a donation to ESF? Who's responsible for the warranty?
I am probably not the only one wondering about this last set of questions, and I don't mean to be creating problems, I'd just like clarity. If I decide to buy one of these, I'd like to know who is it truly benefiting from the purchase.
-
@gonzopancho:
And the lower-end, Sonicwall does limit the number of nodes behind the firewall (that use the firewall).
http://help.mysonicwall.com/sw/eng/305/ui2/23100/System/Licenses.htm
Wow. The more I learn about just how bad they are the more I don't understand how the company has been in business for so long. The day I retired the Sonicwall was one of the happiest days of my life (at least that's how I remember it).
Like I said, I don't believe anything they say about Sonicwall devices. My experience and reading user forums has taught me that they never perform anywhere even close to what the specs say, and unless you're doing just basic firewalling from LAN to WAN they don't ever actually work as expected either.
-
Isn't The C2758 Product page @ http://store.pfsense.org/c2758/ Misleading?!?!?!
It clearly states "No additional usage or feature based pricing. Unlimited users, firewall rules, VPN connections, etc."
However, the Quick Start Guide @ http://support.netgate.com/index.php?/Knowledgebase/Article/View/18/9/where-can-i-find-the-c2758-quick-start-guide, on page 7 states "One year of pfSense Certified software updates and bug fixes
One year of Netgate’s pfSense Certified premium add-ons for pfSense 2.1"
Obviously there is some editing to do.
Which in my mind at least, tells me there is feature based pricing.. At least in that there is a renewal for whatever 'premium add-ons' are included. Shouldn't mention of this appear in the fine print of the product page?
See above.
Also, since I'm bound to be starting a mess here, can clarification be added on Netgate/ESF for these purchases? The documentation clearly states in numerous places, that this is a Netgate firewall, yet, that is left off the pfSense page, leading one to believe this is an ESF product. This seems deceptive.
I understand Netgate is now a majority? shareholder of ESF, but ESF != Netgate and Netgate != ESF. It seems you have two separate companies by design, yet you are merging the two or using them like they are one.
Your "understanding" is flawed. Netgate is not a majority shareholder of ESF, but the principals of Netgate are the majority shareholders of ESF.
You are correct when you state "ESF != Netgate and Netgate != ESF". That said, the two companies are co-located in the same office space, and I tend to use what people and resources are available for the tasks at-hand.
Who's collecting the money from this purchase directly? ESF? or Netgate?
Is ESF directly reselling Netgate equipment (Netgate is a supplier)? or am I buying Netgate directly, who then in turn makes a donation to ESF? Who's responsible for the warranty?
In answer to both of your questions: Which store did you buy it from? There is your answer.
I am probably not the only one wondering about this last set of questions, and I don't mean to be creating problems, I'd just like clarity. If I decide to buy one of these, I'd like to know who is it truly benefiting from the purchase.
-
@gonzopancho:
I'm not sure what they mean by "connections / sec".
No, seems odd for a firewall.
Perhaps the nearest thing might be state table inserts per second? Or maybe state table searches per second?
See this thread for some big numbers:
https://forum.pfsense.org/index.php?topic=72810.0
Steve
-
Note that all of our equipment is suitable for US power standards. If you live outside the United States, be aware you may need to find a different power adapter / power supply to use your equipment.
(from http://store.netgate.com/International-Order-Payment-W9C111.aspx)
Can someone comment on it? Do I need to buy an additional power supply if I want to use it in Europe?
-
Almost certainly not.
The vast majority of computer equipment uses switching power supplies with 90-250V input so you can use them in Europe or the US. You may need a different power lead to connect the PSU to the wall socket but these will be easily available locally to you.
There are some exceptions to this though (some laptops and similar power bricks for example) so best to ask about the exact product.
Steve
-
Gents, one thing that would really help is more detail on the performance.
I'm looking for a box that will give about 25MBPS on AirVPN:
- 4096 bit RSA keys size
- AES-256-CBC Data Channel
- 4096 bit Diffie-Hellman keys size
- HMAC SHA1 Control Channel
- TLS additional authorization layer key: 2048 bit
- Perfect Forward Secrecy through Diffie-Hellman key exchange DHE.
Can you advise me? I posted this here instead of just emailing as I thought the reply might be useful for others too.
-
-
Gents, one thing that would really help is more detail on the performance.
I'm looking for a box that will give about 25MBPS on AirVPN:
- 4096 bit RSA keys size
- AES-256-CBC Data Channel
- 4096 bit Diffie-Hellman keys size
- HMAC SHA1 Control Channel
- TLS additional authorization layer key: 2048 bit
- Perfect Forward Secrecy through Diffie-Hellman key exchange DHE.
I'm assuming you likely mean Mbps (bits). The VK-T40 and C2758 platforms we sell will both do well upwards of 25 Mbps with those parameters. The 2D13 is the only system we sell that would struggle to reach 25 Mbps across a VPN with those parameters.
You may have issues reaching 25 Mbps with VPN providers along those lines for reasons entirely unrelated to your firewall. 25 Mbps probably isn't too difficult to reach, but that depends on what kind of load the provider's servers and network are under, how far away you are from the VPN server, and how far the ultimate destination of your traffic is from the VPN server. The higher latency makes it more difficult to achieve high throughput (see "long fat pipe") depending on how high it is. Some providers also significantly over-subscribe their networks and/or servers and hence perform poorly during peak times. I'm not familiar with that provider in particular so not sure what you can expect.
-
-
What is the difference between the VK-T40E and the Netgate APM4? They seem to be identical. We want to begin to replace the old watchguards at all of our satellite sites. thanks.
-
They are identical.
You may want to wait for RCC-VE.
-
Hello,
The pfSense store states the routers come with one year of 'ESF Premium Software Support'.
Is this phone support or e-mail support, etc.?
-
The bundled support is primarily handled via ticket system / e-mail / chat, but may include a phone call initiated by a support representative if circumstances dictate that it's necessary.
-
Hey,
So I am very excited to see the new hardware options on the pfSense store.
The question I have is with a 1G up and down and a desire to run Suricata which would one be better off with, the SG-2440 or the SG-4860? No VPN traffic at all.
-
Hey,
So I am very excited to see the new hardware options on the pfSense store.
The question I have is with a 1G up and down and a desire to run Suricata which would one be better off with, the SG-2440 or the SG-4860? No VPN traffic at all.
SG-2440
Dual Core Intel Atom C2358 1.7 GHz, with AES-NI and Intel QuickAssist
SG-4860
Quad Core Intel Atom C2558 2.4 GHz, with AES-NI and Intel QuickAssist
The SG-4860 comes with a higher CPU frequency, more cores and more RAM, so it would be the better appliance.
Overall, let us not only look at today's CPU performance, but more at QuickAssist. For some applications with code using Intel QA, it will be changing, and one of the common applications QuickAssist works for at this time is snort, so for those using Rangeley as a UTM or firewall appliance, it is a major consideration as I see it. So perhaps you should find out next whether suricata also benefits from Intel's QA or not, and then what you have to do to activate the Intel QA option in snort to speed up the entire performance. :o
-
Intel removed the version of firmware that would accelerate Snort.
Read: don't believe everything you read on the Internet.
The firmware for QAT these days will accelerate crypto and compression.
-
Hey,
So I am very excited to see the new hardware options on the pfSense store.
The question I have is with a 1G up and down and a desire to run Suricata which would one be better off with, the SG-2440 or the SG-4860? No VPN traffic at all.
You'll want more cores.
Someday I'll turn my attention to Snort/Suricata, DPDK and multi-core regex (probably with AVX/AVX2 acceleration.)
Today is not that day.
-
Hi There
Do you have a supplier in China or Hong Kong for the pfSense devices that you mention on this forum… If you do, what is that shop's name and contact? I'm willing to buy some of them for my network. I'd appreciate a reply ASAP...
-
OK, the new website is saying that:
'Bundled' and 'Incident' support is for ticketing system/e-mail support, 24 hour response SLA
'Professional Services' is for consulting via telephone, e-mail, etc.
Is this correct?
What is the pricing of Professional Services?