Next firewall (10Gbe+)

einervonvielen

Hi there,

currently we have a pair of "hardware" ASIC based firewall for:

• 2x 1 Gbps to ISP
• 180000 sessions
• total of 900 Mbps@1518byte
• up to 15000 internal clients
• firewall rules <2000
• IPS with 9000 rules
• SSL inspection support

The current hardware has reached its end of life. We simply need more power. So, what kind of hardware would I need in PFSense/Snort/Squid world?
Something like a XG-1540 => http://store.pfsense.org/XG-1540/? The new firewalls should serve us for at least 5 years, so I assume those numbers will at least be twice as high within those time frame (except the number of clients)

Best Regards
Michael

Supermule

No. Run it in a VM and be done with limited hardware!

einervonvielen

@Supermule:

No. Run it in a VM and be done with limited hardware!

Well,

• Please correct me: If I have 100 physical hosts with 24 cores each, with VMWare it will not be possible to give more ressources (VM cpus) to that virtual host than on one phyisical host, as VMWare is not possible to "load balance" one virtual host between other physical hosts?
• I´d rather take 2 new physical hosts with enough CPU power, put on Hyperv/KVM/VMWare and install PFSense on those units.
• But the questions still exist: How much ressources do I need?

Guest

currently we have a pair of "hardware" ASIC based firewall for:

And why you want to move from this ASIC/FPGA based firewall to a lower one?
What is this with for a vendor and model, you are actual using at this time?

• 2x 1 Gbps to ISP
• 180000 sessions
• total of 900 Mbps@1518byte

This can easily done by the XG-1540 but the numbers of rules and matching the IDS/IPS patterns
would not be running, it is to much I think.

• I´d rather take 2 new physical hosts with enough CPU power, put on Hyperv/KVM/VMWare and install PFSense on those units.

Would also my way in this case! Without doubling the numbers within the next 5 years
it would be also running to set up;

• 2 x XG-1540 + Chelsio 520 adapter
• 1 separate Squid Server

But running than in the trap that the hardware must be changed in a really short time
because doubling the numbers at all.

2 x Xeon E5-26xx @3,0GHz
ECC RAM
Chelsio adapter
perhaps a pair of Intel bypass cards

And if the pfSense is then sorted right with Intel QuickAssist you would b easily able to insert
such cards from Intel also. QuickAssist Adapters

einervonvielen

What is this with for a vendor and model, you are actual using at this time?

2x Fortigate 311B => https://www.fortinet.com/sites/default/files/productdatasheets/FGT300Series_DS.pdf

And why you want to move from this ASIC/FPGA based firewall to a lower one?

It has reached its limit. And I wouldn´t buy Fortigate anymore. Too much problems with software

This can easily done by the XG-1540 but the numbers of rules and matching the IDS/IPS patterns
would not be running, it is to much I think.

Unfortunately, the PFSense team hasn´t published any information about performance capabilities for the XG-1540 and I cannot find any examples of some bigger setups of PFSense

And if the pfSense is then sorted right with Intel QuickAssist you would b easily able to insert
such cards from Intel also. QuickAssist Adapters

Offloading is nice, although I am asking myself whether PFSense currently can utilize even Chelsio´s "T5" features. If you look for "Tilera Tile-Gx", you will find PCIe cards, but no information about FreeBSD kernel support.

jasonlitka

You're not going to get 10Gbe out of a pfSense box without DPDK and/or QuickAssist.  The best I've done is about a third of that, and that was FW+NAT only.

I'm not sure the D-1540 has QuickAssist like the pfSense Store says though.

Guest

and I cannot find any examples of some bigger setups of PFSense

This peoples would then take more Server hardware and put the pfSense in a VM
and if you have then two servers and on each a pfSense VM you would be also able
to work with CARP or VRRP. Should be much better to be able to insert the pfSense
natively on a bigger device such as Lanner are offering in the FW-889x range!

If you look for "Tilera Tile-Gx", you will find PCIe cards, but no information about FreeBSD kernel support.

The Tile Gx cards are not supported, as I see it right at this time. But they would be also really
rocking in pfSense I am pretty sure.

Unfortunately, the PFSense team hasn´t published any information about performance capabilities for the XG-1540 and I cannot find any examples of some bigger setups of PFSense

The appliance it pretty to new! I really think based on some number named by you the XG-1540
would reaching the goal but not in all kinds, that means related to the number of rules it could be
that they are not really fast enough to utilize this numbers of rules.

I'm not sure the D-1540 has QuickAssist like the pfSense Store says though.

But I hope so.

about a third of that, and that was FW+NAT only.

Puuh this would be really sad, with the Chelsio adapters and the XG-1540 it was all
looking really good for peoples you have to saturate more throughput.

jdillard

@Jason:

I'm not sure the D-1540 has QuickAssist like the pfSense Store says though.

It says at the bottom of the page:

2 Future pfSense distributions will have support for QuickAssist. AES-NI support is included.

but the footnote wasn't tied in correctly. I went ahead and added the footnote marker at the top of the description. Thanks for pointing that out.

Guest

2 Future pfSense distributions will have support for QuickAssist. AES-NI support is included.

@jdillard
This was more pointed to the hardware, he means that the hardware (XG-D-1540) is capable of the QuickAssist
technology, or in shorter words, do the XG-1540 hardware does comes with support of Intel QuickAssist?

athurdent

@einervonvielen:

• 2x 1 Gbps to ISP
• 180000 sessions
• total of 900 Mbps@1518byte
• up to 15000 internal clients
• firewall rules <2000
• IPS with 9000 rules
• SSL inspection support

If you are responsible for 15000 clients you'd better not solely rely on this forum. Why not ask directly @ http://store.pfsense.org/contact-us/ ?

jdillard

@BlueKobold:

This was more pointed to the hardware, he means that the hardware (XG-D-1540) is capable of the QuickAssist
technology, or in shorter words, do the XG-1540 hardware does comes with support of Intel QuickAssist?

Ah you are correct, I do web not hardware :) I'm not sure how that text got in there (probably a copy paste error), but I took it out and will have someone review the text to make sure the rest is accurate. Thanks again!

einervonvielen

@athurdent:

@einervonvielen:

• 2x 1 Gbps to ISP
• 180000 sessions
• total of 900 Mbps@1518byte
• up to 15000 internal clients
• firewall rules <2000
• IPS with 9000 rules
• SSL inspection support

If you are responsible for 15000 clients you'd better not solely rely on this forum. Why not ask directly @ http://store.pfsense.org/contact-us/ ?

So I did and received an answer: "The pfSense XG-1540 http://store.pfsense.org/XG-1540/ can handle that load."
Thanks all for your answers!