Hardware Check
-
Terabytes per what, though?
So you're saying you're generating gigabits of routed throughput (i.e., between subnets – or are the interfaces just bridged?), and your pfSense box is near idle while your L2 switch is busy? That just seems… wrong. Even cheap switches should be able to forward at line rate without breaking a sweat.
-
I agree, traffic between any two interfaces is filtered by pf. Traffic not involving WAN probably isn't NATed and probably not subject to Snort etc. The only way this isn't true is if you've disabled the firewall. Even bridged interfaces are filtered.
Steve
-
I think you could avoid filtering traffic that is just forwarded between bridge members by setting net.link.bridge.pfil_member=0 and net.link.bridge.pfil_bridge=1, but yeah, pfSense seems to be set up the other way around by default.
-
Yes, the default is a filtering bridge. However, I believe I read that even with bridge member filtering disabled there is still some processing that takes place. Can't find that now of course. ::)
Steve
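The two bridge(4) sysctls named in the posts above decide where pf sees bridged frames, and the CPU-load question in this thread hinges on that. The following check is an added example, not code from the thread or from pfSense: it reads sysctl(8)-style "name: value" text (the constructed samples below, or live output of `sysctl net.link.bridge` on a FreeBSD/pfSense host) and reports which interfaces pf will filter on, including the case where moving filtering to the bridge silently disables rules bound to member NICs.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. It classifies where pf
# will see bridged traffic from the two bridge(4) sysctls named in the posts above.
# Input is sysctl(8)-style "name: value" text, so the function can be fed either
# the constructed sample below or live output from
#   sysctl net.link.bridge
# on a FreeBSD/pfSense host.

bridge_filter_mode() {
    # $1: text containing net.link.bridge.pfil_member / pfil_bridge lines.
    # Prints "<mode>: <explanation>" where <mode> is one of
    # member-only, bridge-only, both, none, unknown.
    member=$(printf '%s\n' "$1" | awk -F': *' '$1 == "net.link.bridge.pfil_member" { print $2 }')
    bridge=$(printf '%s\n' "$1" | awk -F': *' '$1 == "net.link.bridge.pfil_bridge" { print $2 }')
    case "${member:-?}/${bridge:-?}" in
        1/0) echo "member-only: pf filters on each member NIC (pfSense default); rules on the bridge interface are not consulted" ;;
        0/1) echo "bridge-only: pf filters once, on the bridge interface; rules bound to member NICs no longer apply" ;;
        1/1) echo "both: bridged frames pass through pf twice (member and bridge); most CPU per packet" ;;
        0/0) echo "none: bridged traffic bypasses pf entirely, equivalent to an unfiltered switch" ;;
        *)   echo "unknown: one or both sysctls missing from input" ;;
    esac
}

# Constructed samples (not real device output).
SAMPLE_PFSENSE_DEFAULT='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'

SAMPLE_BRIDGE_ONLY='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

bridge_filter_mode "$SAMPLE_PFSENSE_DEFAULT"
bridge_filter_mode "$SAMPLE_BRIDGE_ONLY"
```

The point of the "bridge-only" branch is the caveat to the suggestion above: pfil_member=0 with pfil_bridge=1 does cut per-packet work, but any rules attached to the member interfaces stop matching, so they have to be re-created on the bridge interface before the change, or the bridged segments end up less filtered than intended.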
-
> Terabytes per what, though?
> So you're saying you're generating gigabits of routed throughput (i.e., between subnets – or are the interfaces just bridged?), and your pfSense box is near idle while your L2 switch is busy? That just seems… wrong. Even cheap switches should be able to forward at line rate without breaking a sweat.
I have a Netgear GSM7248v2 48-port switch. Typical data transfers are between 20-28 MB/sec across the subnets and each subnet is on its own NIC. I wouldn't say the pfSense CPU is near idle.. but it's barely even noticeable. It has to be doing some processing but I have 2 physical Xeon CPUs and I suppose it's a walk in the park for them.. ;)
-
Oh, OK, I thought we were talking about pushing throughput close to wire speed; less than 30MB/s isn't exactly what I'd consider "hammering" a gigabit switch.
-
What if you wanted the internal networks to be isolated with limited connectivity and utilize the pfsense firewall to do that? Wouldn't that still get processed by the CPU? Admittedly that would not be as taxing as WAN side processing involving NAT/Snort/VPN/etc. but it still needs to be considered, right? Or is it insignificant enough to be "lumped in" with the rest of the load?
If you have multiple 'internal' interfaces segregating your network then that traffic is indeed processed and uses almost as much CPU as WAN-LAN traffic (assuming no NAT). It's not at all insignificant. That's why I asked about it.
The diagram doesn't show any switches so it's hard to say quite what is intended.
Steve
-
Thanks for your answer. The networks will be split into different subnets on different NIC ports on the pfSense.
-
> Oh, OK, I thought we were talking about pushing throughput close to wire speed; less than 30MB/s isn't exactly what I'd consider "hammering" a gigabit switch.
Well, 30MB/sec on each subnet. I have 2 NAS and they run backups at night.. and they coincide with data transfers at some point. So the switch is working on 3 subnets at a time.. sometimes with smaller files it gets to 50-60MB/sec on one subnet alone. So technically it's handling, let's say, 30 + 50 + 60 MB/sec simultaneously.
-
Mine is rocking at about 4Mbps all day and night…
Reliably too ;D