Netgate Discussion Forum

    Hardware required to saturate Comcast Gigabit Pro (2gbps + 1 gbps)

21 Posts 14 Posters 8.2k Views

heper

If I lived in the US, then I'd just call up pfSense support and ask for their advice…

AFAIK there is no pfSense/FreeBSD device on the planet that can move 10Gbit wirespeed at this time. ESF & Netgate are working hard to change this; they will be best suited to point you towards hardware that can handle 10GbE in the future.

FlashEngineer

I don't have speed as fast as that, but I have 300mbps/150mbps fiber and I'm using:

Intel(R) Xeon(R) CPU D-1537 @ 1.70GHz
16 CPUs: 1 package(s) x 8 core(s) x 2 SMT threads

as my pfSense box. I used to have a C2758 but ran into issues between VLANs.

The 1537 is the updated version of the 1540 using less power. I think the turbo on my SoC is 2.1GHz. Anyhow, I never see the load go past 5-7% anyway.

What works with this is the onboard 10Gb SFP+ ports, which connect to my C2960X switch with 2 10Gb SFP+ ports. I have no issues getting nearly 1Gbps throughput between machines in different VLANs and of course maximum throughput on fiber.

Not sure if I can test and saturate a 10Gb link somehow within the network between VLANs…

Guest

Thank you for the detailed information about that Xeon D-15xx platform; it is not so widely spread in the wild now together with pfSense, I assume.

Not sure if I can test and saturate a 10Gb link somehow within the network between VLANs…

At the PRTG homepage you will be able to download a freeware tool called "server stress tool", and with it you might be able to produce a really huge amount of network traffic that will perhaps be able to saturate the entire network. If you are interested in testing it out, here is the link to the download: Link
Please be careful with that tool; it is really powerful and can freeze a whole network.

dreamslacker

@iamlucas:

Here is a link to the Comcast documentation
https://drive.google.com/file/d/0B8e0wvBZ26DadUR2OXp1blg3azVrSzJZRjFUMjRabzFQQ3Nv/view?usp=sharing

From what I can understand, they are only using the Juniper device for the link handoff.
This router is rented to me for a very low price of $20 USD per month. They are not making any money on the rental for sure.

Specifically, to use the fiber link, they suggest I need the following equipment:
  10G capable Router/Layer 3 switch with at least 1 10Gbps SFP+ cage
  10G SFP+ 850nm MMF Transceiver
  MMF LC Jumper

Comcast will provide one IPv4 static IP address for the 1Gb connection, and one for the IPv6 2Gbps fiber connection.

You should be able to use a pfSense rig with an SFP+ NIC (either onboard or using the Chelsio adapter) and an SFP+ direct attached cable (this is significantly cheaper than buying optical transceivers).

I have a C2758 pfSense box running in my office with Suricata and inter-VLAN routing.
I doubt it can do >4Gbps (which you can hit if your lines are symmetric) with IDS turned on, but that remains to be seen since I don't have a use case that requires more than 2Gbps transfers.
Aside from that, it all works reasonably well. I have 16 VLANs running on a single LAGG group (4 x 1GbE) across 2 switches and it hasn't thrown me any curveballs yet.

Hegemon

I have a C2750 pfSense box running at home on a gigabit connection. With Suricata turned on the CPU hits 100% at around 210Mbps. With any sort of IPS/IDS feature turned on, you will have to go with a Xeon processor AFAIK to push 1Gbps or higher.

Guest

I have a C2750 pfSense box running at home on a gigabit connection.

That board has no Intel QuickAssist, but it comes together with TurboBoost, so did you enable PowerD (hiadaptive)?

With Suricata turned on the CPU hits 100% at around 210Mbps.

Suricata now uses multiple CPU cores, and that is the side effect of lower-end Atoms!

With any sort of IPS/IDS feature turned on, you will have to go with a Xeon processor AFAIK to push 1Gbps or higher.

An Intel Core i3 or i5 will do the job too, but the Xeon E3 is more power-saving.

Hegemon

That board has no Intel QuickAssist, but it comes together with TurboBoost, so did you enable PowerD (hiadaptive)?

I did indeed. And although it doesn't have QuickAssist, it does have AES-NI on chip. For the small amount of encryption I'm doing for home, it seems to be plenty.

An Intel Core i3 or i5 will do the job too, but the Xeon E3 is more power-saving.

I'm not an expert, and I could very well be completely off base; perhaps you're correct. I'll just say I'd have to see it to believe it. An i3 doing IPS inspection at 1Gbps seems like a far stretch to me.

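A quick way to verify the two points raised above (AES-NI support and the powerd mode) on a pfSense/FreeBSD box, as an added example that is not from this thread. It assumes the CPU feature flags are in /var/run/dmesg.boot and that powerd shows up in `ps axww`; the sample lines inside are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): check AES-NI and the powerd mode on a
# pfSense/FreeBSD host. The parsers take their input as text so they can be
# exercised against constructed samples on any system.

# has_aesni TEXT: succeeds if the CPU identification line from dmesg lists
# AESNI among its Features2 flags, e.g. "Features2=0x...<SSE3,...,AESNI,...>".
has_aesni() {
    printf '%s\n' "$1" | grep -Eq 'Features2=[^<]*<([^>]*,)?AESNI(,[^>]*)?>'
}

# powerd_mode TEXT: prints the AC-power mode passed to powerd with -a
# (pfSense's "Hiadaptive" setting passes "hadp"), or "none" if no powerd
# process line is present in TEXT.
powerd_mode() {
    _mode=$(printf '%s\n' "$1" | sed -n 's/.*powerd .*-a \([a-z]*\).*/\1/p' | head -n 1)
    if [ -n "$_mode" ]; then printf '%s\n' "$_mode"; else printf 'none\n'; fi
}

# On a real host: read the boot log and the process table (assumed paths/tools).
check_host() {
    if has_aesni "$(cat /var/run/dmesg.boot 2>/dev/null)"; then
        echo "AES-NI: advertised by the CPU"
    else
        echo "AES-NI: not advertised (also look for an 'aesni0' line in dmesg)"
    fi
    echo "powerd AC mode: $(powerd_mode "$(ps axww 2>/dev/null)")"
}

# Constructed sample lines (not from any real machine):
SAMPLE_FEATURES='  Features2=0x7ffafbff<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,AESNI,AVX>'
SAMPLE_PS='1234  -  Ss   0:00.05 /usr/local/sbin/powerd -b hadp -a hadp -n hadp'

# Run the live check only when asked, so the parsers can be sourced elsewhere.
if [ "${1:-}" = "--run" ]; then check_host; fi
```

Run it with `--run` on the firewall itself; without arguments it only defines the functions.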
asterix

@Hegemon:

That board has no Intel QuickAssist, but it comes together with TurboBoost, so did you enable PowerD (hiadaptive)?

I did indeed. And although it doesn't have QuickAssist, it does have AES-NI on chip. For the small amount of encryption I'm doing for home, it seems to be plenty.

An Intel Core i3 or i5 will do the job too, but the Xeon E3 is more power-saving.

I'm not an expert, and I could very well be completely off base; perhaps you're correct. I'll just say I'd have to see it to believe it. An i3 doing IPS inspection at 1Gbps seems like a far stretch to me.

An i3 does 150Mbps with IPS using about 2-3% of its capacity with decent-sized rules loaded. With Snort (fully loaded with all rules) it hovers around 6-8%. I have tested this on the latest 2.3.1 with 8GB RAM. 85% of my RAM gets used for loading all Snort rules plus Squid with ClamAV and SquidGuard. I moved to an i5 a little while ago, or else I would have posted a snapshot of the CPU usage.

The CPU processing would of course change as the speed increases, but I presume it should be able to do at least 500Mbps without breaking a sweat.

whosmatt

@iamlucas:

Here is a link to the Comcast documentation
https://drive.google.com/file/d/0B8e0wvBZ26DadUR2OXp1blg3azVrSzJZRjFUMjRabzFQQ3Nv/view?usp=sharing

From what I can understand, they are only using the Juniper device for the link handoff.
This router is rented to me for a very low price of $20 USD per month. They are not making any money on the rental for sure.

Specifically, to use the fiber link, they suggest I need the following equipment:
  10G capable Router/Layer 3 switch with at least 1 10Gbps SFP+ cage
  10G SFP+ 850nm MMF Transceiver
  MMF LC Jumper

Comcast will provide one IPv4 static IP address for the 1Gb connection, and one for the IPv6 2Gbps fiber connection.

This looks like a single 2Gbps connection to me. They're making it easy to connect with commodity equipment by providing a router that can handle up to 1Gbps; anything beyond that will require 10Gbps networking in your home. That's how I read it anyway. With two static IPs you could set up both your pfSense router and leave theirs up and running, or ditch theirs and do everything on your (presumably) 10Gbps network.

dreamslacker

@Hegemon:

I'm not an expert, and I could very well be completely off base; perhaps you're correct. I'll just say I'd have to see it to believe it. An i3 doing IPS inspection at 1Gbps seems like a far stretch to me.

I'm running Suricata on a Pentium G3220 (which is slower than a Core i3), and Suricata uses ~80% at 937Mbps (about the limit of my gigabit line).

cenal

I'd love to see your follow-up on what you ended up doing. I'm moving in December to a home with a 1GbE handoff from AT&T and I'm going to need to replace my SG-2220 firewall with something that can handle the increased throughput.

I don't want to venture away from pfSense, but I'm looking around at alternatives simply because of price. The pfSense sales team told me the hardware they sell that can handle 1GbE will cost me $1,799 to own.

I'm a fan of doing things with open source software, but it's hard to say that it's worth $1,500 more to buy a pfSense unit when a competitor is so much more cost effective.

Either way I'll end up buying pfSense Gold because this project is awesome.

sirozha

@cenal:

I'd love to see your follow-up on what you ended up doing. I'm moving in December to a home with a 1GbE handoff from AT&T and I'm going to need to replace my SG-2220 firewall with something that can handle the increased throughput.

I don't want to venture away from pfSense, but I'm looking around at alternatives simply because of price. The pfSense sales team told me the hardware they sell that can handle 1GbE will cost me $1,799 to own.

I'm a fan of doing things with open source software, but it's hard to say that it's worth $1,500 more to buy a pfSense unit when a competitor is so much more cost effective.

Either way I'll end up buying pfSense Gold because this project is awesome.

Check Point 750. Can be bought for under $600. Provides throughput of 1 Gbps with encryption throughput of 500 Mbps.

webdawg

You are asking questions without listing your requirements. Give us your exact requirements and we can help you out.

Most SOHO pfSense devices handle gigabit, but I think your problem is 2Gbps….

I would just build something.

CubedRoot

I'm kind of in the same boat. I have a 1 gig synchronous fiber-to-the-home connection. I am having a hard time finding something that can handle the throughput without dropping packets. I am using an old Lanner FW8760 that has an i3 in it and 4 gig of RAM with 8 Intel NICs, which works great, but I need to put it back in my datacenter, so I need something at home that will work just as well.

MistyMt3948

What did you end up going with? I'll be getting service in a few weeks.

@CubedRoot:

I'm kind of in the same boat. I have a 1 gig synchronous fiber-to-the-home connection. I am having a hard time finding something that can handle the throughput without dropping packets. I am using an old Lanner FW8760 that has an i3 in it and 4 gig of RAM with 8 Intel NICs, which works great, but I need to put it back in my datacenter, so I need something at home that will work just as well.

datum

@Hegemon:

That board has no Intel QuickAssist, but it comes together with TurboBoost, so did you enable PowerD (hiadaptive)?

I did indeed. And although it doesn't have QuickAssist, it does have AES-NI on chip. For the small amount of encryption I'm doing for home, it seems to be plenty.

An Intel Core i3 or i5 will do the job too, but the Xeon E3 is more power-saving.

I'm not an expert, and I could very well be completely off base; perhaps you're correct. I'll just say I'd have to see it to believe it. An i3 doing IPS inspection at 1Gbps seems like a far stretch to me.

I have an i3 @ 4.1 with Snort and Suricata (for testing purposes) and I get 950 of a gigabit link with 40-50% CPU usage. If they are correctly configured, it proves that one must not underestimate an i3.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.