Hardware required to saturate Comcast Gigabit Pro (2gbps + 1 gbps)
-
I have a c2750 pfsense box running at home on a gigabit connection. With Suricata turned on the CPU hits 100% at around 210Mbps. With any sort of IPS/IDS feature turned on, you will have to go with a Xeon processor AFAIK to push 1Gbps or higher.
-
I have a c2750 pfsense box running at home on a gigabit connection.
That board has no Intel QuickAssist, but it comes together with TurboBoost, and so did you
enable the PowerD (hi adaptive)?
With Suricata turned on the CPU hits 100% at around 210Mbps.
Suricata now makes use of multiple CPU cores, and that is then the side effect of lower end Atoms!
With any sort of IPS/IDS feature turned on, you will have to go with a Xeon processor AFAIK to push 1Gbps or higher.
An Intel Core i3 or i5 will do the job too, but the Xeon E3 is more power efficient.
-
That board has no Intel QuickAssist, but it comes together with TurboBoost, and so did you
enable the PowerD (hi adaptive)?
I did indeed. And although it doesn't have QuickAssist, it does have AES-NI on chip. For the small amount of encryption I'm doing for home, it seems to be plenty.
An Intel Core i3 or i5 will do the job too, but the Xeon E3 is more power efficient.
I'm not an expert, and I could very well be completely off base; perhaps you're correct. I'll just say I'd have to see it to believe it. An i3 doing IPS inspection at 1Gbps seems like a far stretch to me.
-
That board has no Intel QuickAssist, but it comes together with TurboBoost, and so did you
enable the PowerD (hi adaptive)?
I did indeed. And although it doesn't have QuickAssist, it does have AES-NI on chip. For the small amount of encryption I'm doing for home, it seems to be plenty.
An Intel Core i3 or i5 will do the job too, but the Xeon E3 is more power efficient.
I'm not an expert, and I could very well be completely off base; perhaps you're correct. I'll just say I'd have to see it to believe it. An i3 doing IPS inspection at 1Gbps seems like a far stretch to me.
An i3 does 150Mbps with IPS using about 2-3% of its capacity with decent sized rules loaded. With Snort (fully loaded with all rules) it hovers around 6-8%. I have tested this on the latest 2.3.1 with 8GB RAM. 85% of my RAM gets used for loading all Snort rules plus Squid with ClamAV and SquidGuard. I moved to an i5 a little while ago, or else I would have posted a snapshot of the CPU usage.
The CPU processing would of course change as the speed increases, but I presume it should be able to do at least 500Mbps without breaking a sweat.
-
Here is a link to the Comcast documentation:
https://drive.google.com/file/d/0B8e0wvBZ26DadUR2OXp1blg3azVrSzJZRjFUMjRabzFQQ3Nv/view?usp=sharing
From what I can understand, they are only using the Juniper device for the link handoff.
This router is rented to me for a very low price of $20 USD per month. They are not making any money on the rental for sure.
Specifically, to use the fiber link, they suggest I need the following equipment:
10G capable Router/Layer 3 switch with at least 1 10Gbps SFP+ cage
10G SFP+ 850nm MMF Transceiver
MMF LC Jumper
Comcast will provide one IPv4 static IP address for the 1Gb connection, and one for the IPv6 2Gbps fiber connection.
This looks like a single 2Gbps connection to me. They're making it easy to connect with commodity equipment by providing a router that can handle up to 1Gbps; anything beyond that will require 10Gbps networking in your home. That's how I read it anyway. With two static IPs you could set up both your pfsense router and leave theirs up and running, or ditch theirs and do everything on your (presumably) 10Gbps network.
-
I'm not an expert, and I could very well be completely off base; perhaps you're correct. I'll just say I'd have to see it to believe it. An i3 doing IPS inspection at 1Gbps seems like a far stretch to me.
I'm running Suricata on a Pentium G3220 (which is slower than a Core i3), and Suricata uses ~80% at 937Mbps (about the limit of my gigabit line).
-
I'd love to see your follow up on what you ended up doing. I'm moving in December to a home with a 1GbE handoff from AT&T and I'm going to need to replace my SG-2220 firewall with something that can handle the increased throughput.
I don't want to venture away from PFsense but I'm looking around at alternatives simply because of price. The PFsense sales team told me the hardware they sell that can handle 1GbE will cost me $1,799 to own.
I'm a fan of doing things with open source software but it's hard to say that it's worth $1,500 more to buy a pfsense unit when a competitor is so much more cost effective.
Either way I'll end up buying pfsense gold because this project is awesome.
-
I'd love to see your follow up on what you ended up doing. I'm moving in December to a home with a 1GbE handoff from AT&T and I'm going to need to replace my SG-2220 firewall with something that can handle the increased throughput.
I don't want to venture away from PFsense but I'm looking around at alternatives simply because of price. The PFsense sales team told me the hardware they sell that can handle 1GbE will cost me $1,799 to own.
I'm a fan of doing things with open source software but it's hard to say that it's worth $1,500 more to buy a pfsense unit when a competitor is so much more cost effective.
Either way I'll end up buying pfsense gold because this project is awesome.
Check Point 750. Can be bought for under $600. Provides throughput of 1 Gbps with encryption throughput of 500 Mbps.
-
You are asking questions without listing your requirements. Give us your exact requirements and we can help you out.
Most soho pfsense devices handle gigabit but I think your problem is 2gbps….
I would just build something.
-
I'm kind of in the same boat. I have a 1 gig synchronous fiber to the home connection. I am having a hard time finding something that can handle the throughput without dropping packets. I am using an old Lanner FW8760 that has an i3 in it, 4 gig of RAM and 8 Intel NICs, which works great, but I need to put it back in my datacenter, so I need something at home that will work just as well.
-
What did you end going with? I'll be getting service in a few weeks.
I'm kind of in the same boat. I have a 1 gig synchronous fiber to the home connection. I am having a hard time finding something that can handle the throughput without dropping packets. I am using an old Lanner FW8760 that has an i3 in it, 4 gig of RAM and 8 Intel NICs, which works great, but I need to put it back in my datacenter, so I need something at home that will work just as well.
-
That board has no Intel QuickAssist, but it comes together with TurboBoost, and so did you
enable the PowerD (hi adaptive)?
I did indeed. And although it doesn't have QuickAssist, it does have AES-NI on chip. For the small amount of encryption I'm doing for home, it seems to be plenty.
An Intel Core i3 or i5 will do the job too, but the Xeon E3 is more power efficient.
I'm not an expert, and I could very well be completely off base; perhaps you're correct. I'll just say I'd have to see it to believe it. An i3 doing IPS inspection at 1Gbps seems like a far stretch to me.
I have an i3 @ 4.1 with Snort and Suricata (for testing purposes) and I get 950 of a gigabit link with 40/50% CPU usage. If they are correctly configured, it proves that one must not underestimate an i3.