Predicting resources used by packages
-
I have been using pfSense for a few years, and would like to upgrade my machine. The new machine needs to handle gigabit ethernet and maximum 20 users.
My problem is calculating how much extra power I need for multiple packages and a VPN client. The pfSense hardware sizing guidance gives suggestions about how much additional CPU and RAM each package needs, but I also know from the forums that resources depend highly on individual configurations.
I've read the countless posts of "how powerful does my computer need to be?" I'd like to know how to come to those answers so I can do it myself.
For pfBlocker, what is the base system resource usage and what functions increase that usage?
Same thing for Suricata.
Now, the big question. How do you measure the impact of packages on speed?
I am happy to buy whatever hardware I need, I just want to make sure that it is the right stuff.
-
"It depends." :) Is Gigabit your WAN connection? That can affect things greatly because "doing a thing" at 50 Mbps is a much different load than doing it at 1000 Mbps.
https://www.netgate.com/blog/choosing-the-right-netgate-appliance.html
https://www.netgate.com/products/appliances/
VPN has a large impact because every packet is encrypted/decrypted. 20 users of occasional browsing and letter writing is much different than 20 simultaneous gamers with voice connections.
pfBlocker basically adds firewall rules to block traffic. It has other uses but we use it for geo-blocking so it's basically just having more rules to search. We typically use Suricata as well which inspects packets. With those two, we've not had a resource problem with any of our SMB clients with an SG-3100 and typical SMB cable Internet (~75 down, 10 up, around here).
-
It is a Gigabit WAN connection. Would have been great if I'd mentioned that the first time.
-
Both pfBlocker and Suricata can add variable loads because you can choose to load huge lists or all the signature files or only what you actually need. Suricata in addition has numerous tuning options.
As said though pfBlocker basically adds firewall rules so it's adding load to processes already running. Suricata (or Snort) adds new processes so if you have a system that has multiple CPU cores you might find it uses them more effectively. So, yeah, unfortunately; it depends.
But really you're asking what system you need to pass 1Gbps with pfBlocker and Suricata running with some base level rulesets loaded?
Steve
-
Thanks for all the responses so far. For context, I set up my system similar to pfSense baseline guide with VPN, Guest and VLAN support and then added pfBlocker and Suricata on top.
My question is actually how to calculate what changing each of those many variables will add or subtract from the resource load. I want to find my ideal settings, calculate how much resources everything takes, and then build my system to those specifications.
For example, if I am using pfBlocker and I add another feed, how do I calculate the additional CPU and RAM usage that adding that feed will require? Let me know if I am clearly explaining my request.
-
@riftor_77 said in Predicting resources used by packages:
Thanks for all the responses so far. For context, I set up my system similar to pfSense baseline guide with VPN, Guest and VLAN support and then added pfBlocker and Suricata on top.
My question is actually how to calculate what changing each of those many variables will add or subtract from the resource load. I want to find my ideal settings, calculate how much resources everything takes, and then build my system to those specifications.
For example, if I am using pfBlocker and I add another feed, how do I calculate the additional CPU and RAM usage that adding that feed will require? Let me know if I am clearly explaining my request.
Why not simply run a controlled test and see for yourself? Measure CPU and RAM usage while running traffic through the box with iperf without that additional feed enabled, then repeat the exact same test with the feed enabled. You can even do it several times and compute an average. I doubt you see very much of a change, though. Just remember to reset the states in between the tests to be sure the firewall actually inspects the test traffic against the entire rule chain and does not use an existing state established during the first test to bypass a bunch of rules in the second test.