Firewall 10gb
-
Hello,
I would like to install a 10gb firewall on my network to protect my Unraid server, I have an 8gb WAN connection and I would like to know if it is possible to make a firewall with pfsense which supports 10gb because I inquired about the purchase a unifi dream machine pro and with the firewall active it only supports 2.5GB no more.
thank you in advance for your help
-
That would depend on whether the hardware is fast enough.
-
@jknott what is the minimum to have to have 8gb? cpu and memory
-
That I couldn't tell you. My firewall was previously on an HP computer, with an Athlon 3200+ CPU & 4 GB memory. It had no problem keeping up with 500 Mb. The replacement I've ordered is an i5 & 4 GB. Also, routers designed for higher bandwidth will often have layer 3 switches, to take the load off the CPU. A lot will also depend on how you use the Internet. If you simply have a 10 Gb connection, but don't using it much, that's quite different from a lot of usage and several VPNs that need encryption.
So, the bandwidth of the connection is just a small part of the equation.
What hardware do you have?
-
@jamesadams How big is your average package and how many do you see on your WAN connection pr. second??
10gbe is a lot of things depending on the scenario on which to implement it.
-
@cool_corona for the package it's a little too technical for me I couldn't tell you
And my wan connection :
-
@jamesadams It important to know the load and what packages IDS/IPS is supposed to run on it afterwards?
10 gbit routing is easy.... 10 gbit IDS is difficult.
-
-
I'll give you an example. I have a 500/20 Mb connection. I recently upgraded from 75/10, but my usage hasn't changed. Is pfsense working harder? Perhaps for short bursts, but overall no.
-
@cool_corona said in Firewall 10gb:
IDS/IPS
I don't yet know which IDS / IPS I'm going to run, because I haven't yet configured a firewall
@JKnott I would say the maximum that I happen to use at the same time is 3-4GB
-
I assume the modem is capable of providing a 10 Gb connection, as is the NIC in the server. However, that says nothing about the performance of those devices. One thing that affects this is all the buffers used in the computer. The packets can be stuffed into a buffer faster than the system can handle. TCP responds to that by slowing down the throughput. So, your hardware may be capable of a 10 Gb connection, but not sustained 10 Gb traffic. Again, it boils down to expected load and what the hardware is capable of.
This question is similar to "how high is up"?
-
@jknott said in Firewall 10gb:
This question is similar to "how high is up"?
how high is up ? I did not understand
-
The point is without data about such things as intended load, hardware performance, etc., it's impossible to answer your question.
-
@jknott the only thing I can tell you is
My modem : Freebox delta s (provided by my internet operator)
My serveur :
-
Ryzen 9 3950X
-
64Go of ram
-
Network card: Asus XG-C100CF SFP+
Maximum consumption seen 3000 mbps
-
-
Real world traffic (imix) can be forwarded (routed not filtered) at 10Gb with Xeon D class chips according to Netgate. Also according to Netgate the same traffic is going to be limited to ~6Gb when filtered (firewalled).
So, the lesson to be learned is real world 10Gb performance (LAN<->WAN) with pfSense as it currently exists is not possible with any reasonable hardware you would want to use as an on 24/7 device. Of course, you could build something that could do that but the cost would be a lot of power consumption and the required fan-noise to keep it from melting down. I guess you could water cool... but would you want that running 24/7?
Netgate mentioned that part of the move to pfSense plus would be improvements to pf. That would filter up to FreeBSD and be of benefit to all. Also, TNSR was developed for the purpose of moving traffic loads greater than 10Gb.
An ASIC based HW router (think big expensive Cisco/Juniper and the like) does 10Gb and beyond routinely.
-
@jwj ok thanks for all your informations :)
-
For some comparison points see the higher end models here:
https://www.netgate.com/products/appliances/
The 1541 shows:
L3 Forwarding: 15.41 Gbps
Firewall: 6.10 Gbps
(10k ACLs)
IPsec VPN: 2.81 Gbps
(AES-128-GCM / AES-NI)Also, higher speeds are what TNSR is for, Netgate's other product. (the second table)
"Can't find a firewall for my massively high speed connection" is definitely a "first world problem"!
-
-
@jamesadams said in Firewall 10gb:
I would like to know if it is possible to make a firewall
Hi,
Studying these will definitely be a good starting point and help
https://calomel.org/freebsd_network_tuning.html
https://calomel.org/network_performance.html
