HW Requirements for 10Gb LAN



  • Hello all!  First post here and hopefully in the right place.

    I currently have an A1SRM2558F running with 8GB of ram in my pfSense box.  Everything works wonderfully.  I have a 250Mb connection and it can push that through a VPN without issue, handles Snort just fine and everything else I'm running.

    The only thing is, I am moving to 10Gb for my LAN connections and will have to route between two 10Gb switches.  I know that this board won't be able to handle that, so I'm trying to figure out what I will need to make that work.

    I'm currently leaning towards a Supermicro X11SSL-F with a Xeon e3-1230 V5.  I know this will be massive overkill for the WAN side of things, but I don't know how it will handle the 10Gb on the LAN.  Are there any specifications for handling LAN connections that fast?

    Thank you in advance!



  • afaik there is not much on this planet that will make in-kernel-routing go much faster than 4Gb/s on FreeBSD.

    so i wouldn't bother getting newer/better hardware until netmap-fwd gets merged into pfSense base.



  • @CookiesLikeWhoa:

    …have to route between two 10Gb switches...

    What switches are these?
    If you only need to route and not to filter you could use an L3 managed switch. Those should handle line speed.
    Or wait as per heper's post.



  • I currently have an A1SRM2558F running with 8GB of ram in my pfSense box.  Everything works wonderfully.  I have a 250Mb connection and it can push that through a VPN without issue, handles Snort just fine and everything else I'm running.

    Please feel free to read this side comment from the actual doings and development about the abilities
    and what is going on exactly in pfSense. 10 GbE network with C2758

    The only thing is, I am moving to 10Gb for my LAN connections and will have to route between two 10Gb switches.  I know that this board won't be able to handle that, so I'm trying to figure out what I will need
    to make that work.

    If you route all stuff and the whole load over an Intel Xeon E3-12xxv5 it will be one side of this,
    but what kind of switches are on the other side would be more interesting and on top of this you
    could try out a Chelsio dual 10 GbE NIC from the pfSense store, its best driver supported at this
    time under pfSense and it is coming with an ASIC on board (on the NIC) and this will be able to
    offload fully many TCP/IP tasks such as VLAN, QoS and other things, but if you then have a look
    on your bill, I mean what you have to pay for that you might be thinking 2 Layer3 Switches that
    can be stacked (switch stack) would be the better investment in my eyes if both must be connected
    in the LAN side and not one in the LAN and one in the DMZ.

    I'm currently leaning towards a Supermicro X11SSL-F with a Xeon e3-1230 V5.  I know this will be massive overkill for the WAN side of things, but I don't know how it will handle the 10Gb on the LAN.  Are
    there any specifications for handling LAN connections that fast?

    If I see what comes out from the most of all 10 GbE or SFP+ based connections, it is more something like
    2 GBit/s - 4 GBit/s of protocol independent raw throughput. And a Xeon E3-1230v5 is perhaps capable to
    realize this, but actually not really pfSense.

    It is also and even based on the whole network topology you were planning! If you have:
    Core (Layer) switches > distributed (Layer) switches > access (Layer) switches

    You will be having the Core Layer or switches routing the entire LAN and the firewall is then only
    routing the WAN - LAN and WAN DMZ part, you will be having a more liquid running network as
    with less of one or two Layers. If the whole network load is spread over many Switch chips and this
    switches are playing all nice together and/or stacked up (switch stack) you might be better sorted
    than let the entire traffic running through the firewall. Perhaps something for you too!?

    Here are some switches we were placing inside of networks from smaller over mid ranged one and also
    pretty new ones and they are working more or less as expected and f* fast together.
    Small:

    • D-Link DGS1510 series
    • Cisco SG500x series

    Mid ranged business and greater:

    • Zyxel XSG45 or XGS47 series
    • Netgear M4300 series

    High end or big business:

    • Netgear M6100 chassis Layer3
    • Netgear M7300 w/ Layer3 license

    All switches are stackable Layer3 switches, over stack ports or SFP+10 and GbE Ports.
    I am pretty sure they will be sufficient enough to route the whole LAN traffic without
    the border firewall or border router in that game. It all depends more on what your entire
    network load will be in real and what protocols are in usage such as VRRP/VRSP/OSPF/RIP/PBR
    or if this must be a redundant working situation in my eyes.



  • Thank you for the information everyone!

    Currently I have two switches for all the traffic.

    One switch is a Netgear GSM7228PS which handles the IP Cameras on one VLan and all 1Gb traffic on another VLan.  While this doesn't have a lot of 10Gb ports (just 2 actually), the two in use would be pushing all the bandwidth through them.

    The other switch is a Netgear XSM7224S which has been the core switch that handles all of the traffic from the work stations to our NAS's and rendering nodes and the ESXi traffic.  This switch currently does not have an L3 license.

    While it would be easier to just run the 7228 into the 7224, we have run out of ports on the 7224 with the addition of another NAS and rendering node.  Hence the need to try to route 10Gb traffic.

    I may try the Chelsio card path first, or see if I can't free up a couple of ports on the 7224.


  • Netgate

    @heper:

    afaik there is not much on this planet that will make in-kernel-routing go much faster than 4Gb/s on FreeBSD.

    so i wouldn't bother getting newer/better hardware until netmap-fwd gets merged into pfSense base.

    You should listen to this guy (I don't know if heper is a guy or not.)

    He knows what he's talking about.

    That said, I don't know that we're going to "merge netmap-fwd into pfSense base" as much as we're going to use it (and monoBSD) as a base to rewrite the thing we all know as "pfSense".



  • Guy

    Don't know anything…. just reproducing what I read in other parts of this forum.



  • @heper:

    afaik there is not much on this planet that will make in-kernel-routing go much faster than 4Gb/s on FreeBSD.

    so i wouldn't bother getting newer/better hardware until netmap-fwd gets merged into pfSense base.

    Interesting to note is even though netmap-fwd is faster than current FreeBSD by quite a bit, it's only single threaded. If someone could make it threaded, it could be faster!


  • Netgate

    @Harvy66:

    @heper:

    afaik there is not much on this planet that will make in-kernel-routing go much faster than 4Gb/s on FreeBSD.

    so i wouldn't bother getting newer/better hardware until netmap-fwd gets merged into pfSense base.

    Interesting to note is even though netmap-fwd is faster than current FreeBSD by quite a bit, it's only single threaded. If someone could make it threaded, it could be faster!

    Wow… what an idea!  If only someone could make it threaded, it could be faster!

    %:netmap-fwd jim$ git branch -a
    * master
      threads
      remotes/github/master
      remotes/origin/HEAD -> origin/master
      remotes/origin/master
      remotes/origin/threads
    %:netmap-fwd jim$
    
    


  • May I lend you my box of tags?
    I was criticized in the past for not using them on occasion.


  • Netgate

    I doubt your box of sarcasm would last long if I had access.  :)

