Firewall hardware

  • I have a pair of machines that have finally come home.  A dual PIII 800 and a Dual PIII 733.  Both have Intel server nics intergrated into the system board.  I was debating turning them into PF-Sense firewalls.  Will the dual 800 or dual 733 handle 5 vpn tunnels with 2 heavy users internal users and lite vpn traffic?

    Does the new verison support the dynamic IPSEC tunnels like m0n0wall yet, I like to test it.


  • What kinds of bandwidth are you talking about?


    VPN - Heavy use of any of the VPN services included in pfSense will increase CPU requirements. Encrypting and decrypting traffic is CPU intensive. The number of connections is much less of a concern than the throughput required. A 266 MHz CPU will max out at around 4 Mbps of IPsec throughput, a 500 MHz CPU can push 10-15 Mbps of IPsec, and relatively new server hardware (Xeon 800 FSB and newer) deployments are pushing over 100 Mbps with plenty of capacity to spare. Supported encryption cards, such as several from Hifn, are capable of significantly reducing CPU requirements.

  • 3 mb down / 512 kb upload by embarq

  • I went back and verified the hardware.  It is Tyan Thunder - LT-E.  It has 2 intel on board adapters (100 MB).  I have 1.5 GB of ram in the machine currently.  I am using a 256 MB flash card running M0n0Wall for some testing.

    The other machine I have is eactly the same specifications except it has dual 733 processors and 1 GB of ram.


  • Both machines should be able to handle your 3mb/512k easily, including VPN.

  • That's great, It will allow me to recover two workstations and then build out a my server that has been acting as a firewall for some time.  Just time to order to 2 us cases and put both machines in that.


  • You write that you have two internal heavy users.
    I assume they are connected via 100Mbit wire, right?
    They would be able to produce 100% CPU load.

    Or are these internal users not encrypted but have to access stuff per VPN on the outside?

  • As I understand it the heavy users produce alot of outgoing traffic which is limited by the 3MBit connection.
    You are absolutely correct otherwise.

  • My wife and I generate a bunch of outgoing and incomming traffice.  All VPN traffic is limited to my consulting business.  I do that during off peak hours and when needed.

    My worksatation which is acting as a server has shares and VPN remote connections.

    pppppThese get accesses very limited.  Mainly for remote backup. during the middle of the night via ftp.

    My biggest need right now is to get dynamic ip-sec tunnels working so I can up pdate and continue working on two customer sites.

    I two test machines that I can set up m0n0wall or the lastest verision of pf-sense alpha if it will support dynamic clients.

    Once I get this working I have a different project that I am working on that will require dynamic vpn connections for customers.

    I am looking into starting my own imaging consulting company that will providing web access to scanned images.
    I know for that I will need to a larger firewall.


  • I'd say way more than enough power.  You want that much power, electricity, heat, noise?

    PFSense is not a UTM appliance, doesn't need a lot of power.  I've played with a lot of hardware and various *nix distros, I've come back to PFSense….because of QoS features.  I run it on one of my old IBM Thinkpad laptops, a mid-range P3.  Only 256 megs of RAM.  Onboad Intel NIC, I stuck in a Linksys PCMCIA NIC...she runs great.  5x users in the house..2 of which are VERY heavy users.  Plus I have an IPSec VPN tunnel to my office, do a lot of other VPNs to other clients.  8 meg connection.  Under the heaviest of loads on the network...I never got CPU utilization above 35%.

    Laptop..nice and small, quiet.

Log in to reply