Maximum limitation to NAT and PFsync utilization



Hi guys,

I'm new to pfSense.

I will use pfSense to replace my old firewall.

Existing condition of the old firewall:

• MikroTik CCR1016
• CPU count 16, 1200MHz, average utilization 5%, RAM 1940MB
• 4x 1G LACP WAN interface to ISP, assigned 1 public IP
• 4x 1G LACP to core switch, assigned 1 private IP
• NAT daily entries: around 12000 on average (we expect 24000 next year or maybe more, and 48000 in 2018 or maybe more)
• Daily average traffic at the WAN interface: around 2Gbps (we expect 4Gbps next year or maybe more, and 8Gbps in 2018 or maybe more)

Inter-VLAN routing is handled by a layer-3 core switch. We will keep using the same layer-3 core switch when we migrate NAT handling to pfSense.

I will install pfSense on 2 physical servers and implement CARP.

The condition of each pfSense server:

• Each server's brief specifications: 2 Xeon 2.4GHz CPUs @ 6 cores with hyperthreading (24 logical cores detected in total), 128GB RAM, 128GB SSD, 2x 10G BaseT on-board, 2x 1G NIC.
• 1 port 10G for upstream, will be assigned 1 public IP.
• 1 port 10G for downstream, will be assigned 1 private IP.
• 2 ports of 1G will be LACP, dedicated to CARP sync, will be assigned 1 private IP
• Will mainly serve as NAT (PAT) to the WAN Virtual IP
• The downstream network will point its default gateway to the LAN Virtual IP
• We will leave the pfSense rules at their default configuration, since we don't intend to block any traffic from LAN to WAN or from WAN to LAN

My questions related to the conditions above:
(1) What is pfSense's maximum number of NAT entries?
(2) What is pfSense's maximum packets-per-second?
(3) If both 10G interfaces are fully utilized and NAT rises to its maximum capacity, will the dedicated 2x1G CARP sync link become a bottleneck?

Regards,
Soru
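The two capacity questions in the post (state-table ceiling and whether the pfsync link will saturate) can be checked on a running pf firewall from `pfctl -si` (state table counters and insert/removal rates) and `pfctl -sm` (the `states hard limit`, which pfSense exposes as Firewall Maximum States under System > Advanced > Firewall & NAT). The script below is an added example, not code from the original post or from the pfSense project: it parses constructed sample output in those two formats, projects the state count by a growth factor (the post's 12000 to 48000 is a factor of 4), and turns the state churn rate into a pfsync bandwidth estimate. `BYTES_PER_STATE_UPDATE` and the sample output are assumptions, not measured pfsync figures.

```python
"""Estimate pf state-table headroom and pfsync link load from pfctl output.

Added example (not from the original post). Assumes the FreeBSD/pfSense
`pfctl -si` and `pfctl -sm` output formats; the sample output below is
constructed, and BYTES_PER_STATE_UPDATE is an assumed parameter.
"""
import re

# Constructed sample of `pfctl -si`; only the State Table section is parsed.
SAMPLE_PFCTL_SI = """\
Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                    12000
  searches                       8123456789        29342.1/s
  inserts                          44110122          159.3/s
  removals                         44098122          159.2/s
"""

# Constructed sample of `pfctl -sm`; "states hard limit" is the ceiling that
# pfSense's Firewall Maximum States setting controls.
SAMPLE_PFCTL_SM = """\
states        hard limit   100000
src-nodes     hard limit   100000
frags         hard limit     5000
table-entries hard limit   200000
"""

# Assumption: bytes on the wire per replicated state change (insert or
# removal) including Ethernet/IP/pfsync framing. Calibrate from a capture.
BYTES_PER_STATE_UPDATE = 400


def parse_state_table(pfctl_si: str) -> dict:
    """Pull current entries and the insert/removal rates out of `pfctl -si`."""
    out = {}
    m = re.search(r"^\s*current entries\s+(\d+)", pfctl_si, re.M)
    out["current"] = int(m.group(1))
    for key in ("inserts", "removals"):
        m = re.search(rf"^\s*{key}\s+\d+\s+([\d.]+)/s", pfctl_si, re.M)
        out[key + "_per_s"] = float(m.group(1))
    return out


def parse_state_limit(pfctl_sm: str) -> int:
    """Return the states hard limit reported by `pfctl -sm`."""
    m = re.search(r"^states\s+hard limit\s+(\d+)", pfctl_sm, re.M)
    return int(m.group(1))


def pfsync_bits_per_s(inserts_per_s: float, removals_per_s: float,
                      bytes_per_update: int = BYTES_PER_STATE_UPDATE) -> float:
    """Lower-bound pfsync load: every insert and removal must reach the peer."""
    return (inserts_per_s + removals_per_s) * bytes_per_update * 8


def assess(pfctl_si: str, pfctl_sm: str, growth_factor: float = 1.0,
           sync_link_bps: float = 2e9) -> dict:
    """Project state count and pfsync load, and flag either ceiling being hit."""
    st = parse_state_table(pfctl_si)
    limit = parse_state_limit(pfctl_sm)
    projected_states = st["current"] * growth_factor
    bps = pfsync_bits_per_s(st["inserts_per_s"] * growth_factor,
                            st["removals_per_s"] * growth_factor)
    return {
        "state_utilisation": projected_states / limit,
        "states_ok": projected_states < limit,
        "pfsync_bps": bps,
        "sync_link_ok": bps < sync_link_bps,
    }


if __name__ == "__main__":
    # Factor 4 matches the post's 12000 -> 48000 projection; 2e9 is a 2x1G LACP bundle.
    for growth in (1.0, 2.0, 4.0):
        r = assess(SAMPLE_PFCTL_SI, SAMPLE_PFCTL_SM, growth_factor=growth)
        print(f"x{growth:.0f}: states {r['state_utilisation']:.0%} of limit "
              f"(ok={r['states_ok']}), pfsync ~{r['pfsync_bps'] / 1e6:.2f} Mbps "
              f"(ok={r['sync_link_ok']})")
```

The estimate is deliberately a floor: pfsync also sends updates for existing states (TCP window and sequence tracking, timeouts) and a bulk transfer of the whole table when a peer rejoins, so the real sync load is higher than inserts plus removals alone. Even so, the arithmetic shows that sync bandwidth scales with state churn, not with the 10G data-plane throughput, which is the quantity to measure before deciding whether the 2x1G bundle is the bottleneck.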

