Netgate Discussion Forum

    Hardware sizing NAT/Firewall 5.200 users

    • omel1

      Hello,

      we are planning to use pfSense for a student dorm network. pfSense should act as a NAT gateway and do some firewalling.
      The network is divided into several IPv4 /24 networks - in total about 5.200 clients.
      The average used bandwidth at the core switch for all clients in total is about 2 Gbit/s.

      I am now thinking about the hardware sizing for pfSense. Should I go with one big box and 10 Gbit/s interfaces or spread the load
      over several physical pfSense instances? I personally tend to use several boxes.

      How many NAT connections can I expect one box to handle, and how would you size the hardware (CPU/cores, RAM)?

      If there is any info missing I am happy to provide it.

      Best regards
      Omel

      • Guest

        You might be able to go with more than one solution.

        A pfSense XG-2758 or XG-1541 as a HA setup would fit here well, but as is often the case it may also depend on what
        kind of packages you will be installing and the protocols that will be in use, or on top of this what services you are
        planning to use together with that amount of users.

        • How many VLANs must be served?
        • pfBlockerNG to block countries or areas
        • Snort or Suricata as IDS/IPS system to raise security
        • is BGPi or BGPe a theme, or VRRP or VRSP
        • HA setup to make sure a hardware failure can be worked around too
        • Captive portal for guest WiFi or BYOD WiFi in the campus cantina
        • FreeRADIUS and OpenLDAP as security for wireless and wired devices
        • Squid & SquidGuard & SARG as caching proxy or plain HTTP proxy with logging capabilities
        • Multi-WAN solution (load balancing and/or failover): how many WAN ports and with what throughput

        What would also fit are the Lanner FW-8894 and FW-8996 appliances with a hypervisor and then 2 pfSense
        instances in VMs to have a virtual HA setup; that might also be nice to go with. There will also be enough headroom for
        other instances such as a separate Captive Portal, a WLAN controller from UBNT perhaps, and a bigger RADIUS server
        or other routers perhaps.

        Build your own Xeon E5 appliance and stick in a Chelsio T-520 or T-540 NIC that would be able to fully offload
        something like NAT, VLANs, and other networking stuff.

        • omel1

          Hi,

          I think it will be a pretty simple setup. We have two VLANs (in/out) and two physical 2 * 10GE fibre.

          Authentication is not needed at the firewall as we intend to go with Option82 DHCP (the DHCP server will be separate). There is no need for VPN, LDAP or Captive Portal.

          Protocol I guess will be mainly HTTP/S. It's all private use.

          If we have say 4.000 users online - all with some sessions established - the box needs to keep all the NAT states. I am just not sure if pfSense is the right product and if it's okay to go with a general purpose CPU with standard server hardware for that amount of users (throughput), or if it would be better to go with a real firewall vendor using ASICs or something. The $ delta seems to be huge in favor of pfSense!
          The pfSense hardware requirement guide only goes up to 500 Mbps (https://www.pfsense.org/hardware/).

          Thanks.

          Regards

          • Guest

            > I think it will be a pretty simple setup. We have two VLANs (in/out) and two physical 2 * 10GE fibre.

            You will then be able to use a Chelsio card that fully offloads the NAT part.

            > Authentication is not needed at the firewall as we intend to go with Option82 DHCP (the DHCP server will be separate). There is no need for VPN, LDAP or Captive Portal.

            Ok, that would make it simpler.

            > If we have say 4.000 users online - all with some sessions established - the box needs to keep all the NAT states. I am just not sure if pfSense is the right product and if it's okay to go with a general purpose CPU with standard server hardware for that amount of users (throughput)

            DHCP and DNS entries must also be stored for caching them too; there will be no limitations, only the hardware
            sets the upper level, from the pfSense side you will not be pressed down!

            > or if it would be better to go with a real firewall vendor using ASICs or something.

            If only SPI firewall rules (netfilter) and NAT are needed, pfSense would do that job with ease; only
            finding the really matching hardware would be the problem here in my eyes.

            > The $ delta seems to be huge in favor of pfSense!

            Money is not all; if the network must really be running 24/7/365, a HA setup might also be the
            best bet to guarantee that all is well.

            > The pfSense hardware requirement guide only goes up to 500 Mbps (https://www.pfsense.org/hardware/).

            Not really, there it says something about achieving "over" 500 MBit/s, which means more than 500 MBit/s or above that
            you will need: 501+ Mbps - multiple cores at > 2.0GHz are required, server class hardware with PCI-e network adapters.
            2 x Xeon E5-26xxv3/v4 and 32 GB RAM or more will be your choice and the way to go as I see it. Or a self-made
            Supermicro Xeon D-15x8 platform should be more than enough.

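The state-table sizing question raised in this thread (4.000 users, each with several established sessions) can be checked against a running pfSense box rather than guessed. The example below is added here and is not code from the thread or from Netgate: it parses the `pfctl -si` (current state count) and `pfctl -sm` (hard state limit) output formats, projects the states a planned user population needs, and estimates RAM using the roughly 1 KB per state rule of thumb from the pfSense documentation. The `pfctl` output is constructed sample text, and the per-user session count and headroom factor are assumptions to adjust for your own traffic.

```python
import re

# Constructed sample output in the format of `pfctl -si` and `pfctl -sm`
# on FreeBSD/pfSense (not captured from any system in the thread).
PFCTL_SI = """Status: Enabled for 12 days 04:11:32           Debug: Urgent

State Table                          Total             Rate
  current entries                   248113
  searches                      9012345678        8531.0/s
  inserts                         51234567          48.5/s
  removals                        50986454          48.3/s
"""
PFCTL_SM = """states        hard limit   400000
src-nodes     hard limit    40000
frags         hard limit    25000
table-entries hard limit   200000
"""

STATE_RAM_BYTES = 1024  # pfSense docs' rule of thumb: about 1 KB per state


def parse_current_states(si_output):
    """Number of live pf states from `pfctl -si` text."""
    return int(re.search(r"current entries\s+(\d+)", si_output).group(1))


def parse_state_limit(sm_output):
    """Configured hard state limit (Firewall Maximum States) from `pfctl -sm`."""
    return int(re.search(r"^states\s+hard limit\s+(\d+)", sm_output, re.M).group(1))


def size_state_table(users, sessions_per_user, headroom=2.0):
    """States and RAM a NAT gateway needs for `users` clients holding
    `sessions_per_user` concurrent flows, with a safety multiplier (assumed)."""
    needed = int(users * sessions_per_user * headroom)
    return {"states": needed, "ram_mib": needed * STATE_RAM_BYTES / 2**20}


def check_headroom(si_output, sm_output, users, sessions_per_user):
    """Compare today's utilization and the planned load against the hard limit.
    A limit that is too low makes pf drop new connections once it is reached."""
    current = parse_current_states(si_output)
    limit = parse_state_limit(sm_output)
    plan = size_state_table(users, sessions_per_user)
    return {
        "current": current,
        "limit": limit,
        "utilization": current / limit,
        "planned_states": plan["states"],
        "planned_ram_mib": plan["ram_mib"],
        "limit_sufficient": plan["states"] <= limit,
    }
```

If `limit_sufficient` is false, raise Firewall Maximum States under System > Advanced > Firewall & NAT (and confirm the box has the RAM the estimate implies) before the user base grows into it.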
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.