Gigabit Internet with quite a few packages enabled

  • I have been reading up for the past few days to find users who can verify CPU/RAM requirements that have enabled all IDS IPS Snort packages AND achieved gigabit WAN-LAN speeds.  And if they turned on other packages like Suricata, VPN, AV scanning and/or SquidGuard, it wouldn't affect their gigabit internet speeds at their home with 50 to 60 various devices.

    In your reply, please note the hardware specs you are using, which packages are turned on and what LAN-WAN-LAN speeds you are getting.  In other words, are you able to fully utilize your gigabit speeds while you have all those fw/IDS/IPS/AV packages turned on?

    (I would like to turn on (Snort/Suricata, pfBlocker, OpenVPN, HAVP, SquidGuard, pfBlockerNG, Darkstat) and still be able to fully utilize my gigabit Internet connection)

    Please don't just say i5 AES CPU and 4GB should work.  I am looking for real world experiences.


  • Is there no one with gigabit internet connection and IDS/IPS plus a few other packages turned on AND able to utilize their gigabit internet without issues?

  • I am actually in this same position …
    I have 500/500 internet with a reasonable chance it will go up to 1/1 Gbps in the not so distant future.
    Everywhere I look it's setups for 'high speed office connections' and then you look and it's not even 100Mbps.

    I was looking at the Sophos UTM as well and there's people over there with this problem too. The problems start when you want to enable the 'whole shebang' in features, more specifically the IDS/IPS functionality because that's a resource hog.

    If you leave that out then the requirements go down drastically.

  • Netgate Administrator

    The problem with this question is that it becomes difficult to get any sort of meaningful result when you start running packages like that.

    You can't just run a test against it and expect it to reflect real world throughput.

    Even if you did it's difficult to compare that with anyone else since there are so many variables in a package like Snort.

    The biggest restriction you have listed there though is OpenVPN. Are you wanting to use that for your full 1Gbps? Because that requires a much higher power CPU.


  • It's always been a good idea to let a firewall be a firewall, and use other boxes/resources to do IPS/IDS, content filtering, etc. UTMs and pfSense started to reverse that for the convenience factor of having everything in one box, but with gigabit speeds becoming commonplace people once again are running into performance problems.

    So split the load. Luckily pfSense is an appliance so it's easy to set up additional pfSense instances. I've started to split the load - doing a bare metal pfSense install that just does routing, NAT, firewall and QoS if I need it. For everything else (VPN, pfBlocker NG, DNS, DHCP etc.) I spin up a second instance of pfSense in a VM. It's a bit more work, but I suspect it's the only way you are going to be able to get max throughput on your Internet link, and also be able to do the other stuff you want to.
