Server CPU - more cores or more GHz?

  • Hi

    Which CPU is preferable for a pfSense firewall? The machine will mainly be used for packet filtering, IDS/IPS and routing. All interfaces are 1Gbit with constantly ~300 to 500Mbit throughput. An AOC-SGP-I4 PCI-e NIC will be used (Intel i350 chip).

    Are more cores and/or threads preferred? Or does it like more GHz?
    I selected a few E3's and Scalables, what should you use?

    • Intel Xeon E3-1220V6 - 4 cores / 4 threads - 3GHz
    • Intel Xeon E3-1280V6 - 4 cores / 8 threads - 3.9GHz
    • Intel Xeon Scalable Silver 4108 - 8 cores / 16 threads - 2GHz
    • Intel Xeon Scalable Silver 4114 - 10 cores / 20 threads - 2.2GHz

    Thanks for the ideas

  • On the Product page it says this might help

    CPU Selection
    The numbers stated in the following sections can be increased slightly for quality NICs, and decreased (possibly substantially) with low quality NICs. All of the following numbers also assume no packages are installed.
    10-20 Mbps	We recommend a modern (less than 4 year old) Intel or AMD CPU clocked at at least 500MHz.
    21-100 Mbps	We recommend a modern 1.0 GHz Intel or AMD CPU.
    101-500 Mbps	No less than a modern Intel or AMD CPU clocked at 2.0 GHz. Server class hardware with PCI-e network adapters, or newer desktop hardware with PCI-e network adapters.
    501+ Mbps	Multiple cores at > 2.0GHz are required. Server class hardware with PCI-e network adapters.
    Remember if you want to use your pfSense installation to protect your wireless network, or segment multiple LAN segments, throughput between interfaces must be taken into account. In environments where extremely high throughput through several interfaces is required, especially with gigabit interfaces, PCI bus speed must be taken into account. When using multiple interfaces in the same system, the bandwidth of the PCI bus can easily become a bottleneck.

  • Hi Darkvodka34

    Yes, I know that page. But it does not say that much. What are "multiple cores"? Two cores? Quad cores? What about the threads? And how does the core/thread amount stand in proportion to the GHz?

  • For the most part more GHz is better because packet filtering and routing scale very badly over multiple cores. IDS/IPS and other services that are not directly tied to the packet filtering flow can make use of more CPU cores though.

  • That makes sense, thanks for the reply, kpa!

  • Netgate Administrator

    I would think any of those CPUs would have no problems at 500Mbps of firewall/IDS to be honest.


  • @darkvodka34 no, those recommendations are pretty meaningless

  • @vamike Then they need to update their page.

  • Netgate Administrator

    Yes, it was updated (it was very out of date previously!) but I agree it could use a refresh.
    It's hard to put numbers on things very precisely though given the variables.
    I'll see what we can do.


  • According to my knowledge from Security Onion (an IDS distribution), Snort in it will use 1 core per Snort process (CPU core, not CPU thread), and each Snort process can handle 200Mbps throughput. I haven't tried Snort in pfSense with a high-power CPU.
