Setting up pfSense with multi wan and gigabit
mdahal
I am in the process of starting a new business providing offsite backup storage and computing. Since it is in its infancy and I only have 3 clients so far, this is all going to be hosted in my homelab.
The plan is to have 2 x 1000 Mbps down / 400 Mbps up connections from two ISPs. However, I only have 2 x 250 Mbps down / 100 Mbps up currently. One will be for my home use and another for business, with the home connection being the backup for business.
Also, being a startup, I am unable to purchase any Netgate hardware at this stage, but I plan to down the road.
I will be using the parts I already have to build the firewall and use the saved cash for buying storage hardware.
The hardware I have is an i5-4690 CPU, an Intel quad-port NIC, a Supermicro 1150 motherboard with two built-in NICs, and 16 GB of memory.
The usage would be 3 site-to-site VPNs (clients connecting to me) using OpenVPN. Packages to include will be Snort (with as many rules enabled as possible), pfBlockerNG and ntopng.
My question is: will this be able to handle, at a minimum, my current bandwidth? And 2 Gbps in future? The current N3700 (Supermicro SYS-E200-9B Mini-ITX 1U server with Intel Pentium N3700 SoC) I have struggles when Snort is enabled and pushed through a single 250 x 100 Mbps connection. Eventually I will purchase some dedicated hardware with failover.
Appreciate your feedback.
It surprises me that an N3700 would have a problem passing 250 Mbps with Snort, unless maybe you have every single Snort signature enabled and a CPU-intensive pattern match algorithm. Or perhaps it is not running in its turbo mode and is stuck at 1.6 GHz.
The 4690 should be OK for the 2 Gbps, but not with OpenVPN traffic. I would expect it to fill 2 x 250 Mbps encrypted, though.
You may need to tune your Snort settings if what you're running is affecting the 3700.
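The "stuck at 1.6 GHz" possibility above is easy to rule in or out from the pfSense shell. The script below is an added example, not something posted in this thread: it compares the current CPU clock with the highest level the cpufreq driver advertises. It assumes the standard FreeBSD sysctls `dev.cpu.0.freq` (current MHz) and `dev.cpu.0.freq_levels` (space-separated `MHz/mW` pairs); the sample readings are constructed for illustration and are not measurements from the poster's N3700.

```shell
#!/bin/sh
# Added example (not from the thread): detect a pfSense/FreeBSD box that is
# sitting at its base clock instead of scaling up to its top level.
# FreeBSD exposes the current frequency in dev.cpu.0.freq and the available
# levels in dev.cpu.0.freq_levels, formatted "MHz/mW MHz/mW ...". On Intel
# parts the turbo level may be reported as the base frequency plus 1 MHz,
# which is why the comparison below uses -ge rather than equality.

# freq_check CURRENT_MHZ "LEVELS"
# Prints a verdict. Returns 0 when the current clock matches the highest
# advertised level, 1 when the CPU is running below it.
freq_check() {
    cur=$1
    levels=$2
    max=0
    for lvl in $levels; do
        mhz=${lvl%%/*}            # strip the "/mW" power figure
        if [ "$mhz" -gt "$max" ]; then
            max=$mhz
        fi
    done
    if [ "$cur" -ge "$max" ]; then
        echo "cpu at ${cur} MHz (top level ${max} MHz): frequency scaling OK"
        return 0
    fi
    echo "cpu at ${cur} MHz but ${max} MHz is available: check powerd and the power mode"
    return 1
}

# On the real firewall, feed it live values (assumed sysctl names, see above):
#   freq_check "$(sysctl -n dev.cpu.0.freq)" "$(sysctl -n dev.cpu.0.freq_levels)"

# Constructed sample readings: a box pinned at base clock, then one bursting.
freq_check 1600 "2401/1000 2400/1000 2000/800 1600/500 1200/300" || :
freq_check 2401 "2401/1000 2400/1000 2000/800 1600/500 1200/300"
```

If the first case is what you see under load, enable powerd in System > Advanced > Miscellaneous and set the power mode to Maximum or Hiadaptive before tuning Snort any further.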
mdahal
Thank you for your response, Steve.
Just double-checking now. I have the search method as AC-BNFA, the IPS policy as Balanced, auto flowbit rules enabled and OpenAppID rules enabled. I have selectively whitelisted over time. I have 4 interfaces: WAN, LAN, DMZ, WIFI.
Furthermore, for my planned use case, what sort of computing power am I looking at? Suggestions in terms of Netgate hardware or a generic CPU would be much appreciated.
The biggest factor there is how much of that traffic will be over OpenVPN. If the majority of it is, and you want to get anywhere near 2 Gbps, you're going to need the fastest CPU you can get hold of. Each OpenVPN process is single-threaded, so fewer cores at higher speeds win here if you have only a few tunnels.