SG-5100 gigabit throughput with UTM packages?
-
Hello, first off, my apologies if this has been asked before, I've been searching through the forums and could not find an exact answer.
Anyway, I am thinking of getting a SG-5100 for my home network. I have a 1000 up/1000 down fiber internet through AT&T using a NVG599 Arris modem. I am aware of the tweak to bypass the modem and use it for auth packets only so that is also a consideration for this setup.
My proposal is to use the SG-5100 appliance as a firewall+router+UTM. So that means in addition to base setup, installing either snort or suricata, clamAV, pfblockerNG, and possibly squidguard. The goal is to have IPS/IDS, Antivirus, adblock, and web content filtering in one device. I know IDS/IPS rules can be memory hungry so I would upgrade the RAM to 16 GB.
Is this proposed setup able to maintain gigabit throughput on the SG-5100? I would probably be using the IGB ports for LAN and WAN, and then an IX port for the modem auth. I will also be experimenting with VLANs. There would be 4 VLANs - wifi, gaming, lab, and media. Each will be isolated from the others.
-
More than anything else, the relative throughput in these situations is determined by the average packet size. It's better to think of network throughput in packets per second (pps) rather than bits per second (bps). The reason is there is a lot of overhead involved with receiving, decoding/unpacking and handling a given packet.
So the CPU can process 1000 64-byte UDP packets per second and the throughput is 512 kilobits/second (1000 x 64 = 64,000 bytes/sec x 8 = 512,000 bits/sec). Now calculate the throughput if those 1000 packets were each 1500-byte packets. We get 12 megabits/second (1000 x 1500 = 1,500,000 bytes/sec x 8 = 12,000,000 bits/second). These are just simple example numbers. The real packets per second rate of pfSense is of course much higher.
So how this relates to your question is that you need to know the average packet composition in your Internet stream. If you have a lot of really small payload packets, you might never reach Gigabit/second speed. However, if you are downloading a large file from a fast server and it is sending you full 1500-byte payloads in the packets, then achieving Gigabit speeds is possible.
Doing things like VPN will alter this a bit as now you have to account for the encryption/decryption overhead.
The SG-5100 can certainly achieve Gigabit speeds with moderate Snort or Suricata rulesets and typical average packet payloads. As you noted, the number of enabled rules impacts RAM usage, but even more so it impacts throughput. A package like pfBlockerNG is not the same because it is not inspecting almost every single packet like the IDS/IPS is doing.
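The pps-versus-bps arithmetic from the post above, worked into a small capacity-planning helper. This is an added example, not code from the thread or from Netgate; the packet-size mix it uses is the commonly cited "simple IMIX" ratio (7 x 40-byte, 4 x 576-byte, 1 x 1500-byte) and is an assumption, not the mix Netgate used for its table.

```python
"""Relate a box's packet-per-second budget to bits-per-second throughput.

Sizes are treated as bytes on the wire per packet, matching the loose usage
in the thread (no separate accounting for Ethernet preamble/IFG/FCS).
"""
import math

# Constructed mix (bytes, weight) approximating the commonly cited simple IMIX.
SIMPLE_IMIX = [(40, 7), (576, 4), (1500, 1)]

GIGABIT = 1_000_000_000


def throughput_bps(pps, packet_bytes):
    """Bits per second delivered when `pps` packets of `packet_bytes` pass per second."""
    return pps * packet_bytes * 8


def pps_for_bps(target_bps, packet_bytes):
    """Packets per second a device must forward to sustain `target_bps` at this size."""
    return math.ceil(target_bps / (packet_bytes * 8))


def average_packet_size(mix):
    """Weighted mean packet size of a (bytes, weight) mix such as IMIX."""
    total_weight = sum(w for _, w in mix)
    return sum(size * w for size, w in mix) / total_weight


def headroom_ratio(device_pps, target_bps, mix):
    """How many times over (or under) the pps budget is for the target rate at this mix.

    > 1.0 means the forwarding budget covers the target; < 1.0 means it cannot.
    """
    needed = pps_for_bps(target_bps, average_packet_size(mix))
    return device_pps / needed


if __name__ == "__main__":
    # The two worked numbers from the post: 1000 pps at 64 and at 1500 bytes.
    print(throughput_bps(1000, 64), "bps at 64 B")       # 512000
    print(throughput_bps(1000, 1500), "bps at 1500 B")   # 12000000
    # pps required for a full gigabit at small, IMIX-average, and full-size packets.
    for size in (64, average_packet_size(SIMPLE_IMIX), 1500):
        print(f"{size:8.1f} B -> {pps_for_bps(GIGABIT, size):>10,} pps for 1 Gbit/s")
    # Headroom for a box rated at 2 Mpps (the figure quoted later in the thread).
    print(f"2 Mpps headroom at IMIX: {headroom_ratio(2_000_000, GIGABIT, SIMPLE_IMIX):.2f}x")
```

The output shows why the same 2 Mpps budget is comfortably over a gigabit at IMIX or full-size packets but not at a stream of 64-byte packets.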
-
@bmeeks Thanks for the detailed explanation. I do run multiple VMs all of which can connect online so I'd imagine the packet payload is pretty high. My current router is capable of 2 million pps so if the SG-5100 is comparable to that, then it may not be worth the upgrade. I might have to go a step further to Xeon D.
-
@Evanc9126 said in SG-5100 gigabit throughput with UTM packages?:
@bmeeks Thanks for the detailed explanation. I do run multiple VMs all of which can connect online so I'd imagine the packet payload is pretty high. My current router is capable of 2 million pps so if the SG-5100 is comparable to that, then it may not be worth the upgrade. I might have to go a step further to Xeon D.
Here is a link to the Netgate hardware comparison table. This shows (on page 2 of the PDF) all of the current Netgate hardware and what the throughput is for each model with a few different traffic types. The type that likely is most applicable to your case is the one called "IMIX", which is a combination of large and small packets intended to mimic what most production networks would typically see.
https://info.netgate.com/hubfs/website-assets/netgate-hardware-comparison-doc.pdf.