pfSense as a router performance



  • I currently have pfSense running on a Dell R610 as a transparent firewall using two 1gb ports, 1 in and 1 out.

    I want to change the daughter card on the R610 to two 10g and two 1g card so I can upgrade my bandwidth to 2g but also use pfSense as a router as well.

    Has anyone tested pfSense's performance on similar hardware over 1g?

    At what point did performance degrade?

    How hard would it be to change my basic config to have pfSense doing functions of router, firewall, IPS and VPN?


  • Netgate Administrator

    You still plan to run it transparently? That is not routing if so, that is bridging which is a different data path. I'm not sure I've seen any data for bridging above 1Gbps.
    However you can probably make a reasonable guess by looking at the CPU usage across the cores in your current config while pushing 1Gbps and scaling accordingly. Be sure to check from the command line using top aSH so you can see all core usage, you might be hitting a limit on one core.

    Bridged is usually a more complex setup, running as a router/firewall is the default so generally easier. Adding IPS or VPN to that is relatively trivial.

    Steve



  • @stephenw10 At the time I set this up, I did a transparent firewall because I had my network being routed by my ISP. Currently I have a MikroTik as my router into my pfSense running the same as before. I want to eliminate the MikroTik and just have my fiber in one port and fiber out to my switch on the other port. All equipment behind the firewall use global IPs. The router would need to have a global IP from the ISP and then a static route for my own /24. Is that what you're saying is a very basic setup?


  • Netgate Administrator

    Yes.
    pfSense will NAT by default but you can disable that and it will be faster without it.

    https://docs.netgate.com/pfsense/en/latest/book/nat/outbound-nat.html#disabling-outbound-nat

    Steve



  • @stephenw10 Ok, that link for NAT looks straight forward. I think I was editing the post while you responded. What about using the ISP's global IP on the WAN but routing my own /24 network? I was looking for that in the docs but didn't see this specifically mentioned. I'm still intermediate at this. I'll be trying this on a local config then attempting to implement down at the ISP once I have it working.


  • Netgate Administrator

    If the ISP is routing a public subnet to you via some other public IP you can just use that subnet on an internal interface and pfSense will route that traffic.

    https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.html



  • @stephenw10 Just making sure I'm clear on this. I have my own pre-ARIN /24. The ISP assigns me a single IP and I have to set up a static route to handle my /24 amongst my servers behind pfSense. Does that link still apply?


  • Netgate Administrator

As long as that single IP they assign you is outside the /24 then you don't need to add any routes. They would be statically routing the /24 to that IP but pfSense would just route between its interfaces, the single IP on WAN and the /24 on LAN, by default.

    Steve
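The setup Steve describes, as an added example that is not part of the thread: a small model of a pfSense box with the ISP's single IP on WAN, the customer's own /24 on LAN, and outbound NAT either left at its default or disabled, plus a check for the assumptions behind the "no extra routes" answer (WAN address outside the /24, no overlap, NAT off so the globally addressed servers keep their own source addresses). All addresses are constructed from RFC 5737 documentation ranges, not the poster's real allocation, and the class and function names are my own.

```python
"""Model of a routed public /24 behind pfSense (added example, not from the thread).

Scenario: the ISP hands out one public IP on WAN and statically routes the
customer's /24 to it; pfSense only needs that WAN address and the /24 on LAN
and routes between them by default. Outbound NAT, which pfSense enables by
default, must be off or the LAN hosts show up as the WAN address upstream.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Router:
    wan: ipaddress.IPv4Interface        # ISP-assigned single IP with its link prefix
    wan_gateway: ipaddress.IPv4Address  # ISP side of the WAN link
    lan: ipaddress.IPv4Network          # the customer's own public /24
    outbound_nat: bool = True           # pfSense default; the thread says disable it

    def routes(self):
        """Connected routes plus a default route, longest prefix first."""
        table = [
            (self.lan, "LAN", None),
            (self.wan.network, "WAN", None),
            (ipaddress.ip_network("0.0.0.0/0"), "WAN", self.wan_gateway),
        ]
        return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)

    def egress(self, dst):
        """Interface a packet to dst leaves on (longest prefix match)."""
        d = ipaddress.ip_address(dst)
        for net, iface, _gw in self.routes():
            if d in net:
                return iface
        raise ValueError("no route for %s" % dst)

    def forward(self, src, dst):
        """Return (egress interface, source address as the next hop sees it)."""
        s = ipaddress.ip_address(src)
        iface = self.egress(dst)
        if iface == "WAN" and self.outbound_nat and s in self.lan:
            # Default outbound NAT rewrites LAN sources to the WAN address,
            # which defeats the point of having globally routed hosts.
            return iface, str(self.wan.ip)
        return iface, str(s)


def build_router(wan_cidr, wan_gateway, lan_cidr, outbound_nat=True):
    """Convenience constructor taking plain strings (constructed helper)."""
    return Router(
        ipaddress.ip_interface(wan_cidr),
        ipaddress.ip_address(wan_gateway),
        ipaddress.ip_network(lan_cidr, strict=True),
        outbound_nat,
    )


def check_plan(r):
    """List the ways a config departs from the thread's assumptions."""
    problems = []
    if r.wan.ip in r.lan:
        problems.append("WAN address lies inside the /24; the no-extra-routes "
                        "answer assumes it is outside")
    if r.wan.network.overlaps(r.lan):
        problems.append("WAN subnet overlaps the LAN /24")
    if r.wan_gateway not in r.wan.network:
        problems.append("WAN gateway is not on the WAN subnet")
    if r.outbound_nat:
        problems.append("outbound NAT still enabled; LAN hosts would appear "
                        "as the WAN address")
    return problems


if __name__ == "__main__":
    box = build_router("198.51.100.10/30", "198.51.100.9",
                       "203.0.113.0/24", outbound_nat=False)
    print("problems:", check_plan(box) or "none")
    print("LAN host -> internet:", box.forward("203.0.113.77", "192.0.2.1"))
    print("internet -> LAN host:", box.forward("192.0.2.1", "203.0.113.77"))
```

Running `check_plan` on a config with the default outbound NAT left on is the quickest way to see why the NAT link above matters: `forward()` reports the LAN server's traffic leaving with the WAN address instead of its own public one.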

