Is PFSENSE up to the task of being a firewall for a medium sized hosting company



  • I work for a hosting company in the states here and our owner asked us admins to do some research on the open source firewalls and the needed hardware to support an OC-48.

    I am new to pfSense. I will be installing it on a 4-core machine with 4 gigabit NICs and 16 GB of RAM. I know that's overkill, but it is the smallest machine I have available.

    Please leave any suggestions…



  • That level of connection is a bit out of my league, and I seriously doubt that I'll be able to help, but how exactly is it terminated?  I guess what I'm asking is how are you planning on spreading 2.5Gbit/s over 4 Gig-E adapters?



  • I have to think this would be one of the highest bandwidth installations that the forum has seen thus far.  That said, I would check the HCL for 10 gig cards.  If you can terminate into one interface (fiber or copper) I think that pfSense could handle the bandwidth fairly easily with properly scaled hardware.

    As jasonlitka said, this type of connection is way out of my league as well.  My limited knowledge of these things leads me to believe you would need to be using BGP.  I do not know the current status of BGP within pfSense, but that would warrant some research of its own.

    Keep the forum up to date on your findings as this would be a huge victory for the project/devs if you find that pfSense can handle everything you need.

    http://forum.pfsense.org/index.php/topic,7668.0.html
    http://forum.pfsense.org/index.php/topic,21117.0.html



  • @jasonlitka:

    how are you planning on spreading 2.5Gbit/s over 4 Gig-E adapters?

    Each PCI-e lane is capable of 2.5 Gbps (double that on an AMD chipset). Therefore, dual and quad port cards, such as the Pro1000/PT adapters from Intel, require an x4 PCIe slot, which has enough bandwidth to do simultaneous wirespeed on all 4 ports (assuming the rest of the hardware is up to it).

    @mhab12:

    http://forum.pfsense.org/index.php/topic,7668.0.html
    http://forum.pfsense.org/index.php/topic,21117.0.html

    foomanjee has some interesting posts in the first link there, detailing a deployment that would perhaps be in the same league.



  • @thayner:

    I will be installing it on a 4-core machine with 4 gigabit NICs and 16 GB of RAM. I know that's overkill, but it is the smallest machine I have available.

    LOL  :o



  • Issues would be:

    1. State table size - pfSense would max at something over 3 million states due to 32-bit memory address limitations.

    2. pps - 2.5 Gbps pushing 1500-byte packets would be about 200,000 pps, which is doable.  Internet "average" packet size is somewhere around 500 bytes (grown slightly over the years, used to be 300-400, but in this range - see research at caida.org and elsewhere); this would require a pps capacity of about 600,000, which is right at the edge of what high-end commodity hardware can handle.  Realistically a hosting outfit would probably be somewhere in between these numbers.  You should get some figures of what your edge routers are seeing in terms of pps and then evaluate your situation.



  • @thayner:

    I am new to pfSense. I will be installing it on a 4-core machine with 4 gigabit NICs and 16 GB of RAM. I know that's overkill, but it is the smallest machine I have available.

    As far as I know, pfSense is a 32-bit OS, so any memory over 3G is just wasted.

    For what it's worth, I have pfSense running on a quad core 2.6GHz machine with two gigs of RAM, and two Intel gigabit cards (actually, two machines in HA configuration).  The servers are handling well over 1.2 million connections per day with virtually 0% CPU utilization. In addition, they are running the haproxy package for our back-end web server farm. These machines have been rock solid since installation, and we have never noticed any performance issues whatsoever. I'm sure we could easily hit 10 million connections a day and probably never see a CPU spike.

    Because of the type of software we run, I have configured the state table for aggressive mode (short-lived connections).  At any one time, we are probably tracking 3000 active states. Again, we have never noticed any performance problems.

    Hope this helps…



  • @clarknova:

    @jasonlitka:

    how are you planning on spreading 2.5Gbit/s over 4 Gig-E adapters?

    Each PCI-e lane is capable of 2.5 gbps (double that on an AMD chipset). Therefore, dual and quad port cards, such as the Pro1000/PT adapters from Intel, require a 4x pcie slot, which has enough bandwidth to do simultaneous wirespeed on all 4 ports (assuming the rest of the hardware is up to it).

    That wasn't the question I was asking, I know that a PCI-e x4 quad Gig-E card has more than enough bandwidth to do the job.  I was asking how the OP's circuit was terminated such that he was going to take a single 2.5Gbit/s pipe and balance the traffic from it across 4 smaller pipes.



  • Yep. Totally missed that. Sorry for the noise.  :P



  • If you ever try out pfSense with that OC-48 link, please do let us know, as I for one would be very interested in the results.

    It's not that I need my pfSense to do such high bandwidth stuff, it's just that most of us don't have the privilege of such a high connection to play around with, so please, do let us know how our beloved pfSense deals with OC-48, even if you don't use it in production  :)



  • What matters is pps, not bandwidth, so it's hard to say if ~2.5 Gbps is reasonable. I suspect you may be beyond what any general purpose hardware can handle at that scale, at least with filtering enabled. i.e. you can probably route at that speed, but maybe not firewall. 10 Gb NICs, even if only a 1 Gb link on them, will give you better performance at high load.

    Hosting companies are one of the best fits for pfSense in general. There are countless hosting companies with a couple hundred Mbps or less that I'm aware of, many of which I helped design and set up their network. Though 2+ Gbps of Internet traffic through a single box is probably uncharted territory, as far as I'm aware.


  • Rebel Alliance Developer Netgate

    You might also consider some kind of high performance IP router in front, and then multiple pfSense boxes on separate network segments behind to do filtering. For example, have 1/3 of your IP space routed to each of three pfSense boxes from whatever CPE is terminating the OC-48.

