Advice on new network



  • Hello all,

    I would like to ask for advice, with an aim to understanding which of my two suggested configurations would provide me with the best (fastest) performance. (It might also be that both my suggestions need important changes, and would be happy to hear about that too!)

    Network connection
    1GB nic from ISP with 50MB down, 5MB up internet (and 3 static ips)

    Hardware currently available:
    Compaq DL320 (P3 1ghz, 1Gb ECC ram, 2x builtin 100mb ports, 1x dlink pci 1gb card)
    Dlink 1gb switch (DGS-1005D)

    Computers to connect
    Webserver with 1gb nic
    Mailserver with 1gb nic
    Pfsense with Freeswitch running (on above mentioned DL320)
    Various LAN pc's

    Idea 1)

    WAN –> 1gb switch --> 1gb nic on webserver with static ip1 (and own iptables firewall)
                                  --> 1gb nic on mailserver with static ip2 (and own iptables firewall)
                                  --> 1gb nic on pfsense with static ip3 (and freeswitch + nat sharing of lan pc's)
                                        (out from pfsense on 100mb nic1 to LAN)

    Idea 2)

    WAN --> pfsense 100mb nic/multiWAN out on 1gb nic1 to dmz

    --> 1gb dmz switch --> webserver (local ip mapped to public static)
                                --> mailserver (local ip mapped to public static)

    --> out on 100mb nic 2 to LAN

    I hope all this makes sense. I think that if the pfsense firewall on my "old" DL320 would be just as fast as using the 1gb switch first (as idea1), then idea2 would be easy to administer from a firewall point of view. But if I would noticable speed benefit from idea1, then it would be worth the extra firewall "work" for me !

    If idea2 would be cool, but only if I had 2 1gb nics on that server (so in from wan and out to dmz switch) then I could buy a dual port 1gb card. But as the internet is max 50mb anyhow, then surely the 100mb card is more than enough on the wan side??



  • Idea 1): I presume you mean the webserver and mailserver would each have their own firewall. So, three firewalls to manage. OK if you like managing firewalls :-)
    No gain from using gigabit NICs unless you have some heavy duty communication between the webserver and mailserver.

    I prefer idea 2: one place to set firewall rules, one place to log firewall rule violations. I presume there is some kind of switch on the LAN side. Depending on how much communication there will be between LAN and DMZ, 100Mb NICs are probably ample in both places, but if you already have the gigabit NIC by all means use it.



  • Thank you wallabybob.

    You are right that the individual servers are firewalled.

    Putting that aside and thinking about my main question about performance…

    Am I right to think that:

    There would be no performance gain in using a "switch" for the dmz before the pfsense because the pfsense can handle just as much throughput as the switch, if not more. And the 1GB WAN connection is irrelevant because the maximum 50MB speed I get means that a 100MB nic would already be double what I need!

    In "Idea 1" the pfsense would only deal with the load of the LAN (and the voip to freeswitch too)

    In "Idea 2" the pfsense would need to deal with the load of all dmz servers (ie. web & email), as well as the lan/voip stuff

    Logically I was thinking that to move some of the load off pfsense (ie. the web and mail servers hook directly to the internet via the switch), this might improve performance as the data would need to pass through one less stage (ie. not being natted and filtered at pfsense).

    But if pfsense can handle that without performance issues, then I would have to agree Idea2 would mean simpler admin, and perhaps improved security and bandwidth control.

    .. Maybe the question is that IF I built the pfsense server with 3 100MB nics. (1 to WAN, 1 to DMZ, 1 to LAN), does this mean that the server could handle 100MB/s traffic from WAN to DMZ, DMZ to LAN and LAN to WAN simulaneously ? (Although obviously the traffic going to WAN would be limited by the ISP to max 50MB)

    Perhaps I am being a little nervous with my deployment; I really appreciate any feedback !

    Thank you.



  • I suspect your proposed system would easily handle 2 x 100Mbps links plus 1 x 50Mbps link provided the data doesn't include "too many" small packets. (Since these systems tend to see an interrupt request for a small number of packets and there is substantial overhead for processing a packet, regardless of its size, 100Mbps of "small" packets requires considerably more CPU processing than 100Mbps of large packets).

    I suggest you implement idea 2 and take some measurements (top or systat) to see how much processing is used with your "typical" load mix.



  • Thank you again Wallabybob.

    Your reply makes it clear for me, and also made a "penny drop"…

    Previously I had read the details about minimum specs/sizing at:
    http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

    .. but I did not really understand the throughput considerations. Now with your description I suddenly "get it".

    I will go with idea2 and monitor it as you say. If my cpu shows too much load, obviously I can move to faster hardware. Otherwise, I should be all ok up to peak 200MB/s

    :very happy:


Log in to reply