Netgate Discussion Forum

    Suggested Hardware for 1Gbit Throughput / 100% working Hardware-Suggestion

    • CryoGenID

      Jonb,

      regarding the bridge: You have to activate it manually. Per default it is deactivated!

      Regarding the CPU:
      Well, I think it is a combination of everything. Like when we test the throughput and have around 526 MBit/second with 130 kbyte TCP packets, our CPU is at 70% (tested on an old P-III with 1.3 GHz and 3 GB RAM).
      So the new system will have the power of not only handling the throughput but also (if needed later) AV scans etc.  :)

      Best regards,

      Chris

      • Jonb

        Sorry, I should clarify it better. What I meant is that if you enable the bridge over two connections on pfSense, it will not pass the packets through the firewall rules. Like hoba said, you can enable it in the advanced section of the setup. Is this something you have done, or are you just trying to get the firewall to act as a hub?

        @CryoGenID:

        Jonb,

        regarding the bridge: You have to activate it manually. Per default it is deactivated!

        Regarding the CPU:
        Well, I think it is a combination of everything. Like when we test the throughput and have around 526 MBit/second with 130 kbyte TCP packets, our CPU is at 70% (tested on an old P-III with 1.3 GHz and 3 GB RAM).
        So the new system will have the power of not only handling the throughput but also (if needed later) AV scans etc.  :)

        Best regards,

        Chris

        Hosted desktops and servers with support without complication.
        www.blueskysystems.co.uk

        • CryoGenID

          Hey ;-)

          Yes, of course a bridge uses the firewall rules  :)

          That's what a bridge is for… It sits transparently in front of your servers and only lets those packets through which are allowed...

          Or did I get you wrong again  ;D

          We are currently using pfSense as a transparent FW (as a bridge) between OPT1 and WAN...

          • Jonb

            System -> Advanced, then on that page you will see:

            Enable filtering bridge
            This will cause bridged packets to pass through the packet filter in the same way as routed packets do (by default bridged packets are always passed). If you enable this option, you'll have to add filter rules to selectively permit traffic from bridged interfaces.

            The way I read that, the firewall will only apply if you put a tick in that box, which isn't there by default.

              • CryoGenID

              Ah NOW I think I get you  ;D
              I was thinking the other way around all the time  ;)
              So what you want to say is if I disable that option (and all packets are simply put through pfSense without
              checking) I should try and find out what happens?

                • Jonb

                Yes, if you disable the firewall for the bridge, then you can see what throughput you can achieve straight through the NIC. If it is still bad, then you could maybe say it is more of a hardware/software issue with the actual routing/connection side of pfSense. If it is good, then it points to firewall/processor problems.

                If any of the devs say I am wrong here, please say :)

                  • CryoGenID

                  Sure,

                  but for us the bridged traffic counts… so we'll do all the tests with bridging enabled  ;)

                  So we're now waiting for the new server...  :)

                  Best regards,

                  Chris

                    • Jonb

                    Technically it should work on the blade server. I would enable the bridge and make sure that there is no firewall active on the bridge and see what you get.

                      • databeestje

                      I use Dell PowerEdge 850 and 860 CARP clusters.

                      They have 6 GE ports: 2 Broadcom (better not use those too much) and 2 dual-port Intel E1000 NICs.
                      They should do fine; I use it as an internal VLAN router/firewall.

                      A basic Dell PE 860 with the cheapest processor, 1 GB RAM and a disk costs between 1000 and 1200 with the Dell account manager.

                      I have not done any benchmarking, but it looks to push at least a couple hundred megabits and the monitoring system is not complaining.

                        • SatireWolf

                        While I haven't messed around with the bridging interface on pfSense much, I do know that the first thing I do with a pfSense box is set the states table to 10-25x the default value, and set the state timeout to conservative. This ensures that all 'not-well-behaved' protocols and apps still work properly. Also, since I always use 1 GB of RAM minimum, this is completely acceptable.

                          • SatireWolf

                          Just a thought, could those massively delayed packets be retransmits caused by the state table in your firewall overflowing? (well technically just filling up and waiting for connections to timeout in the state table).

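Added example, not part of the thread and not pfSense's own code: a shell check for the hypothesis in the last post, comparing pf's current state count with its hard limit and reading the `memory` drop counter. The `pfctl -si` / `pfctl -sm` sample text below is constructed, and the function names and the 80% warning threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample of `pfctl -si` output (trimmed); not taken from the thread.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                     9987
  searches                        48211930        12041.2/s
  inserts                           731204          182.6/s
  removals                          721217          180.1/s
Counters
  match                             912455          227.9/s
  memory                              4312            1.1/s
  state-limit                            0            0.0/s'

# Constructed sample of `pfctl -sm` output.
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# state_entries: read `pfctl -si` text on stdin, print the current state count.
state_entries() { awk '$1=="current" && $2=="entries" {print $3; exit}'; }

# state_limit: read `pfctl -sm` text on stdin, print the states hard limit.
state_limit() { awk '$1=="states" && $2=="hard" {print $4; exit}'; }

# memory_drops: packets dropped because pf could not allocate memory,
# which includes failing to create a new state once the table is full.
memory_drops() { awk '$1=="memory" {print $2; exit}'; }

# state_report INFO LIMITS [WARN_PCT]: print utilisation and a verdict.
# Returns 0 for OK, 1 for WARN, 2 when the input could not be parsed.
state_report() {
    cur=$(printf '%s\n' "$1" | state_entries)
    max=$(printf '%s\n' "$2" | state_limit)
    drops=$(printf '%s\n' "$1" | memory_drops)
    warn=${3:-80}    # assumed warning threshold, in percent
    [ -n "$cur" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || { echo "UNKNOWN"; return 2; }
    pct=$((cur * 100 / max))
    if [ "$pct" -ge "$warn" ] || [ "${drops:-0}" -gt 0 ]; then
        echo "WARN states=$cur/$max (${pct}%) memory_drops=${drops:-0}"
        return 1
    fi
    echo "OK states=$cur/$max (${pct}%) memory_drops=${drops:-0}"
}

state_report "$SAMPLE_INFO" "$SAMPLE_LIMITS" || true
# On a live firewall: state_report "$(pfctl -si)" "$(pfctl -sm)"
```

A state count sitting at the limit together with a rising `memory` counter during the throughput test would support the retransmit explanation; a low count with zero drops points elsewhere.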