Minimum requirements for 100 users



  • For a LAN party we are considering running pfSense on a separate desktop PC to serve as our router. We expect a total of around 100 players, all playing simultaneously. We will use it as a load balancer for 2 connections to our ISP (2x 100mbit), and as a traffic shaper/firewall/…

    The desktop has the following specifications:

    Intel i3 2100
    4/8 GB DDR3 1333 MHz
    3x gigabit PCI ethernet cards
    pfSense on USB3 or Raptor drive

    At the last LAN party we had problems with our network because we could not simulate this kind of traffic. Is there anyone who has experience with pfSense and this number of users? Or who could give us advice on how to test this software router? Will this hardware be able to handle the traffic?



  • I regularly go to a LAN with about 400 users that uses pfSense on a commodity box to load balance between 2x 100Mb Comcast connections.  I don't know the exact hardware they use, but I'm pretty sure it's nothing exotic, although probably halfway decent older server gear.

    We're actually having the LAN this coming weekend, I'll check with the network team to see what exactly their hardware is.

    I do know that Sonicwalls (fairly large ones) and a number of other hardware routers have all failed with the load we place on them.  They also had some other Linux-based router that was closest to working, but couldn't load balance the uplinks.  Switching to pfSense has been great.

    I also know that they not only try to block P2P, but will actively kick users (MAC addresses) found to be torrenting, and that includes game updates that look like torrenting.  We keep a local server with as many patches as we can reasonably be aware of.



  • Well, for a company I set up that has more than 100 users, a Watchguard X700 was more than capable, and that's only a Celeron 1.2 GHz 256MB PC133.

    So anything higher would be a bonus!

    http://forum.pfsense.org/index.php/topic,7458.0.html



  • How is the Watchguard handling 100 users with a 1.2 GHz Celeron, when the Celeron in my PC-based pfSense box runs at 1.7 GHz and is overclocked to 1.85 GHz? When I download from a torrent with one client at 6-7mb/s it has 80-90% utilization while another 2 clients are idle… I think it is too little for 100 users...



  • @craigduff:

    Well, for a company I set up that has more than 100 users, a Watchguard X700 was more than capable, and that's only a Celeron 1.2 GHz 256MB PC133.

    So anything higher would be a bonus!

    http://forum.pfsense.org/index.php/topic,7458.0.html

    No offence, but employees at a standard company have different internet needs/habits than gamers at a LAN party.


  • Netgate Administrator

    Agreed. 100 LAN party users are probably going to max out your connection, whatever it is. Really, the number of users is nowhere near as important as the bandwidth of your WAN when it comes to hardware sizing.

    @bmironb I assume you mean 6-7 Mega Bytes per second? Even so that seems quite poor performance for an X700. Torrents are more demanding than other traffic due to the high number of connections. Are you running packages?
    It would not cope in this scenario though.

    In reply to the original question, an i3 2100 should be fine.

    Steve



  • Yes, 6-7mbps. I was just pointing out the difference… between processors. I agree with the system that will be used from the first post.

    Thanks.



  • Thanks for the replies guys. So what I have learned up till now is:

    • CPU should be fine
    • The more RAM, the more for Squid to cache
    • High load handling would depend on the NICs?

    I was not planning on buying any expensive NICs, I thought of buying these: http://www.intel.com/products/desktop/adapters/pro1000gt/pro1000gt-overview.htm

    I have read a lot about great Intel NICs but I don't think they meant these cheap ones :)

    Are there any other suggested packages to install other than squid?


  • Netgate Administrator

    I would expect the majority of your traffic will be non-cacheable. The stuff you could usefully cache with Squid would be game updates, Windows updates, AV updates etc. However, those are often special cases requiring some custom tuning of Squid. Make sure that is working if you are going to run Squid, otherwise it may just be an overhead you don't need.
    You will almost certainly have to consider some traffic shaping with that many users. It's beyond my expertise. Probably worth a separate question in the traffic shaping subforum.

    Steve



  • @ordos:

    Thanks for the replies guys. So what I have learned up till now is:

    • CPU should be fine
    • The more RAM, the more for Squid to cache
    • High load handling would depend on the NICs?

    I was not planning on buying any expensive NICs, I thought of buying these: http://www.intel.com/products/desktop/adapters/pro1000gt/pro1000gt-overview.htm

    I have read a lot about great Intel NICs but I don't think they meant these cheap ones :)

    Are there any other suggested packages to install other than squid?

    The problem with the ProGT's is not the card itself, it's when you try to put multiple of them on a single PCI Bus.  The PCI Bus has a theoretical maximum of 133MB/s, but you won't see that.  More like 60MB/s max.  That would be fine if you're just using those cards for the uplinks to your 100Mb/s internet uplinks.  Of course, at that point, you could probably be fine with 10/100 PCI cards.

    I would assume your i3 motherboard has onboard network, and if it's decent, try that.  Otherwise, get a fairly inexpensive PCI-Express Intel card, even a desktop style Intel card can push a lot of data.

    The main difference that I usually see with the server end of Intel cards is taking care of more of the data handling rather than offloading that to the processor.  That can be handy with lower powered machines, but probably not so much an issue with what you're trying to do.  But, again, the price difference between a Desktop Gigabit PCI-Express card and a Server version of the same card is about $50 ($35 Vs. $84 on Newegg, or $88 if you want a pretty box.)

    Or, look on eBay for Quad Port, PCI-Express, Intel Gigabit cards, you can usually find 'em for less than $150.  Or a couple Dual Port Gigabit Intel PCI-Express cards for even cheaper.

    You've got a lot of options, but I certainly wouldn't put your Gigabit LAN interface on a PCI Bus shared with 2 others.

    If it were me, I'd probably see what the onboard Network is like on the board and go to my local computer parts recycler and pick up 3 or 4 cheap, used Intel 10/100 PCI cards (extra, in case one's DOA).  Use the 10/100's for 2x WAN uplinks, use the onboard for the LAN side.  If the onboard sucks, pick up a cheap PCI-Express Intel Gigabit card (or, pick one up anyway, 'cause it'll be hard to test too much before the LAN.)



  • I did not know the PCI express cards were better! Thanks a lot, I will probably buy one of these

    Will the difference in price be worth the performance difference?



  • @ordos:

    I did not know the PCI express cards were better! Thanks a lot, I will probably buy one of these

    Will the difference in price be worth the performance difference?

    Only you can tell us that, and it might be only after testing that you'll know.  It's right at the point where it's not a whole lot in sheer dollars, but we also don't know what kind of budget you're looking at.  If there's a certain amount of budget for CYA expenditures, it might be worth it for the peace of mind.

    Back to the original question, though, an i3 is probably fine.  I was talking to our guys here and while they're running a server with Dual Sockets of Quad Core procs, they're currently seeing 16,000 session states and they're running at about 20% processor utilization, that's with 400 LAN seats, a bunch of phones and such on wireless, and 20+ consoles (Xbox, PlayStation, etc.)

    In theory, your i3 should have about 1/4 the processing power, but it also sounds like you're looking to support 1/4 the number of users we're seeing.  I'd think you'd be ok if you're not trying to do a bunch with it.  We do some traffic shaping, but no caching.



  • Thank you for your reply! We have a limited budget, and the costs for the router are actually coming out of my own pocket :p

    I have looked in the traffic shaping page of pfSense, but found it hard to figure out how to actually do traffic shaping :s All I want to do is block most ports except the ones we are using, and then prioritize every gaming port over port 80.



  • Blocking/allowing can be done easily: just create two port aliases, name them "allowed" and "blocked" respectively (or something similar), and add the ports you need to them.

    After that, go to firewall-rules and add rules with the aliases.

    Modification of already-made traffic shaping rules was done from Floating-rules



  • @ordos:

    Will the difference in price be worth the performance difference?

    I think the CT is a newer card that replaced the PT. I don't know what, if any, difference you will see. I have a PT and it works fine.

    As for throughput, the i3 should have no problem pushing gigabit speeds in a real-world scenario, as long as you're not trying to do encrypted tunnels or snort.

    Having large numbers of users or states will increase your RAM needs, but not to the extent you might expect. I have over 300 users on my system (although not concurrent users, admittedly), my state table size peaks over 40,000 daily, and my reported memory usage has never hit 20% on a 4GB system.

    If you go with squid then you'll want more RAM. If you're doing this out of pocket for a LAN party then my advice is to skip squid and settle for 1 or 2 GB of RAM and a low-cost i3.



  • Some type of NIC aggregation might be appropriate here too.

    Enough of these will saturate your FSB, even though they are PCIx cards:

    http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=251084127667

