Hardware Specs for Gbit and 300 Hosts
-
Hi,
I need to build a Firewall HA Solution with pfSense, 1 GBit Connection, about 300 permanent Hosts.
What hardware specs do I need to provide this pfSense?
-
Can an Intel Xeon 2-Core E3-1220LV2 2,3GHz 3MB 5GT/s with 8 GB RAM handle this?
Or better take an Intel Xeon 4-Core E3-1265LV2 2,5GHz 8MB 5GT/s?
-
You may want to start by reading the obviously titled hardware sizing guidance linked off the pfSense home page, before searching the forum for what other people have experience of.
-
Even the entry level Sandy Bridge processors (G530 G620 etc) can achieve gigabit throughput so I would think you'd have no trouble with the E3-1220. Never tried one personally though. That would be a rating for firewall/NAT only. Use Intel NICs.
The number of users is usually not nearly as important as throughput unless you use some application that requires a particularly large number of connections. Assuming, say, 100 connections per user, 30000 states is nothing for pfSense. You could do that with 2GB.
Obviously you'll need two boxes for HA.
Steve
-
> Can an Intel Xeon 2-Core E3-1220LV2 2,3GHz 3MB 5GT/s with 8 GB RAM handle this?
> Or better take an Intel Xeon 4-Core E3-1265LV2 2,5GHz 8MB 5GT/s?
Unless you're using Squid, Snort, etc., the dual-core is likely to be the better choice as many of the components of pfSense are single-threaded. 8GB of RAM is also overkill unless, again, you're using snort or squid, or unless you've got hundreds of thousands of states.
To do HA you're going to need two boxes. They don't need to be identical, but it will probably help you out in the long run if they are. Make sure you plan for a dedicated NIC for traffic between them.
-
> > Can an Intel Xeon 2-Core E3-1220LV2 2,3GHz 3MB 5GT/s with 8 GB RAM handle this?
> > Or better take an Intel Xeon 4-Core E3-1265LV2 2,5GHz 8MB 5GT/s?
> Unless you're using Squid, Snort, etc., the dual-core is likely to be the better choice as many of the components of pfSense are single-threaded. 8GB of RAM is also overkill unless, again, you're using snort or squid, or unless you've got hundreds of thousands of states.
> To do HA you're going to need two boxes. They don't need to be identical, but it will probably help you out in the long run if they are. Make sure you plan for a dedicated NIC for traffic between them.
Also some systems will let you limit active cores and therefore run in turbo mode which can gain you a bit, as well as disabling HT as it typically won't help you on pfSense.
We use E3-1280V2's and they work just fine, with HT disabled as 4 cores is plenty.