Enterprise Solution



  • I've been exploring this program recently and have found it to not only be rather powerful, but also that many of the people who have successfully set it up seem to think it's amazing.  I work at a local, and poor, community college, and have thus been tasked with finding a solution to replace our current firewall and UTM product, which is a set of stacked Astaro 425s.  As I said, we're a very poor college, so we aren't able to afford a whole lot, and the 425s are no longer enough for our needs. They are continuously pegged at 100% CPU usage, and this causes degradation of internet accessibility for students and staff/faculty members alike.  It really only happens during peak hours, but we're never able to utilize the full bandwidth of the 100 Mbit link given to us by our ISP.

    I believe the problem with the current Astaro system is that the 425s cannot handle the thousands of simultaneous connections between students and community members on the campus. I think 525s would work for our situation, as they were tested before I started in my position and they were more than enough for the given situation.  My question is, does anyone have success working with pfSense on such an enterprise scale? I'm sure that it's been done before, but I'm looking for experiences in the enterprise environment to see what other pitfalls people may have found before me. The Astaro is also set up to use PPTP (I know), NAT masquerading, and site-to-site VPNs, all of which I believe are built into pfSense, but I figured I would just ask to see what kind of success enterprise-level sysadmins have encountered with this before trying to commit time to it.

    Thank you to anyone who has any advice for this and I hope that this does prove to be a solution for us.



  • Probably you have found the sizing guide on the pfsense page:
    http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

    It will probably tell you what CPU is needed and how much RAM the firewall state table will consume.
    Using any VPN solution will increase the need for a faster CPU.

    I am sorry that I cannot give you any hints on such an environment, but perhaps it will give you a point to start from to find the correct hardware.
    People here often use Alix boards to accomplish their needs.



  • I run multiple pfsense machines in some schools.

    One of them is a high school with around 200 desktop computers.

    - There is a remote-access OpenVPN for staff.
    - There is a WiFi captive portal linked to Active Directory, providing students with free WiFi using their AD login (around 60 simultaneous WiFi users at any given time).
    - There is also a Squid with around 1 GB of RAM for caching.
    - We have no layer-3-capable switches, so the pfSense handles all inter-VLAN routing.
    It runs as a VM on ESXi 5 on a Dell R310 system with a 2.2 GHz quad-core Xeon, 8 GB RAM and a quad-port Intel adapter.
    The host machine has some other VMs running without too much load (some network monitoring, LAMP for development purposes, etc.).

    The CPU usage (measured in the ESXi console) rarely goes over 25% (this when pushing 1 Gbit from one VLAN to another).

    If you want more performance with less hardware, then you should run it bare-metal instead of virtualized.



  • The nice thing about pfSense is that it runs on standard PC hardware. You can try it out with an "old piece of junk" (just plug in another NIC, or whatever number you think you'll need) - or even your current PC, using the Live CD. Preconfigure it, then swap network cables from your 425.

    For a 100 MBit line, I use an Atom D2500CC with Intel GbE NICs. With 2 GB of RAM it can handle lots of concurrent connections… I think the default state table size for this amount of RAM is 197000, but it can be increased (with the default setting, total memory usage is at 10%, I think).

    I do not know which IPsec/PPTP throughput the D2500CC will achieve - for me, the limit is the 10 Mbit connection on the other side; CPU load appears to be insignificant at this speed.

    There might of course be other requirements on your side which result in increased hardware demands. Do you, for example, need Layer 7 filtering?
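    The state-table figure quoted above (197000 states for 2 GB of RAM, about 10% of memory) is the check the original poster needs against "thousands of simultaneous connections": when the table fills, pf drops new connections, which looks exactly like the peak-hour degradation described. The script below is an added example, not code from the pfSense project or from anyone in this thread. It assumes the default-limit formula that pfSense 2.x uses (physical RAM in MB divided by 10, times 1000, i.e. roughly 1 KB per state) and parses constructed sample text in the format of `pfctl -s info` and `pfctl -s memory`; the sample numbers are made up for illustration.

```python
"""pf state-table sizing check (added example; not from the pfSense project).

Assumptions, labelled as such:
  * pfSense 2.x derives its default "Firewall Maximum States" as
    (physical RAM in MB // 10) * 1000, i.e. about 10% of RAM at ~1 KB per
    state. 1970 MB of usable RAM therefore yields 197000 states.
  * SAMPLE_INFO / SAMPLE_MEMORY are CONSTRUCTED text in the format of
    `pfctl -s info` and `pfctl -s memory`, not captures from a real box.
"""
import re

STATE_BYTES = 1024  # rough per-state cost behind the 10%-of-RAM rule (assumption)


def default_max_states(physmem_mb: int) -> int:
    """Default pf state limit pfSense computes from physical memory (assumed formula)."""
    return (physmem_mb // 10) * 1000


def state_table_bytes(max_states: int, per_state: int = STATE_BYTES) -> int:
    """Approximate RAM the full state table would occupy."""
    return max_states * per_state


def parse_pfctl_info(text: str) -> int:
    """Return the 'current entries' count from `pfctl -s info` output."""
    m = re.search(r"current entries\s+(\d+)", text)
    if not m:
        raise ValueError("no 'current entries' line in pfctl -s info output")
    return int(m.group(1))


def parse_pfctl_memory(text: str) -> int:
    """Return the 'states hard limit' from `pfctl -s memory` output."""
    m = re.search(r"^states\s+hard limit\s+(\d+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'states hard limit' line in pfctl -s memory output")
    return int(m.group(1))


def assess(current: int, limit: int, warn_at: float = 0.8) -> dict:
    """State-table utilisation. Above warn_at, a traffic burst can fill the
    table and pf starts refusing new connections: a self-inflicted DoS."""
    util = current / limit
    return {
        "current": current,
        "limit": limit,
        "utilisation": round(util, 3),
        "warning": util >= warn_at,
    }


# Constructed sample output (not real captures).
SAMPLE_INFO = """\
Status: Enabled for 3 days 04:12:33           Debug: Urgent

State Table                          Total             Rate
  current entries                   164230
  searches                       912345678         4213.0/s
  inserts                         12345678           58.0/s
  removals                        12181448           57.0/s
"""

SAMPLE_MEMORY = """\
states        hard limit   197000
src-nodes     hard limit   197000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
"""

if __name__ == "__main__":
    limit = parse_pfctl_memory(SAMPLE_MEMORY)
    current = parse_pfctl_info(SAMPLE_INFO)
    print(assess(current, limit))
    # What the default limit would be on a few box sizes mentioned in the thread.
    for ram_mb in (1970, 8192, 24576):
        n = default_max_states(ram_mb)
        print(f"{ram_mb} MB RAM -> default {n} states, ~{state_table_bytes(n) // 2**20} MB")
```

On a live box, feed the real `pfctl -s info` and `pfctl -s memory` output to the two parsers instead of the samples; if utilisation sits near the limit during peak hours, raising Firewall Maximum States (and the RAM behind it) is the first thing to size, before buying CPU.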



  • You don't give many details, but pfsense does offer similar functionality to Astaro (and quite a bit more in certain areas). Where pfsense lags compared to most commercial "UTM" offerings is that the latter typically offer an integrated content-filter / antivirus functionality.

    Have a look at the following presentations about PF scaling (note: for OpenBSD)
    http://www.openbsd.org/papers/lca2011-dlg.pdf by David Gwynne (pf firewalls used at University of Queensland AU)
    http://www.alba.st/docs/bakeca_ddos.pdf



  • @Nachtfalke:

    Probably you have found the sizing guide on the pfsense page:
    http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

    It will probably tell you what CPU is needed and how much RAM the firewall state table will consume.
    Using any VPN solution will increase the need of a faster CPU.

    I am sorry that I cannot give you any hints on such an environment but perhaps it will give you a point to start to find the correct hardware.
    Perople here are often using Alix Boards to acomplish their needs.

    Thanks for the information! I did see the table, and I believe anything we put it on that we have currently should be able to handle the load. We'd probably look to purchase a brand new server to house this anyway. Again, thanks for the info!

    @heper:

    I run multiple pfsense machines in some schools.

    One of them is a high school with around 200 desktop computers.

    - There is a remote-access OpenVPN for staff.
    - There is a WiFi captive portal linked to Active Directory, providing students with free WiFi using their AD login (around 60 simultaneous WiFi users at any given time).
    - There is also a Squid with around 1 GB of RAM for caching.
    - We have no layer-3-capable switches, so the pfSense handles all inter-VLAN routing.
    It runs as a VM on ESXi 5 on a Dell R310 system with a 2.2 GHz quad-core Xeon, 8 GB RAM and a quad-port Intel adapter.
    The host machine has some other VMs running without too much load (some network monitoring, LAMP for development purposes, etc.).

    The CPU usage (measured in the ESXi console) rarely goes over 25% (this when pushing 1 Gbit from one VLAN to another).

    If you want more performance with less hardware, then you should run it bare-metal instead of virtualized.

    I think we'd be looking at a bare-metal installation to help with the performance. Does your unit do Layer 7 filtering for your sites? Or anything UTM, for that matter?

    @Klaws:

    The nice thing about pfSense is that it runs on standard PC hardware. You can try it out with an "old piece of junk" (just plug in another NIC, or whatever number you think you'll need) - or even your current PC, using the Live CD. Preconfigure it, then swap network cables from your 425.

    For a 100 MBit line, I use an Atom D2500CC with Intel GbE NICs. With 2 GB of RAM it can handle lots of concurrent connections… I think the default state table size for this amount of RAM is 197000, but it can be increased (with the default setting, total memory usage is at 10%, I think).

    I do not know which IPsec/PPTP throughput the D2500CC will achieve - for me, the limit is the 10 Mbit connection on the other side; CPU load appears to be insignificant at this speed.

    There might of course be other requirements on your side which result in increased hardware demands. Do you, for example, need Layer 7 filtering?

    We'd probably want Layer 7 filtering, though I'm actually not sure if we have it on the current Astaro setup. It would really depend on whether it's currently in our Astaro firewall or not. If it's not, we'd probably look into it, but wouldn't find it necessary if it came to it. Do you use it? If so, how well does it work?

    @dhatz:

    You don't give many details, but pfsense does offer similar functionality to Astaro (and quite a bit more in certain areas). Where pfsense lags compared to most commercial "UTM" offerings is that the latter typically offer an integrated content-filter / antivirus functionality.

    Have a look at the following presentations about PF scaling (note: for OpenBSD)
    http://www.openbsd.org/papers/lca2011-dlg.pdf by David Gwynne (pf firewalls used at University of Queensland AU)
    http://www.alba.st/docs/bakeca_ddos.pdf

    Sorry about that! I just don't want to get in 'trouble' for saying something I shouldn't, I suppose, not that I think any of the information I really would say is 'confidential.' We do have about 3,000 users on the campus split amongst faculty, staff, students, and 'special cases.'  I think that there would never be more than 700 people on at any given time, and that's still quite an overestimation in regards to what I believe is actually used.  I'm not sure if you have the time, but could you give a brief description of the comparison that a corporate product like Astaro's UTM would have against pfSense? Thank you for the links as well! I shall be looking at them as soon as I get the chance.



  • Ensure your wireless APs are not the bottleneck. Maybe they are part of the problem. I would recommend you do some analysis on the wireless end of your network.

    For 700+ concurrent users I presume you are looking for IDS, Squid, etc. Go for a Xeon processor with 16-24 GB RAM to start with.



  • @asterix:

    Ensure your wireless APs are not the bottleneck. Maybe they are part of the problem. I would recommend you do some analysis on the wireless end of your network.

    For 700+ concurrent users I presume you are looking for IDS, Squid, etc. Go for a Xeon processor with 16-24 GB RAM to start with.

    We'd probably be looking at dual Xeons with 24 GB of RAM being the low end of what we would actually purchase, so it's good to hear that it 'should' work for us with those specs.  Do you have any suggestions for how to analyze the wireless portion as you have suggested? I ask because, unfortunately, the wireless solution for this campus is that we have a bunch of WAPs around the campus that are not really connected to each other in any way; they're just sort of there, giving wireless over their own VLAN. We're looking for a better enterprise solution, possibly one completely on our ISP's end that they would take care of, but again money has been the deciding factor here.



  • No, no Layer 7.

    What do you want to do with Layer 7? I gave up trying to block certain apps with Layer 7; students will find a way to get past it (setting up VPN tunnels / paid proxies / …).
    What I do is set a fixed bandwidth per user for my student WiFi, so it won't slow down everything else that really matters.

    On the devices we manage ourselves, we restrict the machines themselves and don't try to find a way to do the same with Layer 7 filtering.



  • @meatwad819:

    We'd probably be looking at dual Xeons with 24 GB of RAM….

    I'm sorry, I gotta go, but I've seen a Turkish admin here on the forum handling 7500 students with a comparable server.



  • You need to deploy Cisco Aironet 1140 or 1240 series APs. You will get them cheap on eBay. You can control them centrally through a WLAN controller and run reports on their activity.

    Add in a managed switch for multiple VLANs and provide separate VLANs for students and faculty. This way you can monitor the network activity and control network bandwidth where needed.



  • I agree with asterix. While the Aironet APs are not the most admin-friendly on the market (I vaguely remember issues with setting up roaming correctly), they work reliably. Unlike the "Linksys by Cisco" AP stuff, which reliably fails.

    Concerning Layer 7 filtering: it increases CPU usage but does little to increase security. I prefer not to use it, but your bosses might have a different point of view. If management decides that they want Layer 7 filtering, your hardware requirements will rise by an order of magnitude.

    In my opinion, overly restrictive firewalls will only teach better "hacking skills". Especially in a school/university environment, where information about circumvention of restrictions is communicated very efficiently (among the users, not towards the administration).

    Virus scanners on the firewall don't make sense if users are allowed to bring their own hardware into the network. If there has to be traffic between the guest WiFi network and the "production network", you should concentrate your efforts on this interface. However, this access path doesn't really need to be more hack-proof than the one from the public internet.

