Advice on HW & PPS-performance for datacenter HA pair

Hi there,

Thanks to MikeX for his post, as cmb answered quite a few interesting things that were also on my mind (->,58780.0.html)
Perhaps he can once again pour his knowledge into this thread, as I didn't want to capture Mike's.

We are currently evaluating our new firewall at our datacenter location. ATM those are a pair of Junipers, but as most of you know, they charge quite a lot, and for that money I'd get a pair of very decent-sized DELL/IBM/HP servers to run pfSense on. My boss is extremely interested in the project and is on the edge of going the PFS way (even considering a commercial subscription), but there are a few points bugging him, so I thought maybe you guys could give some insights:

• He read that the packet filter still runs on only a single core and isn't multi-threaded. As I was researching that, I haven't found any clue whether that's still the case in 2.0 or 2.1 (FreeBSD 8.3).

  • If that's still the case, what would be a decent choice of server hardware for a scenario of a dual HA datacenter pair connected to 2x 1 GBit/s uplinks and filtering quite a few VLANs as internal gateway?
  • Or, put another way: Is it possible to run around 300,000 pps (packets per second) without sweating too much and still have a bit of power left in case it gets heavy (DDoS or anything)?

He was thinking along the lines of an IBM System x3550 M4. ATM they don't have to handle BGP for our IP range(s), but it would be a nice addition if they could handle that too.

Any numbers for me and my boss to play around with? Would be really appreciated!


Any help on the numbers? Or advice on systems that have nearly enough power to compete with Juniper SRX550s?

• A new server will perform at least comparably, and significantly better in some specs, than an SRX550. One of the most important specs for a datacenter setup, maximum connections, is only 375K with an SRX550. With just 4 GB RAM with pfSense you're an order of magnitude more scalable than the Juniper, 3.75 million vs. 375K simultaneous connections.

The rest in general I explained in the linked thread.

Hi Chris,

thank you very much for your response. The connection issue is one side, but as I outlined, my boss is more concerned about the maximum pps (packets per second) value our pfSense setup can push than about the number of connections (also important, so thanks for the math). That's why I'm a bit afraid about the single-core dependency and Mike's report about only getting around 70k pps, as a friend of mine tested the Juniper pair with around 500k.
Yes, it always depends on the scenario and hardware, but I was hoping you (or someone else) could throw in a few numbers they measured with new(er) hardware themselves.

Nevertheless, thanks for all the hard work!


• The most CPU-intensive part of pf until we're on a FreeBSD 10.x base is giant locked. Many other parts of the OS and system use other cores; there is a significant benefit to SMP even today. That benefit will get a lot bigger in the next year. A few hundred Kpps is no problem; I've seen systems at over a million pps with today's stable releases. Granted, that can vary from one hardware combination to another.

I think that covers quite a few things, which is great. As we are steering towards decision-making time, methinks an email to your commercial support with project details will follow soon. IMHO the migration plan from the current Juniper setup and a few detail questions about setup and functionality, as well as a potential reseller subscription, are things best covered there.

Many thanks!

