Feedback on a large pfsense deployment



  • Hello,
    We are a university with approximately 30 000 users.
    Today we have 2 Cisco FWSM with the following specifications:

    • 500 NAT rules
    • 2000 filter rules
    • 2 Gbit/s of bandwidth

    We plan to replace our edge Internet firewall with a pfSense installation with Snort.
    Does anyone have feedback on such an installation?
    And in that case, what kind of hardware is supported and what are the technical limits in terms of bandwidth?

    Thank you for your help.


  • Banned

    :D I think you should hire a professional for this job. :)



  • We already have in production:

    • 2 pfSense 2.1 in failover mode for the Eduroam network https://www.eduroam.org/ with 1000 simultaneous users (200 Mbit/s)
    • 2 pfSense 2.1 in failover mode for one department with inter-VLAN filtering and dual-stack (v4/v6)
    • 1 pfSense 2.1 with the captive portal and Snort enabled

    Does anyone have feedback?

    Thank you for your help.



  • On other threads which discuss hardware requirements for such a deployment it seems that CPU load is not always the "problem". You probably need an up-to-date server CPU to handle 2 Gbit/s, but what could be important is how many simultaneous connections/states the firewall needs to handle. In your environment this will probably need a lot of memory. So perhaps provide some information about the states.

    As far as I know, on pfSense 2.1 the firewall rules/states can still be handled by one CPU only; this means that a multicore CPU will not improve performance for NAT/firewall, but it will probably help you handle the Snort processes.

    This is probably something you have read:

    http://doc.pfsense.org/index.php/Hardware_requirements#High_Throughput_Environments

    http://www.pfsense.org/index.php@option=com_content&task=view&id=52&Itemid=49.html

    So probably a server CPU with more than 3 GHz and quality server network cards.
    For RAM this could be a calculation basis:

    10,000 entries take up a little less than 10 MB RAM

    So probably you already knew this, but I just want to make sure you have this information.



  • @ucbn.dsi:

    We are a university with approximately 30 000 users.
    Today we have 2 Cisco FWSM with the following specifications:

    • 500 NAT rules
    • 2000 filter rules
    • 2 Gbit/s of bandwidth

    We plan to replace our edge Internet firewall with a pfSense installation with Snort.

    The bandwidth requirement can certainly be met; with a little googling you can find many reports of people doing it, e.g.:

    We use Pfsense to push 6+GBps most of the working day. Not a big deal - pair of Supermicro E3 boxes with Intel 10 gig-e and off to the races. They are in a HA pair and simply just work. We use the excellent Pfblocker package to blacklist a bunch of known scumbags.

    Pfsense has saved us $10's of thousands in retiring 5580's and SMARTNet.

    http://arstechnica.com/civis/viewtopic.php?f=10&t=1173665

    However, since the pf packet filter is still under the GIANT lock in FreeBSD 8.3 (used by pfSense 2.1), depending on how expensive your NAT and firewall rules are, you may have to put Snort on a different system.

    pfSense 2.2 will be based on FreeBSD 10 and SMP pf.



  • Snort is a beast in itself and something at large scale better done on separate systems (and also in combination with related tools for full scale NSM - see Security Onion). Especially since at large scale it can tend to run away with all the hardware resources of the box it's running on, so keeping it separate prevents it from dragging down your entire network.

    There are plenty of people doing similar to what you're looking at there. I'd just run Security Onion rather than Snort on the firewall.



  • @cmb:

    I'd just run Security Onion rather than Snort on the firewall.

    I guess he's trying to achieve some sort of IPS-like functionality, where the triggering of a Snort rule not only creates an alert but also dynamically adds the offending IP(s) to the firewall's block-list, similar to what is (at long last ;-) offered by pfSense's Snort-package.
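    The alert-to-blocklist step described above, as an added example that is not code from this thread or from the pfSense Snort package: it parses Snort "alert_fast" lines (constructed samples included), skips anything on a pass list so the firewall never blocks its own networks, requires a minimum number of alerts at a given priority before acting, and emits `pfctl` table commands. The table name `snort2c` and the pass-list ranges are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches one line of Snort's alert_fast output (IPv4 only in this example).
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$"
)

# Assumed pass list: ranges that must never be added to the block table
# (own campus networks, loopback). pfSense's Snort package has the same concept.
PASS_LIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample alerts; SIDs are in the local (1000000+) range, not real rule IDs.
SAMPLE_ALERTS = [
    "01/28-12:00:01.000001  [**] [1:1000001:1] LOCAL test scan [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.10:44212 -> 192.168.1.5:80",
    "01/28-12:00:02.000002  [**] [1:1000001:1] LOCAL test scan [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.10:44213 -> 192.168.1.5:80",
    "01/28-12:00:03.000003  [**] [1:1000002:1] LOCAL internal noise [**] [Classification: Misc activity] [Priority: 1] {TCP} 10.20.30.40:5555 -> 192.168.1.5:22",
    "01/28-12:00:04.000004  [**] [1:1000003:1] LOCAL ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.1.5",
    "01/28-12:00:05.000005  [**] [1:1000004:1] LOCAL single hit [**] [Classification: Attempted Recon] [Priority: 1] {TCP} 198.51.100.9:1234 -> 192.168.1.5:443",
]

def parse_alert(line):
    """Return a dict with sid, msg, priority, src, dst, or None if the line is not an alert."""
    m = ALERT_RE.search(line.strip())
    if not m:
        return None
    return {"sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]),
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"])}

def offenders(lines, max_priority=2, min_hits=2):
    """Source IPs with at least min_hits alerts of priority <= max_priority, minus the pass list."""
    hits = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None or a["priority"] > max_priority:
            continue
        if any(a["src"] in net for net in PASS_LIST):
            continue  # never block our own ranges, whatever Snort says
        hits[a["src"]] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= min_hits)

def pfctl_commands(ips, table="snort2c"):
    """Commands that add each IP to the pf table the firewall's block rule references."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(pfctl_commands(offenders(SAMPLE_ALERTS))))
```

    Only the repeat offender from outside the pass list ends up in the table; the internal host, the low-priority ping sweep and the single-hit source are left alone.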

