PFsense 10Gbs experience anyone?



  • Hi all

    We are thinking of implementing PFsense as a firewall on a 10Gbs internet connection.
    But before we do, we would like to know if this has been done before.
    Is there anyone in here who is running a setup like that? And who is willing to share their experience?

    Hope to hear from a lot of you  :)


  • Netgate Administrator

    I suspect you won't hear from 'a lot' because not that many of us have access to a 10Gbps connection, myself included. There have been a number of threads regarding this though. I'll see if I can find one...

    Steve


  • Banned

    Yes. No issues and great performance.


  • Netgate Administrator

    Ah, just spent a while reading old threads and though there's plenty of 10GbE talk there's no hard numbers I could find.
    Supermule, what hardware are you using and what bandwidth can it push? Just firewall/NAT?

    Steve


  • Banned

    Just FW/NAT with no Squid but running Snort.

    Intel X520-T2 and pushing 4,3Gbit/s.



  • Supermule

    Do you have any idea about what is the limiting factor in your setup? Do you have a clear bottleneck (CPU, network etc.) or is 4,3 Gbit the limit of pfSense?

    /Jakob



  • I have also read a lot of threads about this, in various forums around the net. But no facts.

    @Supermule
    Can you tell us more about what it is used for? Is it in an educational environment, or in front of a datacenter of a kind?

    If you don't want to go public with it, is it perhaps possible to contact you by phone or e-mail ?

    I'm located in Denmark, and it looks like you are too :-)

    KR

    Jan


  • Banned

    It's one of a dozen frontends in a datacenter connected to DIX.

    PM me with your contact details.



  • @Supermule:

    It's one of a dozen frontends in a datacenter connected to DIX.

    PM me with your contact details.

    I'm interested in the hardware details so I sent you a PM.  I'm potentially looking to do 10Gbe routing + firewall on my internal network due to some bad experiences and high cost when handling it with L3 switches.


  • Netgate Administrator

    A real number!  ;)
    Could you say what CPU you're using and how hard it's working? 4.3Gbps with Snort is impressive.

    Steve



  • Gotta be a liquid nitrogen cooled i7 clocked at a quadrillion GHZs or something….



  • @stephenw10:

    A real number!  ;)
    Could you say what CPU you're using and how hard it's working? 4.3Gbps with Snort is impressive.

    Steve

    That number is very similar to what hacom claims is the firewall performance for an E3-1275 V2, which for single-threaded apps (pfSense still uses pf for the main filters, right?) is just about the fastest x86 CPU you can get at any reasonable price.  The 1280 and 1290 are a few ticks faster but double or triple the CPU price budget, and the V3 chips might add a few percent more, but it's looking like 5Gb/s might be about what you get with the current crop of hardware available.



  • No idea, I do not have much experience with pfsense, nor how it works.

    But as far as I know you can use pf_ring with snort to use multiple cores.

    Why not give it a try, if you have 10gbit stuff lying around.

    https://www.google.nl/search?q=pfring+snort&oq=pfring+snort&aqs=chrome.0.69i57j0l3j69i62.1732j0&sourceid=chrome&ie=UTF-8#fp=aba73ede39cbb7b9&q=pf_ring+snort&safe=off&spell=1


  • Netgate Administrator

    Interesting. In fact there's a load of posts about running Snort at 10Gbps on FreeBSD even a few years ago on older hardware. However, not using pf_ring, because it's available as a Linux kernel module.

    Steve



    I'm also interested in some hardware details and in the load of the system under real conditions.



  • @jancolle:

    Hi all

    We are thinking of implementing PFsense as a firewall on a 10Gbs internet connection.
    But before we do, we would like to know if this has been done before.
    Is there anyone in here who is running a setup like that? And who is willing to share their experience?

    Hope to hear from a lot of you  :)

    Is this a 10Gb/s dedicated or leased line, or a shared 10Gb/s line?



  • @onlineph:

    @jancolle:

    Hi all

    We are thinking of implementing PFsense as a firewall on a 10Gbs internet connection.
    But before we do, we would like to know if this has been done before.
    Is there anyone in here who is running a setup like that? And who is willing to share their experience?

    Hope to hear from a lot of you  :)

    Is this a 10Gb/s dedicated or leased line, or a shared 10Gb/s line?

    Well, does that matter? In the end it is 10 gbit.



    I hear lots of people going on about hardware that can't hit 1GB throughput. It will be interesting to see if someone does get 10GB throughput through something that doesn't cost a fortune.



  • @ilaurens:

    No idea, I do not have much experience with pfsense, nor how it works.

    But as far as I know you can use pf_ring with snort to use multiple cores.

    Why not give it a try, if you have 10gbit stuff lying around.

    https://www.google.nl/search?q=pfring+snort&oq=pfring+snort&aqs=chrome.0.69i57j0l3j69i62.1732j0&sourceid=chrome&ie=UTF-8#fp=aba73ede39cbb7b9&q=pf_ring+snort&safe=off&spell=1

    Interesting.  Would this work with FreeBSD?  If so, I'd be in for a bounty on anyone who would be willing to integrate this into the pfSense package for Snort.  I'm actually less interested in this for 10Gbe speeds than I am for running on low-power hardware with multiple cores.

    Anyway, I think I've decided to go with a pair of Cisco Nexus 5548UP switches with the L3 modules to solve my routing issue.  I've talked to a few people who have installed them and they've all had solid experiences.



  • @Jason:

    @ilaurens:

    No idea, I do not have much experience with pfsense, nor how it works.

    But as far as I know you can use pf_ring with snort to use multiple cores.

    Why not give it a try, if you have 10gbit stuff lying around.

    https://www.google.nl/search?q=pfring+snort&oq=pfring+snort&aqs=chrome.0.69i57j0l3j69i62.1732j0&sourceid=chrome&ie=UTF-8#fp=aba73ede39cbb7b9&q=pf_ring+snort&safe=off&spell=1

    Interesting.  Would this work with FreeBSD?  If so, I'd be in for a bounty on anyone who would be willing to integrate this into the pfSense package for Snort.  I'm actually less interested in this for 10Gbe speeds than I am for running on low-power hardware with multiple cores.

    Anyway, I think I've decided to go with a pair of Cisco Nexus 5548UP switches with the L3 modules to solve my routing issue.  I've talked to a few people who have installed them and they've all had solid experiences.

    I did read something about SnortSP Beta

    Shell-based user interface with embedded scripting language
    Native IPv6, MPLS and GRE support (This feature is now included in 2.9.x)
    Native support for inline operation (This feature is now included in 2.9.x)
    More subsystem plugin types such as data acquisition modules, decoders and traffic analyzers
    Multithreaded execution model - multiple analysis engines may operate simultaneously on the same traffic (There are certain subsystems of 2.9.x that are now multi-threaded)
    Performance increases

    The purpose of this program is to

    Source: http://www.snort.org/snort-downloads/snortsp/

