    Connection throughput

    General pfSense Questions
    • Orly:

      Hi,

      Before getting a pfSense machine, I have a few questions.

      I'm not sure about the difference between rated and actual connection speeds, see https://pfsense.org/hardware/index.html#sizing
      If I wanted to get a throughput of 100 Mbps, as per the pfSense link above, would a 1.0 GHz CPU give an actual or rated connection speed of 51 to 200 Mbps?

      Thanks in advance!

      • stephenw10 (Netgate Administrator):

        The shiny new website still seems to be using the old data points for hardware guidelines which are a bit outdated now. I know the dev team have been testing hardware to get good numbers for the new book though.
        Really it depends on what services you are running. For straight firewall and NAT some useful data points are:

        Alix box, 500MHz AMD Geode: 85Mbps
        Atom D510: ~500Mbps
        Celeron G530: >1Gbps

        If you are running close to those maximums the choice of NIC starts to make a difference. Choose Intel NICs if you can.
        If you want to run Squid or Snort the throughput will be significantly reduced. Too many variables to make a good guess though.

        Steve

        • Orly:

          Thanks for the detailed answer, Steve!

          Would this product be suitable for 80 or 100 Mbps: http://www.ebay.com/itm/200839113376

          It uses an Intel Atom N2500 CPU, and the NIC is 2x Intel 82574L. Should the NIC be changed to an Intel Pro/1000, and is that even possible on this product?

          The hardware guide mentions in "CPU Selection", that "All of the following numbers also assume no packages are installed."

          If Squid, Snort, ntop and OpenVPN are installed, I would presume maybe the aforementioned product isn't suitable? Would it maybe support some of these?

          • dreamslacker:

            @Orly:

            Thanks for the detailed answer, Steve!

            Would this product be suitable for 80 or 100 Mbps: http://www.ebay.com/itm/200839113376

            It uses an Intel Atom N2500 CPU, and the NIC is 2x Intel 82574L. Should the NIC be changed to an Intel Pro/1000, and is that even possible on this product?

            The hardware guide mentions in "CPU Selection", that "All of the following numbers also assume no packages are installed."

            If Squid, Snort, ntop and OpenVPN are installed, I would presume maybe the aforementioned product isn't suitable? Would it maybe support some of these?

            The D2500 will be good for 500Mbps+ of simple firewall/ NAT without the other packages.  The onboard 82574L are very decent NICs, there is no need to "change" those.

            For OpenVPN, you can expect 50-60Mbps throughput depending on whether you're using Blowfish or AES-256.

            For snort and squid, the configuration matters and no real hard figures can be given except that you'll definitely see a drop in throughput.

            • stephenw10 (Netgate Administrator):

              Yep. One user achieved >650Mbps with some minor tweaking on a similar board. So will running Snort reduce your throughput by a factor of 6? Probably not but it does depend on what rule sets you have loaded, how many interfaces you're listening on etc.
              Squid is a different matter. If you are using squid to proxy and filter http traffic then it's not going to slow you down much if you're running a download test (depending on the test ;)). Nor will it slow a large ftp download for example. If you're opening lots of web pages and hence many http connections then yes it will slow you down but will you notice in that situation? Will it slow down by a factor of 6? Again probably not. Running both Squid and Snort and throw in some CPU hungry VPN and there are just too many variables to make any sort of reliable guess.
              What are you doing with this box?

              Steve

              • Orly:

                Mainly we would like to have more control of the network with the use of these packages:

                Squid + SquidGuard - Mainly to filter the network (i.e. blacklist some websites, possibly block ads, and traffic shaping. It's not necessary with caching).
                Snort - for security.
                ntop - NetFlow/sFlow: do they run when you've installed ntop?
                OpenVPN - Encrypt all network traffic.

                • some firewall rules and a captive portal will be used.

                I'm thinking I maybe will not want to use Squid + SquidGuard.

                The network will be used for usual browsing, and downloading (i.e. torrent, Usenet).

                Does that help, Steve?

                • stephenw10 (Netgate Administrator):

                  @Orly:

                  OpenVPN - Encrypt all network traffic.

                  If you really want to encrypt all traffic then you are going to need something a lot more powerful.

                  The Atom will max out at ~50-60Mbps of VPN traffic and that's without anything else running. If you want to see 100Mbps of VPN with Snort and Squid you will have to step up to an i3 or similar. Again the actual numbers are hard to define.

                  Steve

                  • Orly:

                    Is there anywhere I could buy a ready-made pfSense machine which matches the requirements? Even http://store.pfsense.org/FW-7541/ doesn't have an i3. However it seems http://store.pfsense.org/R200/ matches what I'm looking for, though refurbished, and it uses a Dual Broadcom NIC. Are Dual Broadcom BCM95721 Gigabit Ethernet NICs more than stable and good, like Intel's NICs? With the latter pfSense box, it would need a server rack it seems.

                    I'm lost when it comes to choosing the hardware, especially if making a pfSense box on your own.

                    • stephenw10 (Netgate Administrator):

                      The Broadcom NICs are well regarded. Only Intel NICs are preferred. As you say the Dell R200 is rack mounted and will be big and loud!
                      Do you need 100Mbps of VPN traffic?

                      Steve

                      • Orly:

                        The pfSense box would need, at a minimum, around 70~80 Mbps. Do you have any suggestions other than the Dell server? With the Dell server it would need a rack, and I don't know what sort of rack would eventually fit + how noisy is it? I would like, if possible, to keep the costs at a minimum while still being able to deliver the requirements for such a system. It would seem the pfSense store is overpricing the server if compared to eBay prices.

                        Sorry for being such a newbie!

                        • stephenw10 (Netgate Administrator):

                          For a lot of people, for home use at least, the choice of hardware comes down to what you have at hand. Try something convenient; if it doesn't meet the requirements then upgrade.

                          If you need 70-80Mbps of VPN traffic then you're going to need something more powerful than an Atom. There are several builds people have detailed using a miniITX board with a low end Sandy/Ivy Bridge CPU. That will easily meet your requirements whilst not necessarily being much more expensive than an Atom either to buy or run.

                          The Intel DQ77KB with a Celeron 1610 is a good and tested combination but that board is becoming very hard to get hold of, and isn't the cheapest. Have a look through the forum, avoid the latest Haswell chips and boards that may not be supported.

                          Steve

                          • Orly:

                            It isn't cheap to test and try, but I'll try to make an informed decision. If the desired product isn't good enough, it'll take time before another product can be bought. I've asked in the Hardware part of the forum, maybe they can help: https://forum.pfsense.org/index.php/topic,71875.0.html

                            • Orly:

                              Would a Realtek RTL8111E fit the requirements? It's not an Intel NIC, however, as long as it can keep up with the requirements, it seems OK.

                              • stephenw10 (Netgate Administrator):

                                It will easily pass the 100Mbps you originally stated. I wouldn't expect to see any sort of restriction until you try to pass, say, >800Mbps. The real issue with Realtek NICs is that they aren't as reliable as others. There are many people (most people) using them who never see any issues.
                                A lot of the bad reputation that Realtek have is due to the old 10/100 NICs, which were really bad, but their Gigabit NICs are much better.

                                Steve

                                • Orly:

                                  @stephenw10:

                                  It will easily pass the 100Mbps you originally stated. I wouldn't expect to see any sort of restriction until you try to pass, say, >800Mbps.

                                  100 Mbps down/up through OpenVPN is more than good with the Realtek network card?

                                  • stephenw10 (Netgate Administrator):

                                    The Realtek card doesn't care what's in the traffic it's passing it just sends and receives Ethernet frames. It has no knowledge of the encrypted connection and is not affected by it.

                                    Steve
