Connection throughput



  • Hi,

    Before getting a pfSense machine, I have a few questions.

    I'm not sure about the difference between rated and actual connection speeds, see https://pfsense.org/hardware/index.html#sizing
    If I wanted to get a throughput of 100 Mbps, as per the pfSense link above, would a 1.0 GHz CPU give an actual or rated connection speed of 51 to 200 Mbps?

    Thanks in advance!


  • Netgate Administrator

    The shiny new website still seems to be using the old data points for hardware guidelines which are a bit outdated now. I know the dev team have been testing hardware to get good numbers for the new book though.
    Really it depends on what services you are running. For straight firewall and NAT some useful data points are:

    Alix box, 500MHz AMD Geode: 85Mbps
    Atom D510: ~500Mbps
Celeron G530: >1Gbps

    If you are running close to those maximums the choice of NIC starts to make a difference. Choose Intel NICs if you can.
    If you want to run Squid or Snort the throughput will be significantly reduced. Too many variables to make a good guess though.

    Steve



  • Thanks for the detailed answer, Steve!

    Would this product be suitable for 80 or 100 Mbps: http://www.ebay.com/itm/200839113376

    It uses an Intel Atom N2500 CPU, and the NIC is 2x Intel 82574L. Should the NIC be changed to an Intel Pro/1000, and is that even possible on this product?

    The hardware guide mentions in "CPU Selection", that "All of the following numbers also assume no packages are installed."

    If Squid, Snort, ntop and OpenVPN are installed, I would presume maybe the aforementioned product isn't suitable? Would it maybe support some of these?



  • @Orly:

    Thanks for the detailed answer, Steve!

    Would this product be suitable for 80 or 100 Mbps: http://www.ebay.com/itm/200839113376

    It uses an Intel Atom N2500 CPU, and the NIC is 2x Intel 82574L. Should the NIC be changed to an Intel Pro/1000, and is that even possible on this product?

    The hardware guide mentions in "CPU Selection", that "All of the following numbers also assume no packages are installed."

    If Squid, Snort, ntop and OpenVPN are installed, I would presume maybe the aforementioned product isn't suitable? Would it maybe support some of these?

The D2500 will be good for 500Mbps+ of simple firewall/NAT without the other packages. The onboard 82574L are very decent NICs, there is no need to "change" those.

    For OpenVPN, you can expect 50-60Mbps throughput depending on whether you're using Blowfish or AES-256.

    For snort and squid, the configuration matters and no real hard figures can be given except that you'll definitely see a drop in throughput.


  • Netgate Administrator

    Yep. One user achieved >650Mbps with some minor tweaking on a similar board. So will running Snort reduce your throughput by a factor of 6? Probably not but it does depend on what rule sets you have loaded, how many interfaces you're listening on etc.
Squid is a different matter. If you are using Squid to proxy and filter http traffic then it's not going to slow you down much if you're running a download test (depending on the test ;)). Nor will it slow a large ftp download for example. If you're opening lots of web pages and hence many http connections then yes it will slow you down, but will you notice in that situation? Will it slow down by a factor of 6? Again probably not. Run both Squid and Snort, throw in some CPU-hungry VPN, and there are just too many variables to make any sort of reliable guess.
    What are you doing with this box?

    Steve



  • Mainly we would like to have more control of the network with the use of these packages:

    Squid + SquidGuard - Mainly to filter the network (i.e. blacklist some websites, possibly block ads, and traffic shaping. It's not necessary with caching).
    Snort - for security.
ntop - NetFlow/sFlow: do they run when you've installed ntop?
    OpenVPN - Encrypt all network traffic.

• Some firewall rules and a captive portal will be used.

    I'm thinking I maybe will not want to use Squid + SquidGuard.

    The network will be used for usual browsing, and downloading (i.e. torrent, Usenet).

    Does that help, Steve?


  • Netgate Administrator

    @Orly:

    OpenVPN - Encrypt all network traffic.

    If you really want to encrypt all traffic then you are going to need something a lot more powerful.

The Atom will max out at ~50-60Mbps of VPN traffic and that's without anything else running. If you want to see 100Mbps of VPN with Snort and Squid you will have to step up to an i3 or similar. Again the actual numbers are hard to define.

    Steve
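
A sizing check for the cipher-bound VPN ceiling Steve describes above (Blowfish vs AES-256 in the earlier reply, and the Atom's ~50-60Mbps limit here), as an added example that is not part of the thread: it parses the output of `openssl speed`, which a buyer can run on any candidate CPU before purchase (e.g. `openssl speed -evp aes-256-cbc`), and converts the per-cipher rate into Mbps. The embedded sample output is constructed, not measured on the boards discussed.

```python
# Added example (not from the thread): estimate a per-cipher OpenVPN throughput
# ceiling from `openssl speed` output. SAMPLE_OUTPUT below is constructed in the
# layout openssl prints; it is not a measurement of the boards discussed.
import re

# Constructed sample: one row per cipher, throughput in 1000s of bytes per
# second for each block size (the unit openssl states in its preamble).
SAMPLE_OUTPUT = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc       8000.00k    10000.00k    11000.00k    11500.00k    12000.00k
blowfish cbc      6000.00k     7000.00k     7500.00k     7600.00k     7700.00k
"""

HEADER_RE = re.compile(r"^type\s+(.*)$")
SIZE_RE = re.compile(r"(\d+) bytes")


def parse_openssl_speed(text):
    """Return {cipher_name: {block_size_bytes: kbytes_per_second}}."""
    sizes, results = None, {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # the 'type ... N bytes' header fixes the column layout
            sizes = [int(s) for s in SIZE_RE.findall(m.group(1))]
            continue
        cols = line.split()
        if sizes is None or len(cols) <= len(sizes):
            continue  # preamble, blank line or other non-table text
        numbers = cols[-len(sizes):]
        if not all(n.endswith("k") for n in numbers):
            continue
        # Cipher names may contain spaces ("blowfish cbc"); the trailing
        # len(sizes) columns are always the numeric ones.
        name = " ".join(cols[:-len(sizes)])
        results[name] = {s: float(n[:-1]) for s, n in zip(sizes, numbers)}
    return results


def kbytes_to_mbps(kbytes_per_second):
    """openssl's '1000s of bytes per second' -> megabits per second."""
    return kbytes_per_second * 8 / 1000.0


def vpn_ceiling_mbps(text, block_size=1024):
    """Raw single-core cipher rate at a block size near a tunnelled packet's
    payload. Real OpenVPN throughput is lower (HMAC, tun/tap copies and
    context switches are not counted), so treat this as an upper bound."""
    rates = parse_openssl_speed(text)
    return {c: kbytes_to_mbps(r[block_size]) for c, r in rates.items()}
```

Feed it the real output of `openssl speed` captured on the candidate machine; if the 1024-byte AES-256 figure is already below the VPN rate you need, no NIC choice will rescue it.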



Is there anywhere I could buy a ready-made pfSense machine which matches the requirements? Even http://store.pfsense.org/FW-7541/ doesn't have an i3. However it seems http://store.pfsense.org/R200/ matches what I'm looking for, though refurbished and it uses Dual Broadcom NIC. Are Dual Broadcom BCM95721 Gigabit Ethernet NICs more than stable and good, like Intel's NICs? With the latter pfSense box, it would need a server rack it seems.

    I'm lost when it comes to choosing the hardware, especially if making a pfSense box on your own.


  • Netgate Administrator

    The Broadcom NICs are well regarded. Only Intel NICs are preferred. As you say the Dell R200 is rack mounted and will be big and loud!
    Do you need 100Mbps of VPN traffic?

    Steve



  • The pfSense box would need, at a minimum, around 70~80 Mbps. Do you have any suggestions other than the Dell server? With the Dell server it would need a rack, and I don't know what sort of rack would eventually fit + how noisy is it? I would like, if possible, to keep the costs at a minimum while still being able to deliver the requirements for such a system. It would seem the pfSense store is overpricing the server if compared to eBay prices.

    Sorry for being such a newbie!


  • Netgate Administrator

For a lot of people, for home use at least, the choice of hardware comes down to what you have at hand. Try something convenient; if it doesn't meet the requirements then upgrade.

If you need 70-80Mbps of VPN traffic then you're going to need something more powerful than an Atom. There are several builds people have detailed using a miniITX board with a low end Sandy/Ivy Bridge CPU. That will easily meet your requirements whilst not necessarily being much more expensive than an Atom either to buy or run.

    The Intel DQ77KB with a Celeron 1610 is a good and tested combination but that board is becoming very hard to get hold of, and isn't the cheapest. Have a look through the forum, avoid the latest Haswell chips and boards that may not be supported.

    Steve



It isn't cheap to test and try, but I'll try to make an informed decision. If the desired product isn't good enough, it'll take time before another product can be bought. I've asked in the Hardware part of the forum, maybe they can help: https://forum.pfsense.org/index.php/topic,71875.0.html



  • Would a Realtek RTL8111E fit the requirements? It's not an Intel NIC, however, as long as it can keep up with the requirements, it seems OK.


  • Netgate Administrator

    It will easily pass the 100Mbps you originally stated. I wouldn't expect to see any sort of restriction until you try to pass, say, >800Mbps. The real issue with Realtek NICs is that they aren't as reliable as others. There are many people (most people) using them who never see any issues.
    A lot of the bad reputation that Realtek have is due to the old 10/100 NICs, which were really bad, but their Gigabit NICs are much better.

    Steve



  • @stephenw10:

    It will easily pass the 100Mbps you originally stated. I wouldn't expect to see any sort of restriction until you try to pass, say, >800Mbps.

100 Mbps down/up through OpenVPN is more than good with the Realtek network card?


  • Netgate Administrator

The Realtek card doesn't care what's in the traffic it's passing; it just sends and receives Ethernet frames. It has no knowledge of the encrypted connection and is not affected by it.

    Steve