Firebox x5500e: hardware for a Gigabit Firewall Throughput?



  • Hi all,

    I need to set up a firewall with +/- 1Gbps firewall throughput (in fact between DMZ and LAN) and a minimum of 6 Gigabit interfaces.
    As Watchguard is claiming their Firebox Peak x5500e can achieve 2Gbps, can we assume it will achieve the same using pfSense 2.1.4?
    If yes, will it need any upgrade such as memory or CPU?
    If no, what hardware would you recommend?
    I was thinking maybe a Celestix MSA5000 could match, but I need something not too noisy, so I don't think it will be an appropriate solution.
    The other alternative is to build my own appliance, but which configuration should I choose?
    Thanks in advance for your advice :)

    PM


  • Netgate Administrator

    @mortem:

    ..can we assume it will achieve the same using pfSense 2.1.4?

    No. The Watchguard OS is tuned for that one platform so gets a better throughput than a vanilla Linux distro, which itself would probably be faster than vanilla FreeBSD. Also their numbers are marketing so they're tweaked to give the best results. That said you should get close to Gigabit throughput with an X5500e. There are some great numbers here:
    http://www.copyerror.com/2012/10/27/watchguard-firebox-core-x550ex750ex1250e/4/

    @mortem:

    If yes, will it need any upgrade such as memory or CPU?

    The CPU in the X-Peak-e is already the 2GHz Pentium-M which is close to the fastest that the board can run. However it is a 533MHz FSB model which is not supported as well as the 400MHz FSB types. You will be paying a big premium to get an X-Peak-e but for pfSense there is not much advantage. You'd be better off getting an X750e and upgrading the CPU.
    You probably won't need to upgrade the RAM unless you want to run Squid or Snort but that will reduce the throughput.

    Steve



  • Thanks for the info. I was thinking the x5500e was using a Celeron-M.
    So with pfSense on this or an x750e, do you think a 1Gbps firewall throughput can be achieved (I don't intend to use Snort or Squid on this setup)?
    If not, what would be the recommendation?
    I think throughput is very dependent on CPU and NIC chipset, but if I can have some rough estimation, it would be very helpful :)

    Thanks


  • Netgate Administrator

    This thread gives some numbers with an upgraded X750e. The CPU used there is about the fastest possible.
    https://forum.pfsense.org/index.php?topic=66049.0
    Notice that the 4 msk interfaces are faster than the sk interfaces. You won't ever see Gigabit throughput using more than 1 sk interface because they share a PCI bus.

    Some rough numbers for other hardware using the single threaded pf in 2.1.4 (2.2 will be multithreaded) for firewall/NAT only:
    Atom D525 ~ 500Mbps
    Celeron G530 >1Gbps (but not much)

    Steve



  • Hmmm... so if I understand well, having a multicore CPU will be (sort of) useless unless we use the 2.2 version.
    So, in 2.2, even an Atom with 2 cores should be much faster.
    In that case, we may suspect stuff like the D525 or D2550 would have much improved performance (double?) compared to a single-core setup like the Firebox.
    If my assumption is correct, it's better to set up a multicore (with HT?!?) such as an Atom D2550, Core2Duo, etc. to take advantage of the multithreading capability of the future release.
    What do you think?

    Thanks again


  • Netgate Administrator

    The pf process which does all the firewalling, NATing, port forwarding etc. is currently, in 2.1.4 and earlier, single threaded, so the limiting factor on firewall throughput is the CPU's single-thread capability. That's not to say that multicore CPUs don't help, because there are many other processes running which can be shared across all the cores. That's particularly true if you're running other heavy processes like Squid or Snort. I would expect to see an increase in throughput on any system with >2 cores once 2.2 is released. Currently anything over 4 cores does not help much. Machines that should really start to shine are those with many cores like the new 8 core Rangeley Atoms. In contrast to all that the Firebox with its Pentium-M will not see any improvement, but it is cheap!  ;)

    Steve



  • Thanks for that useful information :)
    As I stated, I will use this system purely (at least in the beginning) for firewall throughput, so pf will be mostly used.
    So pf will improve in multithreading when 2.2 is released, so I will definitely have to think about a multicore setup.
    I had to set up multiple pfSense systems in the past, but always with lower throughput requirements, around 100-200 Mbps, so nothing difficult to size. But setting up Gigabit capability is another challenge.
    In that case, I will think twice before using a Firebox system.
    I think I will more likely set up a multicore Mini-ITX system with an additional PCIe 4-port Intel Gigabit NIC to match my needs.

    Thanks again :D