PfSense or OpenBSD



  • Hello,

    I'm a network admin of several small offices and after research of open source firewalls I've decided to use the pf firewall. As I understand it, the latest version of the pf firewall is in OpenBSD (5.5), but as the pfSense distribution provides a very nice way of managing the firewall more easily, I'm seriously considering using it. But, stability and feature richness are very important to me as well and I will consider compromising on the user interface if needed. So, my questions are as follows regarding using pfSense vs. using OpenBSD 5.5:

    1. Are the bug fixes in pf in OpenBSD being ported to pfSense and included in version 2.1.5?
    2. Are there firewall features being supported in OpenBSD that aren't supported in pfSense 2.1.5? (I'm aware that all features will have a different user interface and rule syntax; this doesn't bother me.)


  • There is functionally no difference between the pf in FreeBSD (plus patches we add) and what's in OpenBSD. Actually we have one feature that Open doesn't, dummynet in pf (limiters).

    2.2 should prove to be significantly more scalable than OpenBSD, since we have SMP-capable pf now, which isn't doable in OpenBSD (and will likely be a number of years until it is). Plus AES-NI, more coming soon.
    https://blog.pfsense.org/?p=1473

    Bug fixes are brought over into FreeBSD from OpenBSD as needed (sometimes by us, sometimes by others), though FreeBSD pf is essentially a fork at this point since making it SMP-capable changed things significantly. It's mostly separately-maintained at this point.



  • Thank you very much.
    I tried looking for performance numbers for pfSense 2.X and didn't manage to find anything updated (only on old CPUs)
    Do you have any performance numbers to share or refer me to some link?
    I am interested in low end (Atom) and high end (i5/i7) processors, and in TCP/UDP session rate, packet rate and throughput numbers, in both pfSense 2.1 and in the coming 2.2 release - but anything you can share will be appreciated.

    Thank you in advance



    The biggest cause of pfSense "performance issues" is people using Realtek, USB, PCI NICs, or older Atom CPUs. A dual-core i3 with no HT and Intel PCIe NICs should be a lot of power for non-VPN or enterprise users. If you want stuff like Snort or high VPN throughput, you'll need more CPU, and Snort eats memory, so plenty of RAM.

    Only the newest Intel Atom CPUs are decent CPUs. Prior gen were in-order runts. I would stick with i3/i5 unless you know the CPU in question is good. I think there is a highly recommended low-power motherboard+CPU with integrated NICs floating around in the forums.


  • Netgate Administrator

    What is the task you are setting it?  :)
    If your WAN bandwidth is, say, 20Mbps then an older Atom will have no problems even running some packages or VPN. The APU box has Realtek NICs. It would be nice if it didn't but it fills a price/performance niche with what it has. It is good for 350-400Mbps of firewall/NAT using the onboard Realtek NICs. One user reported ~650Mbps when using a dual port miniPCIe Intel card in it:
    https://forum.pfsense.org/index.php?topic=83284.msg457107#msg457107

    Steve

    Edit: of not or



  • @daemonguy:

    So you are saying that Soekris, PC Engines and the Intel D2500CCE are not up to the task? Not trolling, pre-purchase research.

    It depends - what's the task? Got a gigabit Internet connection you're looking to max out and need to sustain several hundred thousand simultaneous connections as a typical peak load? Not gonna do it with any of those. Got a ~200 Mb or less connection with a typical SMB or home network, they'll be more than enough. Between that, "it depends."

    @daemonguy:

    And let me tell you, making my head spin with all these options. Especially since pfSense bags on Realtek in their FAQs, but on the same page recommends and states their primary sponsor is Netgate, who repurposes PC Engines APU boards that have Realtek NICs. Very confusing. Soekris looks good but is too expensive for 2 year old+ tech, the new version keeps getting delayed, and I have read too many negative reviews on the PC Engines and EdgeRouter Lite. The D2500CCE seems like my only shot on this, but not sure, as everyone in pfSense/pf land loves the PC Engines despite the Realtek cards.

    There's a difference between some random Realtek NIC someone pulled out of a dumpster, and those built into appliances. Though the NICs in the APU aren't the best, and PC Engines plans to use Intel NICs on their next gen board because of hardware bugs in the Realtek, the APU is still a reliable system for most everything (only if you have a requirement to disable Ethernet autonegotiation are you going to have a problem, likely). The APU is still a solid choice at the low end.



  • Next-Gen PC Engines (later this year) has a better CPU (quad core 1GHz, supports AES-NI) and Intel NICs.

    Why do you think there is all the emphasis from the developers of pfSense on multi-core, AES-NI and Intel NICs?



  • @stephenw10:

    If your WAN bandwidth is, say 20Mbps, then an older Atom will have no problems even running some packages or VPN.

    Likely well beyond that too, even the oldest Atom CPUs should be good for 100+ Mbps Internet connection.

    Harvy66's comment on old Atoms is a bit confusing without more context, I think he's referring to people who were expecting to push, say a gigabit wire speed through an old Atom (probably with Realtek NICs while they were at it).



  • @cmb:

    @stephenw10:

    If your WAN bandwidth is, say 20Mbps, then an older Atom will have no problems even running some packages or VPN.

    Likely well beyond that too, even the oldest Atom CPUs should be good for 100+ Mbps Internet connection.

    Harvy66's comment on old Atoms is a bit confusing without more context, I think he's referring to people who were expecting to push, say a gigabit wire speed through an old Atom (probably with Realtek NICs while they were at it).

    I'm rocking an Atom D510 @ 1.66GHz and have no issues with my 100Mbps connection. Granted, I'm using this for home use, but no hiccups when I'm downloading a few torrents, streaming 2-3 movies… CPU usage stays pretty low; example: downloading right now at 18Mps, 4% usage. When I have Snort or Suricata enabled, CPU will max out at 100%, but it doesn't affect my download/upload speed from what I can tell.


  • Netgate Administrator

    Is that at 100Mbps or 18Mbps with Snort?



  • @stephenw10:

    Is that at 100Mbps or 18Mbps with Snort?

    Just ran a speedtest from my ISP. The connection is a cable modem 100/5, but I've seen it go up to 115Mps.
    Without Suricata
    99.7Mps, CPU up to 18%

    With Suricata
    112Mps, CPU from 60% to 100%


  • Netgate Administrator

    Useful numbers, thanks.  :)
    Would you agree that Suricata is considerably less resource heavy than Snort?

    Steve



  • I agree… but they both push my little atom to its max...



  • I can max out my 80/20Mb connection on an Atom 510 board using dual Intel NICs. I am very happy with it. My VPN connection is always limited by the rubbish remote wifi I am on.
    For home use, older atoms (if you can find them) are fantastic.

