Is pfSense right for me?



  • I need a new router badly…

    Yep, a newbie with simple questions, but maybe not so simple as it seems...

    I'll try and be brief:

    Features that I use on our current router:
    Dual WAN
    3 separate LAN segments (protected LAN, guest Wi-Fi, and DMZ)
    NAT
    Firewall
    Port forwarding
    Logs/emailed daily reports
    QoS
    Bridging: a little more detail here; I bridge one of the WANs with one LAN segment for the purpose of placing public IP devices BEHIND the router to limit bandwidth to/from those devices.

    We currently have about 100 users, 200 total network devices.  Our current router is a ZyXel USG200 for reference if anyone is aware of those.

    The problem is they recently decided to start hosting our own streaming audio content without asking if our current equipment could handle the load.  Now my router's CPU usage pretty much pegs at 100% during business hours, which of course is causing issues.

    We currently have about 200 listeners, and expect potentially more.

    I have seen the hardware recommendation guide, but should I count those listeners as if they were part of the number of lan users for figuring the right sized hardware?

    Thanks,

    -Alan


  • Netgate Administrator

    Sounds like it is yes. Of course I'm not biased!  ;)

    Total throughput, what packages you're running and whether you need VPNs are what counts for hardware selection. Give us some numbers and we can make some suggestions.

    That Zyxel box does UTM type duties that you haven’t mentioned, do you use that?

    Steve



  • I agree - pfSense will be great.

    But on the bridging, isn't there a better way to accomplish that?  Maybe with VLANs?



    Total throughput is 20/20 on one WAN, 50/10 on the other.  However, there are times when there is LAN-to-LAN traffic as well (protected network accessing public devices in the DMZ segment, such as FTP).

    Yes, the USG is a UTM device; however, we don't subscribe to any subscription services: no antivirus, content filtering, IDP, or anything like that.  Actually, in our business, content filtering will never be used.

    We do not currently use VPN, but site-to-site VPN is something I would like to investigate some day.  I have never set up a VPN before, but it sure would be nice if some of our remote sites were available at the main office as if they were on the local LAN.

    As far as a better way to throttle bandwidth on public devices... I'm sure with separate boxes it could be done, but my goal was to have the router in charge of everything, including "governors" on bandwidth for both private and public devices.

    I have been bitten in the past by "bufferbloat", so although we rarely max out our connections, it does happen on occasion; therefore I limit my total throughput to the WANs to a value slightly less than the actual speed for both upstream and downstream.  For example, our 20/20 fiber connection is at no time allowed to exceed about 18/18 from any combination of traffic.  That, coupled with prioritization, helps keep real-time data flowing... at least until the CPU hits 100% LOL.

    Thanks for the input!

    -Alan


  • Netgate Administrator

    Almost any hardware you care to choose is capable of 100 Mbps total throughput. Most will be capable of >50 Mbps of VPN.
    Do you need full Gigabit line speed between internal networks?

    Steve



  • @stephenw10:

    Almost any hardware you care to choose is capable of 100 Mbps total throughput. Most will be capable of >50 Mbps of VPN.
    Do you need full Gigabit line speed between internal networks?

    Steve

    Honestly, I guess this is where I get a little confused.  Disclaimer:  I'm a self-taught networking guy, so I still have much to learn.

    My current router is capable of 150 Mbps throughput as well, but we only use a fraction of that with a 20/20 WAN and a 50/10 WAN.  My problem is the number of clients and NAT/firewall rules, not so much the traffic.  Our current router can hit 100% CPU usage even when not maxing out its throughput.

    I guess that is where I get a little lost: one device consuming 20 Mbit of traffic is a whole lot less demanding on the router than, say, 200 devices consuming 0.1 Mbit simultaneously.

    -EDIT-  Even during max load, our session table is nowhere NEAR what our router is supposed to handle.  I've never seen more than 10,000 sessions, yet this thing is supposed to be capable of 40K, IIRC.

    -Alan


  • Netgate Administrator

    No, not really. Outside of the number of sessions, at least, which is only limited by RAM.
    You'll probably find that that maximum throughput rating is for, say, 1000-byte packets or some other optimised value.
    There is a massive difference between PPS (packets per second) and bits per second.
    All manufacturers like to put the biggest numbers possible in their marketing, so they often optimise the tests for their devices.

    Steve
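
    The PPS-versus-bps point above, worked as a small sizing model. This is an added example written for this thread; it is not code from the pfSense project, from Netgate, or from anyone in the discussion. The Ethernet overhead, the ACK size and delayed-ACK ratio, the 150 Mbps / 1000-byte rating and the traffic mix are all constructed assumptions chosen to resemble the numbers in the thread, not measurements of any real device.

```python
"""
Packets per second versus bits per second: a sizing sketch.

Added example for this thread, not code from the pfSense project or from
anyone in the discussion. All figures below (Ethernet overhead, ACK size and
ratio, the rated throughput, the traffic mix) are constructed assumptions.
"""
from dataclasses import dataclass

# Bytes added around every IP packet on the wire: 14 Ethernet header,
# 4 FCS, 8 preamble, 12 inter-frame gap (assumed plain Ethernet, no VLAN tag).
ETH_OVERHEAD_BYTES = 38
# Assumed size of a bare TCP ACK (20 IP + 20 TCP + 12 bytes timestamp option).
ACK_BYTES = 52


def wire_bits(ip_packet_bytes: int) -> int:
    """Bits one IP packet of this size occupies on the Ethernet wire."""
    return (ip_packet_bytes + ETH_OVERHEAD_BYTES) * 8


def pps_budget(rated_mbps: float, test_packet_bytes: int) -> float:
    """Packets/s a vendor throughput figure really promises, given the
    IP packet size the figure was measured with."""
    return rated_mbps * 1e6 / wire_bits(test_packet_bytes)


def mbps_at_packet_size(pps: float, ip_packet_bytes: int) -> float:
    """Throughput that same pps budget delivers at a different packet size."""
    return pps * wire_bits(ip_packet_bytes) / 1e6


def flow_pps(kbps: float, ip_packet_bytes: int) -> float:
    """Packets/s one flow of a given IP-level bitrate and packet size emits."""
    return kbps * 1000 / (ip_packet_bytes * 8)


@dataclass
class FlowClass:
    name: str
    count: int          # concurrent flows of this kind
    kbps: float         # IP-level bitrate per flow, data direction
    packet_bytes: int   # typical IP packet size in the data direction
    tcp: bool           # TCP flows also generate a reverse stream of ACKs


def mix_load(flows):
    """Total (pps, wire Mbps) for a traffic mix. Assumes delayed ACKs:
    one ACK per two data segments on every TCP flow."""
    total_pps = 0.0
    total_mbps = 0.0
    for f in flows:
        data_pps = f.count * flow_pps(f.kbps, f.packet_bytes)
        total_pps += data_pps
        total_mbps += mbps_at_packet_size(data_pps, f.packet_bytes)
        if f.tcp:
            ack_pps = data_pps / 2
            total_pps += ack_pps
            total_mbps += mbps_at_packet_size(ack_pps, ACK_BYTES)
    return total_pps, total_mbps


def utilisation(rated_mbps: float, test_packet_bytes: int, flows) -> dict:
    """Load as a fraction of the rated figure, measured two ways: by bits
    (what the spec sheet invites) and by packets (what the CPU actually sees)."""
    pps, mbps = mix_load(flows)
    return {
        "by_bits": mbps / rated_mbps,
        "by_pps": pps / pps_budget(rated_mbps, test_packet_bytes),
    }


# Constructed traffic mix, loosely shaped like the thread's description.
EXAMPLE_MIX = [
    FlowClass("audio listeners", count=200, kbps=128, packet_bytes=1400, tcp=True),
    FlowClass("office browsing", count=100, kbps=50, packet_bytes=800, tcp=True),
    FlowClass("VoIP calls", count=10, kbps=80, packet_bytes=200, tcp=False),
]

if __name__ == "__main__":
    budget = pps_budget(150, 1000)  # assumed: "150 Mbps" measured at 1000-byte packets
    print(f"150 Mbps rated at 1000-byte packets = {budget:,.0f} pps")
    print(f"same pps budget at 64-byte packets  = {mbps_at_packet_size(budget, 64):.1f} Mbps")
    for how, frac in utilisation(150, 1000, EXAMPLE_MIX).items():
        print(f"utilisation {how}: {frac:.1%}")
```

    The two utilisation figures disagree, and the packet-based one is the higher: small packets (ACKs, VoIP) spend the pps budget faster than they spend the bit budget. The same model shows a "150 Mbps" box measured with 1000-byte packets delivering only about 15 Mbps of 64-byte packets, which is the marketing effect described above. Treat the numbers as illustrative only; the real per-packet cost on any box also depends on the rule set, NAT, shaping and whatever else runs in the forwarding path.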



  • Comparing a ZyXel USG200 to pfSense is a bit like comparing a DD-WRT router with a 450 MHz processor and gigabit ports to pfSense...

    There isn't much of a comparison.  pfSense is far and away more capable unless you cripple yourself with too little processor or RAM.


  • LAYER 8 Netgate

    A better way to do the public IPs than a bridge would be assigning a routed subnet to an inside interface and turning off NAT.

    If your ISP gives you, say, just a /27 instead of a /27 routed to a /30, you're pretty much stuck with bridging if you don't want NAT (and who does?).

    What I've never tested is how much limiting/shaping you can do on a WAN interface bridge member.  Especially inbound connections since the traffic completely bypasses the WAN rules.


  • Netgate Administrator

    Only if you've disabled filtering on the bridge members. You can limit and shape on bridged interfaces, as far as I'm aware. A bit old, but for example:
    http://blog.davidvassallo.me/2012/10/23/traffic-shaping-pfsense/

    There are some restrictions though, such as: https://redmine.pfsense.org/issues/3824
    And more importantly in 2.2: https://redmine.pfsense.org/issues/4405

    Steve

