Firewall throughput - what does it mean to internal network?



  • Hi there,

    I'm running pfSense nano on WG x550e, with a reported FW throughput of 390 Mbps.

    http://www.watchguard.com/products/core-e/compare.asp?p1=x550e&p2=x750e&p3=x1250e

    I have gigabit internal network with 4 VLANs and FW a few FW rule to allow traffic between them. I also have QNAP (sitting in its own VLAN) and quite lot of data in and out there. Is it enough for internal network transfer seed? Can any one explain a bit to me please? Best!



  • I guess it's about the NAT throughput?



  • So, that x550e is not suitable for gigabit internal network at all? Or am I talking/thinking just nonsense?



  • Can anyone shade some light on this - like what I'm missing with 390 Mbps FW throughput or is there any advantages for me to go with one say, 1Gbps throughput? Best!



  • When a vendor says that a firewall is rated for X mpbs throughput they mean just that. The firewall can generally process and forward traffic at that rate. Whatever X is, 390 mpbs in your case, will be shared between all interfaces on the firewall. So if ports 1 and 2 have 200 mbps of traffic traveling between them then that leaves 190 mbps of capacity left for the large file transfer going between ports 3 and 4.

    Whether or not you actually get the rated throughput is a bit more complex and has a lot to do with the nature of the traffic the firewall is processing and how you are asking the firewall to process it. Filtering by IPs and port numbers at layers 3 and 4 is much faster than filtering by HTTP URL at layer 7 with a regex for example. Packet and header sizes and even TCP window sizes can also come into play.

    Most of the vendor stated throughput ratings on commercial grade firewalls are gotten using a testing method that is often somewhat specific to that vendor. Sometimes the testing method is a good measure of real world performance, sometimes it isn't.

    The other question is how much firewall throughput do you actually need. Are you actually fully saturating that gig port on the firewall? Or are you only pushing 100 mbps most of the time with occasional spikes to 300 mbps? Most customers I see who have gigabit LAN speeds don't actually use or even need the full 1000 mbps. Some do though, and they need true gigabit capable hardware, the rest use cheaper stuff with gig ports.



  • Well, maybe I'm not really saturating the full gig all the time but I do transfer large files (~6G) back and forth between the QNAP and various devise. The most used data transfer is the recording data (@1080p) from 4 security-camera 24/7 to QNAP. And also very high bit-rate 1080P movie streaming, which I struggle to do with 10/100 fast Ethernet. The Cameras, QNAP, and other servers are all on the same switch but in different VLANs and the WiFi AP is connect to a different port on a separate VLAN. So all the signals go through the the FW. Although I do understand TCP/IP and the OSI stack fairly well but not a code networking person. So trying to figure out if I really need to upgrade the FW to get the full advantages of my internal gigibit network.



  • Since you say you're already running the stuff, instead of relying on performance numbers achieved in an unknown way on a different software, why not simply test it yourself to see if performance is "enough" for your needs?


Log in to reply