Yet another hardware recommendation thread
-
After doing a ton of digging, I've figured out a few things, been scared by a few others, and generally ended up more confused overall.
Setup basics:
20 Mb/s Dual WAN
1 Gb/s switches with 10 Gb/s uplinks for LAN
About 10 VLANs in the LAN
Internal VOIP server
A few, less than 10, OpenVPN clients at a time
Clients and servers are on separate VLANs, with rules between
CARP setup
Basic question:
What do I need to have hardware wise to ensure 1 Gb/s routing between the multiple VLANs? (Only four VLANs are expected to have enough traffic to fill a 1 Gb/s pipe.)
From reading, the pfSense store boxes peg the CPU before getting to 1 Gb/s, so they couldn't route even 1 Gb/s between two VLANs. Firebox X1250e boxes apparently suffer the same consequences, even though there are 8x1 Gb/s NICs.
Apparently pfSense 2.2 will do multi-threading. So, do I really need to have a 12+ core 2.0+ GHz box with at least two PCIe x16 bus expansion slots holding two 4 port i210 or better cards?
Anybody got a good recommendation?
-
All Core-e and Peak-e boxes are mostly identical internally, albeit missing some connectors on the lower priced models. I use an x750e with a 2.13 GHz Pentium M CPU ($7 on ebay with free shipping) and two 1 GB Hynix memory modules, and I can push about 150 Mbit of internet traffic on a speed test, and only hit about 30% CPU usage. I'm looking to move the same 1 Gb/s across VLANs soon, so my sights are set on the newer model, an XTM5 series box from WatchGuard. Again, these boxes are largely unchanged from the first model to their current offering, but I'm guessing they should be more than adequate in their current configuration to move that kind of traffic.
-
Either I'm not configuring something right, I'm not understanding how something is working, or I'm not explaining something correctly. With the setup above, it is realistic that there could be 4-6 Gb/s of traffic passing between the different VLANs at any given point in time, with a very small portion going out the WAN. However, that is 4-6 Gb/s hitting the processor, right? When I tested a file copy between two VLANs the processor usage decidedly increased, and as soon as I stopped the file transfer, processor usage immediately dropped. With 150 Mb/s you hit 30%, so at 450 Mb/s you will be approaching 90%. (Assuming that there is some overhead in the 30% figure that wouldn't increase.) So, even with a dual core, you still can't hit 1 Gb/s. To carry 4 Gb/s you need about 10 cores minimum, right?
-
If it were only the CPU doing the work, then yes. Firebox has some nice hardware to handle TCP traffic. http://en.wikipedia.org/wiki/TCP_offload_engine
-
Ok, so that's good news. For the most part, I think, especially since the heavy traffic should almost all be TCP. That little line about Linux and QoS is a bit disconcerting though, as QoS is absolutely essential in this instance. Have you, or anyone else, seen any numbers on what to expect on the Firebox devices? Something even basic like the charts on the store devices would be really helpful.
-
pfSense is not Linux based.
-
Why do I just want to scream TROLL!!!!
Seriously, by all reasonable accounts the Wiki page referenced seems to be referring to any variant of *NIX, including any of the BSD variants. Are you going to write out every variant of *nix every time you reference this stuff? Your posts will end up two miles long on the first mention.
Now, if you have specific knowledge as to why this particular issue is not an issue with BSD variants, or pfSense in particular, I'd love to hear it.