What can my firewall handle
-
I was recently demonstrating the glorious capabilities of pfSense to a hardcore Cisco addict. I was told that there is not any chance that a "Linux-based OS" could come close to competing with the ASA line (that statement is so wrong on so many levels), but not to nitpick. I am looking for a way to measure and prove what he calls "the determining factors": basically throughput, max simultaneous connections per second, and max new connections per second. Is there a chart or tool out there that I can use to get a fairly accurate number on this if I run it against our firewalls that are currently in production?
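The two connection figures asked about above can be measured without a commercial test rig: a generator on one side of the firewall opens TCP connections as fast as it can and holds them open, a sink on the other side accepts and holds them, and the firewall's own state table is read while the burst runs. The script below is an added example for this thread, not code from the original post or from the pfSense project. It assumes the sink and generator are on opposite sides of the firewall under test (here both run on 127.0.0.1 so it can be exercised offline), and its hypothetical functions `start_sink` and `connection_burst` report opened connections, connect failures, wall time and the resulting new-connections-per-second rate.

```python
import socket
import threading
import time


def start_sink(host="127.0.0.1", port=0, backlog=1024):
    """Start a TCP listener that accepts and holds every connection open.

    Run this on the far side of the firewall under test. It never sends
    data, so the only load is the handshake plus the state each connection
    pins in the firewall's table. Returns (bound_port, stop_event); setting
    the event closes all held connections and the listener.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(backlog)
    srv.settimeout(0.2)          # lets the accept loop notice stop_event
    stop = threading.Event()
    held = []                    # accepted sockets, kept open on purpose

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                held.append(conn)
            except socket.timeout:
                continue
            except OSError:
                break
        for c in held:
            c.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def connection_burst(host, port, total, connect_timeout=2.0):
    """Open `total` TCP connections as fast as possible and keep them open.

    Returns a dict with:
      opened      - connections that completed the handshake
      failed      - connect() errors (SYN drops, state table full, ...)
      concurrent  - connections still held open at the end of the burst
      seconds     - wall time for the whole burst
      new_per_sec - opened / seconds, the "new connections per second" figure
      sockets     - the open sockets, released with close_all()
    """
    socks = []
    failed = 0
    t0 = time.perf_counter()
    for _ in range(total):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(connect_timeout)
        try:
            s.connect((host, port))
            socks.append(s)
        except OSError:
            failed += 1
            s.close()
    elapsed = time.perf_counter() - t0
    return {
        "opened": len(socks),
        "failed": failed,
        "concurrent": len(socks),
        "seconds": elapsed,
        "new_per_sec": len(socks) / elapsed if elapsed > 0 else float("inf"),
        "sockets": socks,
    }


def close_all(result):
    """Release the sockets held open by connection_burst()."""
    for s in result["sockets"]:
        s.close()


if __name__ == "__main__":
    # Offline demo: sink and generator on the same host (constructed setup).
    port, stop = start_sink()
    res = connection_burst("127.0.0.1", port, total=500)
    print("opened=%d failed=%d concurrent=%d in %.3fs -> %.0f new conn/s"
          % (res["opened"], res["failed"], res["concurrent"],
             res["seconds"], res["new_per_sec"]))
    close_all(res)
    stop.set()
```

Against a real firewall, raise `total` until `failed` starts climbing or the rate plateaus; that knee is the box's new-connection limit for this traffic, and the held-open sockets give the concurrent-session figure. Correlate with the firewall's own view while the burst runs (on pfSense, `pfctl -si` shows the state table's current entries). Throughput is a separate measurement; a bulk transfer tool between the same two hosts covers that.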
-
Just picking one of the high-end ASA boxes, the ASA 5555-X, it has pretty bad specs.
4Gb/s under ideal conditions
1.5Gb/s of stateful multi-protocol traffic
700Mb/s of VPN
1.1m PPS
1mil sessions
$10k for something that amounts to an Intel i3/i5 is willful highway robbery. You're probably paying for a mix of brand name and support. Having someone to point the blame-finger at is a form of job security, even if you pay 10x for it.
-
… and on the other hand, why compare a more "hardware solution" with a nearly pure "software solution"?
An influence might be: running pfSense on this: http://store.netgate.com/Desktop-Systems-C83.aspx or something like this: https://pfsense.org/products/product-family.html#c2758
A big difference will be: the knowledge of the admin running it.
Your question isn't really one; it can't be answered with a simple reply.
-
Just picking one of the high-end ASA boxes, the ASA 5555-X, it has pretty bad specs.
4Gb/s under ideal conditions
1.5Gb/s of stateful multi-protocol traffic
700Mb/s of VPN
1.1m PPS
1mil sessions
$10k for something that amounts to an Intel i3/i5 is willful highway robbery. You're probably paying for a mix of brand name and support. Having someone to point the blame-finger at is a form of job security, even if you pay 10x for it.
Depending on the type of VPN … no simple i3 or i5 will push 700 Mbit over OpenVPN easily.
Also, depending on the CPU, 4Gb/s of throughput isn't all that easy if all of it has to be NATed as well (NAT on pf is still single-threaded AFAIK). So while it shouldn't be all that difficult to build a system for half (or a quarter) the price of your Cisco, I don't see it happening on a cheap i3.
-
pfSense dies at 1 Mbit/s of ACK traffic… a Linux won't.
Compare Mikrotik or a Linux-based OS with the Cisco.
FreeBSD is currently dead security-wise until a core issue is dealt with.
-
Just picking one of the high-end ASA boxes, the ASA 5555-X, it has pretty bad specs.
4Gb/s under ideal conditions
1.5Gb/s of stateful multi-protocol traffic
700Mb/s of VPN
1.1m PPS
1mil sessions
$10k for something that amounts to an Intel i3/i5 is willful highway robbery. You're probably paying for a mix of brand name and support. Having someone to point the blame-finger at is a form of job security, even if you pay 10x for it.
Depending on the type of VPN … no simple i3 or i5 will push 700 Mbit over OpenVPN easily.
Also, depending on the CPU, 4Gb/s of throughput isn't all that easy if all of it has to be NATed as well (NAT on pf is still single-threaded AFAIK). So while it shouldn't be all that difficult to build a system for half (or a quarter) the price of your Cisco, I don't see it happening on a cheap i3.
I actually have an i3-2100 box that does incredibly well under those loads (with the exception of the OpenVPN metric; I will test that this week just to see). The CPU barely blips. My specs are in my sig. $400 box.
I know that I can put 4.8M states on the box and set the upper limit to 8M states just for kicks. NAT was enabled.
As Supermule noted, there is an underlying bug somewhere that we are aggressively trying to find. I have my theories and am collecting more data to validate them.
Also, pfSense is based on FreeBSD, which is not Linux.