What impacts performance?



  • I know the amount of packages you're using affects the performance (throughput) you can expect, but on a hardware-level, what performance can you expect from what kind of hardware? Overall it's really hard to find any performance numbers on pfSense-boxes, like some kind of sizing-guide…
    I have found http://www.firewallhardware.it/en/pfsense_selection_and_sizing.html which is an interesting read, but there's a big difference between for example their UTM4 (INTEL® Atom Dual-Core Processor D525 (45nm,1.80GHz,1024MB L2 Cache)) and their Power UTM (INTEL® Core™ i7-3740QM Processor (6M Cache, up to 3.70 GHz)): performance numbers are about 50% higher, but the CPU has double the amount of cores running at double the speeds.

    My box has gigabit NICs, but what does affect the attainable speeds? The CPU? The amount of CPU-cache or cores or clockspeed? The RAM: the amount or the clockspeed? Running from CF vs HDD vs SSD?

    In my setup, there are two WAN-connections (up to 100mbit) connected to my pfSense box, there will be NATting, port forwarding, WAN loadbalancing and failover and some rules to direct traffic through one or another WAN-link. On the internal side, connected to a gbit switch there are some internal VLANs defined with firewall rules between them. I assume that's nothing exotic. Can I expect to reach that 1gbit speed internally?
    What if I want to do IPSec in the future: are VPN-cards still the way to go, or are AES-NI-capable CPUs a better way?



  • Lots of questions…

    Question 1: What affects speed - After sufficient memory/gbit network cards: feature support and instructions per clock cycle. Feature support like AVX/AES-NI and QuickAssist (soon) makes a big difference to speed. Hard drive/SSD speed is only an issue if you use a cache such as Squid.

    Question 2: Are VPN cards the way to go? - Generally not. Intel chips can do about 1-2 GB/s per core if they have AES-NI and they run at about 2 GHz - this far exceeds the speed of most VPN cards.

    Hope this helps



  • I know the amount of packages you're using affects the performance (throughput) you can expect, but on a hardware-level, what performance can you expect from what kind of hardware?

    This depends on so many points that it is really hard for someone to answer this question right now!
    Which packages are you running and what is your config? You have no need of massive DPI usage
    but I am using this, and so we both have a 100 MBit/s Internet connection up and running and I am
    running an Intel Xeon E3-1286v3 @3,4GHz and you only an Intel Atom D525 and we both get around
    ~60 MBit/s - 80 MBit/s throughput, but on my side the DPI is running and on yours not!!!! That's it.
    Please have a closer look at pfSense hardware

    Overall it's really hard to find any performance numbers on pfSense-boxes, like some kind of sizing-guide…
    I have found http://www.firewallhardware.it/en/pfsense_selection_and_sizing.html which is an interesting read, but there's a big difference between for example their UTM4 (INTEL® Atom Dual-Core Processor D525 (45nm,1.80GHz,1024MB L2 Cache)) and their Power UTM (INTEL® Core™ i7-3740QM Processor (6M Cache, up to 3.70 GHz)): performance numbers are about 50% higher, but the CPU has double the amount of cores running at double the speeds.

    A router is not a firewall and a firewall is not a UTM device!
    Comparing them against each other is like:

    • pfSense only and 1 GBit/s WAN connection = Intel Celeron G3260T is sufficient
    • pfSense SPI/NAT/Firewall only = Intel Atom C2358 is sufficient
    • pfSense & Squid & SquidGuard & Snort = Intel Atom C2758 would be sufficient
    • pfSense & Squid & SquidGuard & Snort & HAVP (ClamAV) = Intel Xeon E3-12xxv3 would be sufficient

    Each firewall rule, each DPI usage, each IDS/IPS usage and HTTP proxy or AV scan on top
    slows down the entire pfSense firewall.

    My box has gigabit NICs, but what does affect the attainable speeds? The CPU? The amount of CPU-cache or cores or clockspeed?

    All of these together make it a round thing!

    The RAM: the amount or the clockspeed?

    Unix, BSD and Linux can't have enough RAM; if you install many packages and activate many services
    and then feed it with multiple GB WAN connections, both are really urgent.
    The best these days is to go with ECC RAM at 1600MHz or 1866MHz:

    • 2 GB: Firewall only
    • 2 GB - 4 GB: Firewall & IDS
    • 2 GB - 8 GB: Firewall & IDS & Proxy
    • 8 GB - 16 GB: Firewall & IDS & AV scan & raising the mbuf size & using a greater amount for Squid
    • 16 GB - 32 GB: all of the above and massive VPN connections from road warriors.

    Running from CF vs HDD vs SSD?

    CF card = read only = more secure
    HDD = cheap + huge storage and fast
    SSD = more storage and super fast

    In my setup, there are two WAN-connections (up to 100mbit) connected to my pfSense box, there will be NATting, port forwarding, WAN loadbalancing and failover and some rules to direct traffic through one or another WAN-link.

    Dual WAN & Load balancing

    • service based
    • session based
    • policy based

    An Intel Celeron G3260 @3,2GHz, 1 SSD, Intel Quad Port server adapter and 2 x 4 GB
    should do the job fine; perhaps Snort on top will also run smoothly and fluidly.

    On the internal side, connected to a gbit switch there are some internal VLANs defined with firewall rules between them. I assume that's nothing exotic. Can I expect to reach that 1gbit speed internally?

    For how many and what kind of clients must this be running? How much data will be pumped through!?
    Why not buy a Cisco SG300-28/48 switch and let it do it at wire speed? Why must the firewall or
    router do it all? With this on top, the Celeron G3260T is not able to do it, if I see it right!

    What if I want to do IPSec in the future: are VPN-cards still the way to go, or are AES-NI-capable CPUs a better way?

    This is still quite easy to answer: for you and me and most people here in the forum it will be
    the AES-NI solution; at work we were starting to set up VPN servers based on CentOS & SoftEtherVPN
    with de-compression cards and VPN crypto accelerators to get the last bit out of any connection.

    So if I see it right you should go with an
    Intel Xeon E3-1231 or 1241

    • with Intel Quad Port Server adapter
      Intel Core i5 but then the greatest you can get your hands on
    • with Intel Quad Port Server adapter
      Intel Atom C2558 or C2758

    The SG-xxxx units from the pfSense store could also be something for you!