pfSense hardware lacking important info



  • I am curious as to why there is no mention as to the vpn throughput for the firewalls or the wan speed capabilities?  Actually initially there was basic info but then it was removed and now there is no reference to its capabilities.  I called a couple of times and was told that they had not tested it yet but that was several months ago. I would expect that a product be fully tested and include details of the system performance if selling it as a viable solution to compete with other firewall vendors.

    Understand I think pfSense is an incredible open-source firewall solution so I am not trying to bash it in any way.  In fact I have purchased from the store for a client.  But when you compare to other solutions they include what type of ipsec or vpn performance you can expect.

    And for those arguing that the answer is not simple due to not being able to control other factors such as routes between A and B then even just a test showing the performance with just a switch between them would be fine.  I hope someone eventually provides this information as I am hesitant to move forward with purchasing any additional products

    :o :o :o



  • What device you were buying and from where?
    You can build your own appliance that is delivering much more power and/or IPSec throughput.

    Intel Atom C2758
    Intel Xeon D-1540
    Intel Xeon E3-12xxvx
    Intel Xeon E5-16/26-xx

    And by the way all depends on your configuration and or all other running services or installed packets
    so if you want to get out the most of your IPSec connection you could also try out to set up a dedicated
    VPN server, we have done this for many of our branch offices and the central by using CentOS & SoftEtherVPN
    as a VPN server with a decompression / compression card and a VPN crypto accelerator from Comtech AHA.
    Placed in a DMZ this would be not the real problem as I see it right.

    So if the pfSense firewall will be freed from some tasks or services the firewall is more powerful.



  • Yes I understand that I can build my own but pfsense is now selling the firewall as a complete solution just like Cisco and other firewall mfg's.  If a company is going to sell a solution they should provide details with regards to its capabilities.


  • Banned

    I honestly appreciate NOT publishing bullshit figures. If you need marketing nonsense, perhaps you are not in the right place.



  • @kapara:

    . . . for those arguing that the answer is not simple due to not being able to control other factors such as routes between A and B then even just a test showing the performance with just a switch between them would be fine.  I hope someone eventually provides this information as I am hesitant to move forward with purchasing any additional products

    I agree.  Performance/capacity/capability should be published for default/basic config.



  • If a company is going to sell a solution they should provide details with regards to its capabilities.

    Perhaps if they are willing to give the numbers out for each box like these:

    • LAN throughput
    • WAN throughput

    With AES-NI:
    • IPSec (AES128 & AES256) throughput
    • OpenVPN throughput

    Without AES-NI:
    • IPSec (AES128 & AES256) throughput
    • OpenVPN throughput

    And then someone is getting not so much out with the same box and the trouble begins?
    Which config should be run during the test, is this config file able to download for all people also?
    What do you think the people will do if they can't get the same numbers out, they will all RMA the units
    and then? This should be a project where all customers can be sure to get 100% working hardware out
    and the project will be financed by side. The pfSense team is not Cisco or Juniper and makes the big
    business with these machines as some would imagine. And by the way inside of Cisco or Juniper
    firewalls, routers, or any other kind of appliances they are using code that is pushed by ASIC/FPGAs
    that they reach those kinds of numbers.



  • @doktonortor… LOL. Grow up

    It is important to know what a device's capabilities are before you buy it.  Not after so we're not talking about bullshit marketing but actual throughput results.  Of course it is not going to be perfect but understanding that a device is capable of 500mbit IPSec or 10mbit IPSec is pretty important.  It does not sound like you know what it is like to sell products to companies or implement solutions for companies.  No intelligent person would sell or deploy a solution without first knowing whether or not the device is capable of providing the level of service they require.



  • @kapara:

    @doktonortor… LOL. Grow up

    It is important to know what a device's capabilities are before you buy it.  Not after so we're not talking about bullshit marketing but actual throughput results.  Of course it is not going to be perfect but understanding that a device is capable of 500mbit IPSec or 10mbit IPSec is pretty important.  It does not sound like you know what it is like to sell products to companies or implement solutions for companies.  No intelligent person would sell or deploy a solution without first knowing whether or not the device is capable of providing the level of service they require.

    For me, the allure of the official pfSense hardware is streamlined support for any problems, software or hardware. I never saw it as a "we need X to serve 100Mbit VPN in a week" kinda product.

    It is what it is. I would like to see guaranteed performance as well, but I understand why it does not exist.

    I am just some networking noob, but can you not make an accurate guess about the device's worst-case performance? Surely the device would be cheaper than Cisco (I hope…), if that is your concern. It is good to have varied choices. :)


  • Banned

    @kapara:

    It is important to know what a device's capabilities are before you buy it.  Not after so we're not talking about bullshit marketing but actual throughput results.  Of course it is not going to be perfect but understanding that a device is capable of 500mbit IPSec or 10mbit IPSec is pretty important.

    Dude, if you cannot figure that out from HW specs with this sort of "precision", perhaps you shouldn't be the person doing the purchase decisions? As for your "actual throughput results", that's the exact problem. The ESF "actual" ain't going to match your "actual". Because that's not how real world works.



  • is not going to be perfect but understanding that a device is capable of 500mbit IPSec or 10mbit IPSec is pretty important.

    And then? You have 100% surely not the same set up as the test procedure and then? You come back
    closer to the point that you must expect or imagine once more, what now this device is able to do for you
    but with your configuration and your set up!

    It does not sound like you know what it is like to sell products to companies or implement solutions for companies.

    You can be sure that this hardware will be 100% supported by pfSense
    You will be able to get once more again your hands on the same hardware.
    I am pretty sure there is more something in like the cost per each year of writing code for pfSense
    is at $$$ and how we can get some money to feed this project or keep them alive or make it better running.
    You will be sure to find many more persons using this hardware to find out problems here in the forum
    It makes more sense to write code or add functions like the Intel QuickAssist if you know there are many
    people with the same hardware specs.

    No intelligent person would sell or deploy a solution without first knowing whether or not the device is capable of providing the level of service they require.

    And on the other hand you must only add your favourite packets to narrow down this tech. specs.
    or only using massively Layer7 DPI tasks to come closer to absolutely other numbers.

    For me, the allure of the official pfSense hardware is streamlined support for any problems, software or hardware.

    This can be a really nice by side effect that comes with this type of hardware assembled together, but
    might not be the real goal you get from.

    I never saw it as a "we need X to serve 100Mbit VPN in a week" kinda product.

    VPN is a both ended and placed story, so if one side is really wicked and right sorted with hardware
    and the other end is a "lame duck" it will be also not representing the "real world situation".

    And if they (pfSense team) are taking then two XG-1540 machines and let them doing a VPN test
    most of the people want to see it compared against all the other SG-xxx units also, or thinking
    they (pfSense team) will now that you go buying two of these devices.

    It is what it is. I would like to see guaranteed performance as well, but I understand why it
    does not exist.

    In fact there will be some number that should be announced but for a deeper knowledge the pfSense
    team can also be called by phone or contacted by email to discuss exactly your needs or config or kind
    of usage.



  • Bottom line is there should be estimated calculations on performance.  Netgate even had it for the ALIX and it was pretty accurate to what I got for VPN between 2 alix boxes.  But those were machines that I built and installed the OS.  When buying a system that has been purpose built just like Cisco, Juniper etc..  a company should give statistics on what the box is capable of.  Again everyone states these are estimates but generally those estimates are pretty accurate.

    Say what you want but the bottom line is I cannot risk my business on a solution that when it comes to the system's performance has a bunch of ??????.

    Don't misunderstand where I am coming from.  I have been using both m0n0wall and pfSense for over 10 years now.  I have been building them for customers for this entire time and have more than 50 units in production environments.  I want to support the pfSense project by buying their products rather than building my own which building my own is much more profitable.  But if I am going to do that then I need a complete solution and it should include what the machine is capable of.