Can PfSense run in network intensive environment
-
Hello,
I am in the online games business (3D MMORPGs)and am considering using PfSense everywhere in my networks, not only in the offices.
The thing is that the game servers make intensive usage of the network, I am currently running 12 servers (6000 average clients connected on each) behind an expensive Juniper firewall.I plan to use instead one PfSense box for each server.
The hardware is :
Poweredge 1950 III
2x Xeon Quad 2.3Ghz
4 Gb DDR2
2x SAS 73Gb
Intel PRO/1000 Dual Ports
Cat 6a cable
1 Gb/s WAN LinkThe only services needed are Firewalling with a block all rule and 4 ports open, Virtual IP, NAT 1:1 and SNMP.
The problem is that I am not sure that PfSense can handle that much connections without any troubles.Any advices ?
Thanks
-
I think this might interrest you: http://forum.pfsense.org/index.php/topic,7668.0.html
-
According to some feedbacks, it can handle quite a lot of connections, but I am particularly afraid of the latencies because unlike webservers and databases online games are very sensible to latency and they generate a lot more packets exchange.
-
If you're not convinced by comments made to this post or documentation found in this forum I believe you will have to perform a test, preferably side by side with your current solution.
Start with a decent piece of hardware with Intel NICs (KISS). This link can help you define "decent piece of hardware" http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49. Make changes to the config to align with your goals, and add services one at a time to assess impact on performance. Decide on redundancy etc and incorporate into your tests. If your then convinced make a decision to standardize on hardware and config for your deployment.
Weather I think it will work or not is irrelevant, you have to be convinced.
–Seth
-
Will try it anyway, but just wanted to get some feedbacks from people that deployed similar architecture.
Will keep you updated on how it works, if those can replace my 50k$ Juniper currently used, I will throw some serious donations to speed up the FreeBSD7 build, as it look quite promising.Thanks for answers
-
I have successfully tested 450 SIP clients through pfSense 1.2 with a total througput of 750mb/s for approximately 10 minutes (the call got a little boring after that). Voice quality was great, no jitter according to the call manager monitor and zero issues on the firewall (memory, cpu, etc). Not exactly what you do but I believe it was a valid test.
Curtis
-
I couldn't install it on my servers due to the chipset not being supported (PERC/6i) will get some SAS/6i in a couple of days I would like to give a try. The required drivers are in FreeBSD7 anyway so I hope that 1.3 version is coming fast.
-
PERC 6/i should be supported in FreeBSD 6.3 and 7.0; I have a PowerEdge 2950 III cthat has a PERC 6/i in my development setup at the moment.
I suspect that you're trying to use pfSense 1.2-RELEASE, which is based around FreeBSD 6.2. The version of mfi(4) in FreeBSD 6.2 is too old to have PERC 6/i support. I think you may be unlucky with a SAS 6/iR card as well unless you use a FreeBSD 6.3 or 7.0 based build - though I haven't checked the CVS logs for the mpt(4) driver.
As my 2950 III has a DRAC 5 in it, it was trivial to try booting it with the pfSense 1.2 image based on FreeBSD 6.3 found at http://cvs.pfsense.org/~sullrich/testing_images/6/FreeBSD_RELENG_6_3/pfSense_RELENG_1_2/ - I downloaded pfSense.iso.gz and ran it through WinZip to ungzip it. I then set the DRAC 5 to use this image as a virtual floppy and used the F11 menu to boot from the virtual CD-ROM. The PERC 6/i and its arrays were recognised just fine.
This image is working well for me in production on a PowerEdge R200 - FreeBSD 6.2 is too old to support the ICH9 SATA controllers, but this image works without problems.
pfSense 1.2.1 will be with us fairly soon - that will be a pfSense release based around FreeBSD 6.3 as this image is, with some of the bugs in 1.2-RELEASE fixed as well.
-
Thanks for tip, I've been trying to use the FreeBDS 7 based version but I couldn't log in the webinterface, after entering infos and clicking ok it was doing nothing so I gave up.
As it is going to run in an intensive production environment I am waiting for stable release tought, I ordered more powerful servers also just to be sure : 2 x Quad Xeon 3Ghz.
-
Hopefully pfSense 1.2.1 won't be too far away.
Only the developers can speak for sure, but I believe the image I posted the link to is regarded as production grade - albeit to be used only if your hardware requires a later OS than FreeBSD 6.2-RELEASE. It's pfSense 1.2-RELEASE built on top of FreeBSD 6.3-RELEASE rather than 6.2-RELEASE.
It's working well in production here, as I said - current uptime is 28.5 days.