What limits the number of states that pfSense can handle?



  • I'm seeing that all of my pfSense boxes have a fixed number of states that it can handle, which is 10,000.

    What sets this number?  Is it an arbitrary limit?  Kernel limitation?  Driver limitation?

    I have an environment I'm looking to put 2 or more pfSense firewalls into place to share the load, and I think they have the horsepower to handle far more than a WRAP box can, but they are both limited to this 10,000 number.  What establishes this limit?



  • It's adjustable: system>advanced, maximum states.
    Btw, this has been answered before: http://forum.pfsense.org/index.php?topic=35.0



  • @Numbski:

    I'm seeing that all of my pfSense boxes have a fixed number of states that it can handle, which is 10,000.

    What sets this number?  Is it an arbitrary limit?  Kernel limitation?  Driver limitation?

    I have an environment I'm looking to put 2 or more pfSense firewalls into place to share the load, and I think they have the horsepower to handle far more than a WRAP box can, but they are both limited to this 10,000 number.  What establishes this limit?

    The 10K states is an arbitrary default set by pf.  Each state eats approx. 1K of RAM so 10K states could potentially eat 10MBytes - the pf (note, I'm not talking about pfsense) developers chose 10K due to a desire to have pf work out of the box on low memory platforms.  We've chosen to keep that limit, however, as hoba pointed out, this is changeable in System->Advanced.  At some point, I may choose to make this a dynamic default based on system memory, but 10K is actually a halfway decent default that most users won't exceed.

    –Bill

