pfSense Tuning



  • Hi all,

    Is there any good document to help us tune pfSense performance? I am trying to do a load test of pfSense on my server (CPU: 6 cores x2, RAM: 32G). When the pfSense state table holds ~23M records, pfSense responds very, very slowly. I checked the CPU and RAM usage: 27% and ~20% respectively. The network traffic is only 70M. Therefore, I don't know what issue causes the server to respond slowly. Do you have any good suggestions for me to debug it?

    Thank you very much.



  • 23 million states is a huge load for any firewall (the biggest Cisco ASA you can buy maxes out at 4 million, for comparison, and that costs as much as a house); some things will be slow with a state table that big. Mbps is largely irrelevant; performance is about pps and new connections/sec. If your typical use would involve 20+ million simultaneous connections, you don't want to be pushing that traffic through a single firewall of any sort.

    What are you attempting to tune for?



  • Hi,

    On the pfSense website (https://www.pfsense.org/products/), I find the SG-4860 model can support 8M Max Active Connections (Active Connections = State Table records?).

    My testing server (CPU or RAM) hardware is better than the SG-4860. So I suspect my configuration in pfsense is not correct.

    Please advise.



  • There isn't a "go fast button"; to offer any advice we'll need to know what you're trying to do. Just because your system's faster doesn't mean it can handle an infinitely large state table. I'm well aware of what the website says.



  • Hi,

    I am simulating our system suffering a DDoS attack to see how much of a DDoS attack pfSense can protect against.

    Thanks.



  • DDOS protection is a hard problem and PFSense takes the stance of protecting your network from outsiders getting in, but DDOS is not such a problem. As a firewall, PFSense works great, it is not a DDOS solution for state exhaustion.

    You can tune PFSense to kill states faster than the defaults. By default, PFSense holds an unestablished TCP state open for 90 seconds. This default was created decades ago and I reduced mine down to something like 15 seconds, which may or may not work for you. I'm a home user, not a business.
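The first post asks how to debug the slowdown and this reply points at state timeouts. As an added example that is not from the thread or from the pfSense project, here is a small POSIX shell script that reads the counters pf exposes through `pfctl -si` (state table totals and rates, including the `state-limit` counter of connections refused because the table was full), `pfctl -sm` (the `states` hard limit, which pfSense sets from "Firewall Maximum States" under System > Advanced > Firewall & NAT) and `pfctl -st` (the state timeouts, where `tcp.first` is the timer for a TCP state whose handshake has not completed). It reports how full the table is, how many new states arrive per second, and how many half-open entries that rate can keep alive for one `tcp.first` period, which is why lowering that timer caps the load. The `SAMPLE_*` strings are constructed text that mimics pfctl's layout so the script runs offline; the numbers in them are made up to mirror the thread, and on a live box you would capture the real output as the comments show.

```shell
#!/bin/sh
# Added example (not from the thread): estimate pf state-table pressure from
# the text that `pfctl -si`, `pfctl -sm` and `pfctl -st` print on pfSense/FreeBSD.
# The three SAMPLE_* strings are constructed to resemble that output so the
# script runs offline; on a live box, capture them instead, e.g.
#   SAMPLE_SI=$(pfctl -si); SAMPLE_SM=$(pfctl -sm); SAMPLE_ST=$(pfctl -st)

SAMPLE_SI='Status: Enabled for 0 days 01:02:03           Debug: Urgent

State Table                          Total             Rate
  current entries                 23000000
  searches                     98000000000        81666.7/s
  inserts                       1500000000         1250.0/s
  removals                      1480000000         1233.3/s
Counters
  match                         1500000000         1250.0/s
  bad-offset                             0            0.0/s
  state-limit                        12000           10.0/s'

SAMPLE_SM='states        hard limit 24000000
src-nodes     hard limit  2400000
frags         hard limit     5000
table-entries hard limit   200000'

SAMPLE_ST='tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
adaptive.start         14400000 states
adaptive.end           28800000 states'

# Number of states currently held (the "23M records" figure from the first post).
state_current() { printf '%s\n' "$1" | awk '/current entries/ { print $3 }'; }

# Hard limit on states ("Firewall Maximum States" in System > Advanced > Firewall & NAT).
state_limit() { printf '%s\n' "$1" | awk '$1 == "states" { print $4 }'; }

# Integer percentage of the hard limit in use.
state_pct() { awk -v c="$1" -v l="$2" 'BEGIN { printf "%d\n", c * 100 / l }'; }

# New states per second: the metric the second reply says matters more than Mbps.
insert_rate() { printf '%s\n' "$1" | awk '$1 == "inserts" { sub("/s", "", $3); print $3 }'; }

# Connections refused because the table was full (pf's state-limit counter).
state_limit_drops() { printf '%s\n' "$1" | awk '$1 == "state-limit" { print $2 }'; }

# Timeout in seconds for a TCP state whose handshake has not completed (pf's tcp.first),
# the timer the reply above shortens so half-open connections are dropped sooner.
tcp_first_timeout() { printf '%s\n' "$1" | awk '$1 == "tcp.first" { sub("s$", "", $2); print $2 }'; }

# Half-open states a given new-state rate can keep alive for one tcp.first period:
# rate (states/s) * timeout (s). Shows why shortening tcp.first caps the load.
half_open_capacity() { awk -v r="$1" -v t="$2" 'BEGIN { printf "%d\n", r * t }'; }

report() {
  cur=$(state_current "$SAMPLE_SI")
  lim=$(state_limit "$SAMPLE_SM")
  rate=$(insert_rate "$SAMPLE_SI")
  tf=$(tcp_first_timeout "$SAMPLE_ST")
  echo "states in use:         $cur / $lim ($(state_pct "$cur" "$lim")%)"
  echo "new states per second: $rate"
  echo "state-limit drops:     $(state_limit_drops "$SAMPLE_SI")"
  echo "tcp.first timeout:     ${tf}s"
  echo "half-open states one tcp.first period holds at this rate: $(half_open_capacity "$rate" "$tf")"
  echo "same, if tcp.first were 15s:                              $(half_open_capacity "$rate" 15)"
}

report
```

Read the `state-limit` counter before anything else: a table that is at or near its hard limit will refuse new states, and that refusal (not CPU or RAM, which the first post found nearly idle) is what makes the box look unresponsive to new connections. Lowering `tcp.first` reduces how long each unanswered handshake occupies an entry, but it is a trade-off for legitimate clients on slow links, which is why the reply above presents its 15 second value as a personal setting rather than a recommendation.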



  • A firewall is not the solution to DDOS.



  • @heper:

    a firewall is not the solution to DDOS.

    This.

    If you need DDoS protection there are companies out there that provide it. They are not cheap but they tend to work.

