Netgate Discussion Forum
    pfSense Tuning

    General pfSense Questions
    8 Posts 5 Posters 2.7k Views
    tomli:

      Hi all,

      Is there any good document to help us tune pfSense performance? I am trying to do a load test of pfSense on my server (CPU: 6 cores x2, RAM: 32 GB). When the pfSense state table holds ~23M records, pfSense responds very, very slowly. I checked the CPU and RAM usage; they are 27% and ~20% respectively. The network traffic is only 70 M. Therefore I don't know what issue is causing the server to respond slowly. Do you have any good suggestions for me to debug it?

      Thank you very much.

      cmb:

        23 million states is a huge load for any firewall (the biggest Cisco ASA you can buy maxes out at 4 million, for comparison, and that costs as much as a house), some things will be slow with that big of a state table. Mbps is largely irrelevant, performance is about pps and new connections/sec. If your typical use would involve 20+ million simultaneous connections, you don't want to be pushing that traffic through a single firewall of any sort.

        What are you attempting to tune for?

        tomli:

          Hi,

          On the pfSense website (https://www.pfsense.org/products/), I find that the SG-4860 model can support 8M Max Active Connections (Active Connections = state table records?).

          My testing server's hardware (CPU and RAM) is better than the SG-4860's. So I suspect my configuration in pfSense is not correct.

          Please advise.

          cmb:

            There isn't a "go fast button", to offer any advice we'll need to know what you're trying to do. Just because your system's faster doesn't mean it can handle an infinitely large state table. I'm well aware of what the website says.

            tomli:

              Hi,

              I am simulating our system suffering a DDoS attack, to see how much DDoS attack pfSense can protect against.

              Thanks.

              Harvy66:

                DDoS protection is a hard problem, and pfSense takes the stance of protecting your network from outsiders getting in, but DDoS is not such a problem. As a firewall, pfSense works great; it is not a DDoS solution for state exhaustion.

                You can tune pfSense to kill states faster than the defaults. By default, pfSense holds an unestablished TCP state open for 90 seconds. This default was created decades ago, and I reduced mine to something like 15 seconds, which may or may not work for you. I'm a home user, not a business.

                heper:
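                The kind of state-timeout tuning described above, written out as a pf.conf fragment. This is an added example, not configuration from the thread or from the pfSense project; pfSense generates pf.conf from the GUI (System > Advanced > Firewall & NAT for the state limit and optimization/timeouts, and each rule's Advanced Options for per-source limits and the synproxy state type), so hand edits to /tmp/rules.debug are overwritten on the next filter reload. The interface name em0, the table name <flooders>, and every numeric value are assumptions chosen to illustrate the mechanism, not recommended defaults.

```pf
# Added example (not from the thread or the pfSense project): pf state
# tuning for a box that must survive a SYN/state flood without letting the
# state table grow without bound. Interface em0, table <flooders> and all
# numbers are illustrative assumptions.

# 1. Hard cap on the state table. Once reached, new states are refused
#    (the firewall degrades predictably instead of exhausting memory).
set limit states 2000000

# 2. Expire half-open states quickly. tcp.first applies to a state that has
#    seen only its first packet (the SYN); tcp.opening to one where the
#    destination has not yet completed the handshake. adaptive.start/end
#    scale all timeouts down linearly as the table fills: at 1.2M states
#    timeouts begin shrinking, and at 2.4M they would reach zero.
set timeout { tcp.first 15, tcp.opening 10, tcp.closing 30 }
set timeout { adaptive.start 1200000, adaptive.end 2400000 }

# 3. Per-source limits on the services exposed to the flood. A single
#    source IP may hold at most 100 states and create at most 50 new
#    connections per 5 seconds; an offender is added to <flooders> and
#    "flush global" kills every state it already holds. synproxy completes
#    the TCP handshake on behalf of the server, so a spoofed SYN that never
#    ACKs creates no state on the protected host.
table <flooders> persist
block in quick on em0 from <flooders>
pass in on em0 proto tcp to port { 80, 443 } \
    synproxy state \
    (max-src-conn 100, max-src-conn-rate 50/5, overload <flooders> flush global)
```

                To see whether a change actually helps during a test, watch `pfctl -si` (current states, inserts/removals per second and the searches counter, which is where a 23M-entry table costs you), `pfctl -st` (the timeouts in force) and `pfctl -t flooders -T show` (which sources have been quarantined). The caveat Harvy66 gives still holds: short tcp.first/tcp.opening values will drop legitimate clients on slow or lossy links, and none of this stops an attacker whose packet rate alone saturates the box; it only keeps the state table, rather than the NIC or CPU, from being the first thing to fail.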

                  A firewall is not the solution to DDoS.

                  antillie:

                    @heper: "A firewall is not the solution to DDoS."

                    This.

                    If you need DDoS protection there are companies out there that provide it. They are not cheap but they tend to work.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.