pfSense RAM and CPU

brianmc

What's the going assumption on RAM for pfSense?

I am not doing IDS, just as a VPN and NAT gateway. I'm upgrading to Xeon D1508 and Xeon D-1518

Do I need dual channel RAM or can I get away with single channel?

8GB x 1 or 8GB x 2 enough or should I use 16GB DIMMs?
 

PigLover

Your question really needs more context - some info on how many links and what data rates or packet-per-second rates you expect would help a lot getting you a good answer.

That said, in its basic form as a simple firewall/NAT and VPN endpoint, pfSense is not memory hungry at all. Even 8GB would be overkill for that, though in a Xeon D you probably want to use 2x4GB to get there just to keep the memory channels populated (it probably won't make much difference in performance though).

If you start to add a bunch of add-ins like Suricata or other things then memory usage might climb. But probably not much.
 

brianmc

Thanks. I'm not sure what they'll be for pps. Bandwidth no more than 100mbps which is why I'm staying low in the Xeon D range. That's really helpful and I appreciate you taking the time to answer.
 

mstone

you can't buy a new computer slow enough that firewalling 100mbps would be a problem, nor can you buy a new computer with a small enough RAM configuration to find the lower limit. a xeon d is tremendous overkill, but if it's what you want it will work fine.
 

fohdeesha

Insane overkill - my largest pfsense instance has 2GB of ram, and I've never seen it use more than 700MB. using an ancient i3 and it has no problem routing and firewalling 1gbps. xeon is crazy fammmm
 

brianmc

My reason for Xeon D is that I'm going to have it on my 10G network LAN side. WAN is no more than 100mb but LAN might be more.

I'd also pay to avoid having to upgrade soon.
 

Nizmo

I use 8GB DDR4 and 8 Cores (E5-2699 V4) on a Virtual Machine for pfSense for 10Gb connections bonded to 20Gb.

I see up to 75% CPU loads and 30-50% mem loads.

Although I am using IDS (Snort, VPN, Multi-WAN)
 

Biznatch

> Insane overkill - my largest pfsense instance has 2GB of ram, and I've never seen it use more than 700MB. using an ancient i3 and it has no problem routing and firewalling 1gbps. xeon is crazy fammmm

Enable pfblockerng and ntopng and that will no longer be the case. My VM has 4GB and is using like 90% at all times. Well worth it, for pfblocker at least. Gets rid of almost all ads/malware through community DNS block lists at the firewall. Hell even the video ads on the Roku app don't queue up anymore, it's great.
 

fohdeesha

> Enable pfblockerng and ntopng and that will no longer be the case. My VM has 4GB and is using like 90% at all times. Well worth it, for pfblocker at least. Gets rid of almost all ads/malware through community DNS block lists at the firewall. Hell even the video ads on the Roku app don't queue up anymore, it's great.

Sure, you can load up plenty of different packages that drastically alter spec requirements, however OP clearly stated he would be doing none of that. As far as DNS and ntop, I prefer handling those outside of pfsense for various reasons, but I understand the ease of use having them bundled

also, nice thread necro :)
 

dswartz

> Sure, you can load up plenty of different packages that drastically alter spec requirements, however OP clearly stated he would be doing none of that. As far as DNS and ntop, I prefer handling those outside of pfsense for various reasons, but I understand the ease of use having them bundled
>
> also, nice thread necro :)

That's nothing, bro! Earlier this year, in a different forum, I saw a necro of a 7-yr old thread!
 

ljvb

Zombie thread resurrection.. as I don't particularly want to start a new one.

I upgraded this past weekend from 150/150 to gig (FIOS). Router throughput was absolutely abysmal. 300 to 400Mbit between my gateway and my AWS server which VZ peers with directly, so random latency congestion through multiple networks is not the issue. Over the VPN link, it is even worse, around 80 to 100Mbit.

Current setup is a Supermicro C2558 with 16GB using the built in nics. I know I should be seeing much better rates.. watching the cpu, it does peg when running iperf over the VPN link, and that is with cryptodev.

I have an unused older dual L5640 with 32GB (DL180G6) which even with its age should be overkill, which I might try.

As far as the VPN, at least while at work today (I cannot change the settings for my pfsense gateway remotely because.. work.. stupid filters (I could have done ssh forwarding, but I figured I would just do command line testing for now)). Spun up a new fbsd 12 AWS instance (1 CPU, 1GB, 40GB disk), ran openvpn from the command line, and then did the same on my pfSense gateway from the console. Playing with MTUs I managed to get it up to 200Mbit across the VPN with basic settings, cryptodev and aes268cbc cipher.. but that is still pretty damn slow....

I currently am playing with it on my VM server (16 gig 8 cores assigned to the VM.. the machine is a DL380P G8 with 128GB and 2 8 core E5.. I know, small by most people's count.. at least here). I noticed an improvement on the non VPN speed test using speedtest-cli, getting around 750mbit down 500ish up.... pfSense, Sophos, generic linux and freebsd, but still not seeing full or even reasonably close to gig speeds.

Looking for any insights anyone may have.. I really think the C2558 should be more than enough for just