10G Router options


blinkenlights

I did not say it wasn't possible. But using TOE cards also has its own problems. Per pfSense documentation from Netgate:
Sure, familiar with Netgate's guidance on offload functions breaking the end-to-end model and causing little children to cry. I disabled everything (TSO/LRO/checksums) on my original Intel 82575eb and i350 firewall builds. I enabled everything on my latest Chelsio (2x T520, T540) build and no one has complained about the internet breaking (yet) ;) I can even get 9.7-9.8 Gbps sustained, no-drop between VLAN segments using an older E5 Xeon.

Happy to be corrected by someone more in the know, but I think the Netgate guidance is either outdated or specific to certain drivers (igb, ix). Found this from last year, using T6 cards on 12-STABLE - Acceptable performance of cxgbe(4), and TOE almost didn’t crash the system – Trond's place
 

Lost-Benji

So, here is my little bit:
After recently playing around again with pfSense, it was determined that it hasn't improved since I last used it. Now, I am not a network genius but I know enough to survive and get through my day while keeping my clients happy. Sadly, PF has the same issue as MikroTik and other brands: too many options and too many ways to screw it, resulting in a lot of time to get it working correctly without side-effects and headaches. I see the whole thread stuck on bloody PF without any options of other platforms as there are bucket loads of other options out there that are not stuck on the past like PF. Yes, out of the box, it works but is lacking IPS and filtering as well as GeoIP which ALL should be standard in this day and age of bullshit traffic coming from Russia, Netherlands and China.

Moving 10G (assuming you actually get a real 10G/10G) is going to take balls, I see quite a few posts about PF going to struggle and I agree.
 

blinkenlights

After recently playing around again with pfSense, it was determined that it hasn't improved since I last used it. Now, I am not a network genius but I know enough to survive and get through my day while keeping my clients happy.
Sure, but pfSense Community Edition was not meant for people like you. I am not being condescending - if you are being paid by clients to deliver line-rate 10 Gbps firewalls, either pony up for a commercial contract with Netgate and their hardware (make achieving real 10G/10G their problem, not yours) or prepare to shell out megabucks to one of the big networking names (and make it their problem). No, it will not work out of the box - but it was never intended to.

If you want to get true line-rate performance out of pfSense and FreeBSD in general, be prepared to read up on the subject and reach out to people who have it working in real deployments:
I found this for another thread, but it's worth posting here as a reminder: https://2019.eurobsdcon.org/slides/...the FreeBSD Network Stack - Drew Gallatin.pdf

Netflix has been serving ~100 Gbps of TLS encrypted content from individual FreeBSD servers since 2016 and nearly hit 200 Gbps on both AMD and Intel platforms six months ago. Yes, they heavily tweaked FreeBSD... but that is the cost of doing business.
 

Lost-Benji

Sure, but pfSense Community Edition was not meant for people like you. I am not being condescending - if you are being paid by clients to deliver line-rate 10 Gbps firewalls, either pony up for a commercial contract with Netgate and their hardware (make achieving real 10G/10G their problem, not yours) or prepare to shell out megabucks to one of the big networking names (and make it their problem). No, it will not work out of the box - but it was never intended to.
I should have written my post better. I don't use PF for my clients; I see a few of my competition doing so and fail miserably. I have/was using it in my own lab / DC as here in Aus, I have a faster connection than most of 100/100 (screaming hey.... NOT). Client side, most struggle to get 25-50Mbps thanks to bullshit like the NBN crap. Commercial products work. Some, I use Endian as it does work and work very well, out of the box.

As for the topic and general feel of this thread, commercial support not likely.
 