Big pfSense firewall


Muller2000

New Member
Mar 30, 2015
Hi there,
Is there a max performance limit for the pfSense firewall?

I'm planning to use it for a big wireless network.
 

Evan

Well-Known Member
Jan 6, 2016
I would assume the answer for wireless is no.
People use it at 10G speeds on LAN, so anything wireless I assume is going to be fine.

Disclaimer: I have only ever used it at up to a full 1G pipe.
 

Monoman

Active Member
Oct 16, 2013
With a lot of wireless I'm guessing the state table will be the limit.

So, assuming you're wanting to just do standard network-level features (DHCP/NAT), a high clock speed CPU with plenty of RAM and Intel NICs would be ideal. RAM is good here; the more the better. Use this to help calculate your state table size:

How can I increase the state table size - PFSenseDocs
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
"Big" is different for everyone, so I urge you to get specific: what is "big"? Is it big as in geographic location, big as in server sizes/VMs using it, big as in 100 APs?
 

PigLover

Moderator
Jan 26, 2011
FreeBSD kicks Linux in the tail for network performance, especially if you require support for a firewall. Berkeley Packet Filters (BPF) run as pre-compiled filter rules inside the kernel, so much faster than Linux iptables that it isn't even a contest (which is why, as of kernel 4.10, BPF is being integrated into the Linux mainline, though the current code quality is a bit nascent).

Do note that the Netflix example is a "one-way transmit" of 90Gbps of data outbound from a file store (media cache). It is an impressively optimized application, but it is also much simpler than what would be required on a firewall. They are able to enqueue traffic to the NIC at PCIe speeds and let the NIC send it as fast as possible.

Much like my response in a different thread: for a FW application you have to get the bits in, look at them, and then send them back out. In a purpose-built firewall, once each "flow" is established and a rule is applied, they will handle further packets on the same flow (simplest case, a matching 5-tuple) through a "fastpath" that acts much more like a switch than a router. This is fairly difficult to emulate on a general-purpose CPU. In a pure CPU-based firewall, regardless of how fast your PF engine works, you end up inserting a large inter-packet latency. At 1GbE and lower speeds this might be a small performance hit; at 10GbE it could be a 50% performance loss; and at 100GbE it is absolutely devastating. I imagine this is what may have led to @BackupProphet's comment "But if you are using PFSense, I guess high performance isn't a top priority".
 

bds1904

Active Member
Aug 30, 2013
I am interpreting a "big wireless network" as a WISP. If that's the case, you should be designing your network so that each router handles 1-2Gbit of throughput at most. Realistically, unless you own or rent a lot of dark fiber going back to one central point, you will only have 2-3 "backhaul" links going to a fiber site. Renting multiple spaces on a single tower gets real expensive, not to mention you start dealing with wireless congestion really quickly. Each of those will be no more than 1Gb max, and I doubt they will see peak throughput of 600Mb in the worst-case scenario.

To actually answer your question, pfSense will route 3-5Gb pretty easily, even over multiple links or even BGP. What'll kill the performance is your state table. Fast processors (yes, 2) and as much RAM as you can throw in the boxes (yes, 2 servers), 32GB each. Intel NICs for 1Gb and Chelsio for 10Gb. Get new servers from Dell, HP, etc., so you can have a hardware contract.

If this is a "really big" wireless network, you need to be running 2 servers in a Master/Slave configuration to handle any failure-based downtime and software upgrades.
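Both Monoman's and bds1904's posts above point at the state table as the real ceiling. Here is an added example (not code from the thread or from pfSense) that checks state-table utilisation from `pfctl -s info` / `pfctl -s memory` output and sizes a hard limit for a client population; the sample output is constructed, and the ~1 KiB-per-state cost used for the RAM estimate is an assumed rule of thumb.

```python
import re

# Constructed sample output in the shape of `pfctl -s info` and `pfctl -s memory`
# on a pfSense/FreeBSD box (assumption: field names match what pf prints).
PFCTL_INFO = """\
Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                    87321
  searches                      1837262733         1762.4/s
"""
PFCTL_MEMORY = """\
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
"""
# Assumption: roughly 1 KiB of kernel memory per state (common rule of thumb).
BYTES_PER_STATE = 1024

def current_states(info_output):
    """Return the 'current entries' count from `pfctl -s info` output."""
    m = re.search(r"^\s*current entries\s+(\d+)", info_output, re.M)
    if m is None:
        raise ValueError("no 'current entries' line in pfctl -s info output")
    return int(m.group(1))

def state_limit(memory_output):
    """Return the configured 'states hard limit' from `pfctl -s memory` output."""
    m = re.search(r"^states\s+hard limit\s+(\d+)", memory_output, re.M)
    if m is None:
        raise ValueError("no 'states hard limit' line in pfctl -s memory output")
    return int(m.group(1))

def state_table_check(info_output, memory_output, warn_at=0.80):
    """Return (used, limit, utilisation, warning) for the state table.
    When the table is full pf refuses new states, so alert before that point."""
    used, limit = current_states(info_output), state_limit(memory_output)
    util = used / limit
    return used, limit, util, util >= warn_at

def size_state_limit(clients, states_per_client, headroom=2.0):
    """Estimate a states hard limit for a client population plus headroom,
    and the RAM (MiB) it would consume at BYTES_PER_STATE per entry."""
    limit = int(clients * states_per_client * headroom)
    return limit, limit * BYTES_PER_STATE / (1024 * 1024)
```

On a live box the two strings would come from `subprocess.run(["pfctl", "-s", "info"], ...)` and `pfctl -s memory`; run it from cron and act on the warning flag.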
 

Evan

Well-Known Member
Jan 6, 2016
To echo what @PigLover said about CPU, simply look at the latency difference on the Fortinet ft-50e vs fg-60g, the latter being a dedicated SoC/ASIC: way, way lower latency.

Somebody suggested WISP when talking about large; well, that's a whole different problem, I imagine. My thoughts on large were a large office of hundreds of people and a good amount of WAPs.
 

PigLover

Moderator
Jan 26, 2011
> To echo what @PigLover said about CPU, simply look at the latency difference on the Fortinet ft-50e vs fg-60g, the latter being a dedicated SoC/ASIC: way, way lower latency.
>
> Somebody suggested WISP when talking about large; well, that's a whole different problem, I imagine. My thoughts on large were a large office of hundreds of people and a good amount of WAPs.

Yeah, getting the definition of "large" is really important. To me a "large" FW has 4x 100Gb IO and supports over 8 million active IPs and 100 million flows... and to Google/FB that would be a toy.