pfSense RAM and CPU

Discussion in 'FreeBSD and FreeNAS' started by brianmc, Jun 25, 2018.

  1. brianmc

    brianmc New Member

    Joined:
    Jun 25, 2018
    Messages:
    29
    Likes Received:
    7
    What's the going assumption on RAM for pfSense?

    I am not doing IDS, just as a VPN and NAT gateway. I'm upgrading to Xeon D1508 and Xeon D-1518

    Do I need dual channel RAM or can I get away with single channel?

    8GB x 1 or 8GB x 2 enough or should I use 16GB DIMMs?
     
    #1
  2. PigLover

    PigLover Moderator

    Joined:
    Jan 26, 2011
    Messages:
    2,705
    Likes Received:
    1,060
    Your question really needs more context - some info on how many links and what data rates or packet-per-second rates you expect would help a lot getting you a good answer.

    That said, in its basic form as a simple firewall/NAT and VPN endpoint, pfSense is not memory hungry at all. Even 8GB would be overkill for that, though in a Xeon D you probably want to use 2x4GB to get there just to keep the memory channels populated (it probably won't make much difference in performance though).

    If you start to add a bunch of add-ins like Suricata or other things then memory usage might climb. But probably not much.
     
    #2
  3. brianmc

    brianmc New Member

    Thanks. I'm not sure what they'll be for pps. Bandwidth no more than 100mbps which is why I'm staying low in the Xeon D range. That's really helpful and I appreciate you taking the time to answer.
     
    #3
  4. mstone

    mstone Active Member

    Joined:
    Mar 11, 2015
    Messages:
    481
    Likes Received:
    111
    You can't buy a new computer slow enough that firewalling 100mbps would be a problem, nor can you buy a new computer with a small enough RAM configuration to find the lower limit. A xeon d is tremendous overkill, but if it's what you want it will work fine.
     
    #4
  5. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    973
    Likes Received:
    714
    Insane overkill - my largest pfsense instance has 2GB of ram, and I've never seen it use more than 700MB. using an ancient i3 and it has no problem routing and firewalling 1gbps. xeon is crazy fammmm
     
    #5
  6. brianmc

    brianmc New Member

    My reason for Xeon D is that I'm going to have it on my 10G network LAN side. WAN is no more than 100mb but LAN might be more.

    I'd also pay to avoid having to upgrade soon.
     
    #6
  7. fohdeesha

    fohdeesha Kaini Industries

    The lan traffic will never touch your router assuming it's on the same subnet
     
    #7
  8. Nizmo

    Nizmo Member

    Joined:
    Jan 24, 2018
    Messages:
    101
    Likes Received:
    17
    I use 8GB DDR4 and 8 Cores (E5-2699 V4) on a Virtual Machine for pfSense for 10Gb connections bonded to 20Gb.

    I see up to 75% CPU loads and 30-50% mem loads.

    Although I am using IDS (Snort, VPN, Multi-WAN)
     
    #8
  9. Biznatch

    Biznatch New Member

    Joined:
    Mar 20, 2017
    Messages:
    15
    Likes Received:
    2
    Enable pfblockerng and ntopng and that will no longer be the case. My VM has 4GB and is using like 90% at all times. Well worth it, for pfblocker at least. Gets rid of almost all ads/malware through community DNS block lists at the firewall. Hell even the video ads on the Roku app don't queue up anymore, it's great.
     
    #9
  10. fohdeesha

    fohdeesha Kaini Industries

    Sure, you can load up plenty of different packages that drastically alter spec requirements, however OP clearly stated he would be doing none of that. As far as DNS and ntop, I prefer handling those outside of pfsense for various reasons, but I understand the ease of use having them bundled

    also, nice thread necro :)
     
    #10
    CreoleLakerFan and dswartz like this.
  11. dswartz

    dswartz Active Member

    Joined:
    Jul 14, 2011
    Messages:
    350
    Likes Received:
    26
    That's nothing, bro! Earlier this year, in a different forum, I saw a necro of a 7-yr old thread!
     
    #11
    Sleyk and fohdeesha like this.
  12. Sleyk

    Sleyk Active Member

    Joined:
    Mar 25, 2016
    Messages:
    671
    Likes Received:
    142
    7 years! damn! That's not necromancy, that's Egyptian mummy type resurrection! Lol!

    I agree with my man Fodeesh, overkill with crossbows and machine guns :cool:

    I'm actually running an old supermicro x8sil board with x 2 chelsio 10gb cards and a 4 port intel 1Gb ethernet card for gigabit networking and an old 1156 xeon (x3440) in a simple 2u case and it runs great. I can transfer internally at 9.8Gbits no prob. (Tested with iperf and real world with 2 x ssd's in raid0)

    I use 4 ddr3 2GB sticks for a total of 8GB and I have several packages installed (snort, squid, squidguard, etc) and I never go past 2GB, and that's with normal usage + with dedicated ram space set for squid cache.

    8GB is all you need my peep! :.)
     
    #12
    dswartz likes this.
  13. ljvb

    ljvb Member

    Joined:
    Nov 8, 2015
    Messages:
    73
    Likes Received:
    7
    Zombie thread resurrection.. as I don't particularly want to start a new one.

    I upgraded this past weekend from 150/150 to gig (FIOS). Router throughput was absolutely abysmal. 300 to 400Mbit between my gateway and my AWS server which VZ peers with directly, so random latency congestion through multiple networks is not the issue. Over the VPN link, it is even worse, around 80 to 100Mbit.

    Current setup is a Supermicro C2558 with 16GB using the built in nics. I know I should be seeing much better rates.. watching the cpu, it does peg when running iperf over the VPN link, and that is with cryptodev.

    I have an unused older dual L5640 with 32GB (DL180G6) which even with its age should be overkill, which I might try.

    As far as the VPN, at least while at work today (I cannot change the settings for my pfsense gateway remotely because.. work.. stupid filters (I could have done ssh forwarding, but I figured I would just do command line testing for now)). Spun up a new fbsd 12 AWS instance (1 CPU, 1GB, 40GB disk), ran openvpn from the command line, and then did the same on my pfSense gateway from the console. Playing with MTUs I managed to get it up to 200Mbit across the VPN with basic settings, cryptodev and aes268cbc cipher.. but that is still pretty damn slow....

    I currently am playing with it on my VM server (16 gig 8 cores assigned to the VM.. the machine is a DL380P G8 with 128GB and 2 8 core E5.. I know, small by most people's count.. at least here). I noticed an improvement on the non VPN speed test using speedtest-cli, getting around 750mbit down 500ish up.... pfSense, Sophos, generic linux and freebsd, but still not seeing full or even reasonably close to gig speeds.

    Looking for any insights anyone may have.. I really think the C2558 should be more than enough for just
     
    #13