pfsense setup

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
> does the CPU or the RAM affect the performance for PFsense?

<insert facetious answer> ;)

I think the question you're actually asking is "how much CPU and RAM do you need not to be bottlenecked"...? Which itself is one of those "how long is a piece of string" questions, dependent mostly on how much bandwidth you're going to be using, how many individual connections, and what advanced features like IDS, VPN and encryption you're running.

As far as RAM goes, even 4GB is quite probably overkill - network appliances'll generally just shunt stuff out one NIC and forget about it, it's only resident things like IDS databases (Snort or Suricata for example) that you'll need to keep in memory. CPU-wise is a whole other story; generally speaking a low-power Atom will be fine for most deployments. I'm trialling a J1900 for mine and it barely breaks a sweat on the VPN - max throughput on that is only in the region of 1.5MB/s though.

If you take a gander at the pfsense hardware page you can see that they rate their Atom-based stuff for routing at gigabit levels. These Italian dudes have a more detailed rundown on what requirements you can expect from some of the features.

In a nutshell: yes, CPU and RAM matter, but generally if you chuck slightly more power than a pocket calculator at it you're liable to get good performance. If you've got a 100Mb/s or higher WAN, fifty hojillion users all using seven different VPNs through a captive portal then you'll likely need to consider more carefully.
 

mephisto

Member
Nov 6, 2013
London
I've got a datacentre infrastructure with 60 VMs, a 300/300Mbit connection and OpenVPN tunnels to 10 branches. 1 core (Xeon 5600 series) and 1GB RAM does the job without any problem for my pfSense VM.
 

Hank C

Active Member
Jun 16, 2014
thanks for all the feedback.

now on to the NIC, which quad port NIC do you all use that will work?
 

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
Pretty much any NIC supported by BSD will work, but the preference is usually for Intel chipsets since they tend to have the highest quality drivers. If you're looking to buy a quad-port you're into server-level gear in any case, there are plenty of QP cards out there based on the Intel i350 chipset which is probably the current gold standard for gigE, cheapest source of these is normally from server pulls. Quick shufti found me a new one in the UK for about £250 retail, dare say the US and/or ebay will be much cheaper.
 

RTM

Active Member
Jan 26, 2014
> thanks for all the feedback.
>
> now on to the NIC, which quad port NIC do you all use that will work?

There are many decent NICs, I would definitely go for something that is Intel based, like the 1000 PT (do not get the full height version though, which is a 2x2 port controller + PCIe "bridge"), 1000 ET/ET2, I340 or I350.

Keep in mind that if you want to have the ports for computers in the same subnet, a switch may be preferable, as using multiple ports in the same subnet will require the use of bridge mode in pfSense, which will mean passing packets by the CPU (which is slow).

> Pretty much any NIC supported by BSD will work, but the preference is usually for Intel chipsets since they tend to have the highest quality drivers. If you're looking to buy a quad-port you're into server-level gear in any case, there are plenty of QP cards out there based on the Intel i350 chipset which is probably the current gold standard for gigE, cheapest source of these is normally from server pulls. Quick shufti found me a new one in the UK for about £250 retail, dare say the US and/or ebay will be much cheaper.

It should be noted that eBay and Amazon are flooded with cheap Chinese knockoffs; if possible I would try to avoid those and do as EffrafaxOfWug suggested and find something that was a server pull, preferably from a trusted reseller.
 

niekbergboer

Active Member
Jun 21, 2016
Switzerland
> I've got a datacentre infrastructure with 60 VMs, a 300/300Mbit connection and OpenVPN tunnels to 10 branches. 1 core (Xeon 5600 series) and 1GB RAM does the job without any problem for my pfSense VM.

I am in a somewhat more modest situation (150/40 Mbit/s on a home network, 2 VPN tunnels). My pfSense is a VM (yes, really) with 1 GB of RAM and 2 cores, running on VirtIO networking, and it fills the pipe without breaking a sweat.

Edit: Those are >= Haswell cores (or Skylake, depending on which of the physical machines the VM happens to be scheduled), so they do have AES-NI.
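
A check for the AES-NI point in the post above, as an added example that is not part of the original thread: it reads a FreeBSD boot log (on a pfSense box, `/var/run/dmesg.boot`) and reports whether the guest actually sees the `AESNI` CPU flag and whether the hypervisor bit (`HV`) is set. The function names and both sample logs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). All function names are hypothetical.
# On a real system: aesni_report < /var/run/dmesg.boot

# Print the comma-separated flag list from the first "Features2=" line on stdin.
cpu_features2() {
    sed -n 's/^[[:space:]]*Features2=0x[0-9a-fA-F]*<\(.*\)>.*$/\1/p' | head -n 1
}

# has_flag FLAGS NAME: succeed only if NAME is an exact member of FLAGS.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a boot log on stdin; print aesni, no-aesni (suffix -vm if HV is set),
# or unknown when no Features2 line is present.
aesni_report() {
    flags=$(cpu_features2)
    [ -n "$flags" ] || { echo unknown; return 0; }
    if has_flag "$flags" AESNI; then r=aesni; else r=no-aesni; fi
    if has_flag "$flags" HV; then r="$r-vm"; fi
    echo "$r"
}

# Constructed sample: guest whose virtual CPU exposes AES-NI.
sample_with_aesni() {
    cat <<'EOF'
CPU: constructed sample CPU (K8-class CPU)
  Features2=0xfffa3203<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX,HV>
EOF
}

# Constructed sample: guest whose virtual CPU model masks the flag.
sample_without_aesni() {
    cat <<'EOF'
CPU: constructed sample CPU (K8-class CPU)
  Features2=0x80002001<SSE3,CX16,HV>
EOF
}

echo "guest A: $(sample_with_aesni | aesni_report)"
echo "guest B: $(sample_without_aesni | aesni_report)"
```

A `no-aesni-vm` result on a host whose physical CPU has AES-NI means the hypervisor's virtual CPU model is hiding the flag from the guest.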
 

dswartz

Active Member
Jul 14, 2011
I've run pfsense in vmware for several years. Works fine, so I at least don't think you're weird :)
 

xbliss

Member
Sep 26, 2015
Are there any tiny/mini/pico distros that support/manage Wireless AC with a RADIUS server?
When added in conjunction with firewalls/UTMs (pfSense/Sophos UTM 9 on Hyper-V/VM), to manage the wireless?

I'd like to add a tiny VM to manage the Wireless access on the device.

PS: Zotac Nano C1323
 