When sizing hardware for pfSense® software, required throughput and necessary features are the primary factors that govern hardware selection.
The information on the Netgate Store now contains up-to-date specifications and performance data on all hardware sold by Netgate. The data on the Netgate Store is updated as needed and it is always the most accurate and current source of performance data.
Tip
Contact Netgate Sales for personalized help in selecting the most suitable model for any implementation.
Estimating throughput of third party / whitebox hardware is difficult and inaccurate. In some cases, ballpark estimates may be made by comparing hardware specifications with those found on the Netgate Store for comparable models.
Throughput Considerations
In real networks the traffic flow will likely contain packets of varying sizes, not all maximum-size packets, but that depends entirely on the environment and the type of traffic involved. IMIX testing attempts to approximate a mixture of traffic that more closely resembles real-world environments. Simple IMIX traffic consists of sets of 7 packets of 40 bytes, 4 packets of 576 bytes, and 1 packet of 1500 bytes, plus Ethernet framing overhead.
Note
The Netgate Store entries for hardware include results for maximum-size packets (“IPERF3”) as well as results for IMIX traffic patterns.
As a general reference, the table 500,000 PPS Throughput at Various Frame Sizes lists a few common packet sizes and the throughput achieved at an example rate of 500,000 packets per second.
| Frame size | Throughput at 500 Kpps |
|---|---|
| 64 bytes | 244 Mbps |
| 500 bytes | 1.87 Gbps |
| 1000 bytes | 3.73 Gbps |
| 1500 bytes | 5.59 Gbps |
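As an added worked example (not code from the pfSense documentation), the following Python reproduces the frame-size table above from the packet rate and derives the average packet size of the simple IMIX mix. It assumes the table's Mbps/Gbps figures are binary units (2^20 and 2^30 bits), which is what makes 64 bytes at 500,000 pps come out as ~244 Mbps; the 18-byte Ethernet framing overhead mentioned in the docstring is an assumption, since the page gives no figure.

```python
# Added example: throughput from packet rate and frame size, plus IMIX average.
# Assumption: Mbps/Gbps in the page's table are binary units (2**20, 2**30 bits).

MIB = 2 ** 20
GIB = 2 ** 30

# Simple IMIX as described on the page: 7 x 40 B, 4 x 576 B, 1 x 1500 B packets.
SIMPLE_IMIX = {40: 7, 576: 4, 1500: 1}


def throughput_bps(frame_bytes, pps):
    """Bits per second carried by frames of frame_bytes at pps packets/second."""
    return frame_bytes * 8 * pps


def throughput_mbps(frame_bytes, pps):
    """Throughput rounded to whole (binary) Mbps, as in the page's table."""
    return round(throughput_bps(frame_bytes, pps) / MIB)


def throughput_gbps(frame_bytes, pps):
    """Throughput rounded to two decimals of (binary) Gbps."""
    return round(throughput_bps(frame_bytes, pps) / GIB, 2)


def imix_average_packet(mix=SIMPLE_IMIX, framing_overhead=0):
    """Weighted average packet size (bytes) of an IMIX mix.

    framing_overhead is added to every packet. The page only says "plus Ethernet
    framing overhead" without a number, so the caller supplies it (for example
    18 for a 14-byte Ethernet header plus 4-byte FCS; that value is an assumption).
    """
    total_packets = sum(mix.values())
    total_bytes = sum((size + framing_overhead) * count for size, count in mix.items())
    return total_bytes / total_packets


def pps_for_target(target_bps, frame_bytes):
    """Packet rate a firewall must sustain to reach target_bps at frame_bytes."""
    return target_bps / (frame_bytes * 8)


if __name__ == "__main__":
    pps = 500_000
    for size in (64, 500, 1000, 1500):
        print(f"{size:5d} bytes @ {pps} pps: {throughput_mbps(size, pps):6d} Mbps")
    avg = imix_average_packet()
    print(f"simple IMIX average packet: {avg:.1f} bytes, "
          f"{throughput_gbps(avg, pps)} Gbps at {pps} pps")
```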
Performance difference by network adapter type
The choice of NIC has a significant impact on performance. Inexpensive, low-end cards consume significantly more CPU than better quality cards such as those from Intel. The first bottleneck with firewall throughput is the CPU. Throughput improves significantly by using a better quality NIC even with slower CPUs. By contrast, increasing the speed of the CPU will not proportionally increase the throughput when coupled with a low quality NIC.
Feature Considerations
Features, services and packages enabled on the firewall can lower the total potential throughput as they consume hardware resources that could otherwise be used to transfer network traffic. This is especially true for packages that intercept or inspect network traffic, such as Snort or Suricata.
Most base system features do not significantly factor into hardware sizing but a few can potentially have a considerable impact on hardware utilization.
Large State Tables
Active network connections through the firewall are tracked in the firewall state table. Each connection through the firewall consumes two states: one entering the firewall and one leaving the firewall. For example, if a firewall must handle 100,000 simultaneous web server client connections, the state table must be able to hold 200,000 states.
See also
States are covered further in Firewall.
Firewalls in environments which require large numbers of simultaneous states must have sufficient RAM to contain the state table. Each state takes approximately 1 KB of RAM, which makes calculating the memory requirements relatively easy. The table Large State Table RAM Consumption provides a guideline for the amount of memory required for larger state table sizes. This is solely the memory used for state tracking. The operating system itself along with other services will require at least 175-256 MB additional RAM and possibly more depending on the features used.
| States | Connections | RAM Required |
|---|---|---|
| 100,000 | 50,000 | ~97 MB |
| 500,000 | 250,000 | ~488 MB |
| 1,000,000 | 500,000 | ~976 MB |
| 3,000,000 | 1,500,000 | ~2900 MB |
| 8,000,000 | 4,000,000 | ~7800 MB |
It is safer to overestimate the requirements. Based on the information above, a good estimate would be that 100,000 states consume about 100 MB of RAM, or that 1,000,000 states would consume about 1 GB of RAM.
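As an added example (not code from the pfSense documentation), this Python applies the rules above, two states per connection, about 1 KB per state, plus 175-256 MB for the operating system and services, to size RAM for a given connection count and to find how many connections fit in a given amount of RAM. It assumes "1 KB" means 1 KiB and that the table's MB are binary MiB, which is what yields ~97 MB for 100,000 states; the package_mb parameter is an assumption for folding in package memory such as the 1 GB Snort/Suricata minimum.

```python
# Added example: state-table RAM sizing from the page's rules of thumb.
# Assumptions: 1 KB per state is taken as 1 KiB; table "MB" values are MiB.

KIB = 1024
STATE_BYTES = 1 * KIB          # ~1 KB of RAM per state (from the page)
STATES_PER_CONNECTION = 2      # one state entering, one leaving the firewall
OS_OVERHEAD_MB = (175, 256)    # base RAM for OS and services (from the page)


def states_for_connections(connections):
    """Number of state-table entries needed for simultaneous connections."""
    return connections * STATES_PER_CONNECTION


def state_table_mb(states):
    """RAM used solely by the state table, in MiB."""
    return states * STATE_BYTES / KIB / KIB


def total_ram_mb(connections, package_mb=0):
    """(low, high) RAM estimate in MiB: state table + OS overhead + packages.

    package_mb is an assumed extra for packages, e.g. 1024 for a minimal
    Snort/Suricata install.
    """
    table = state_table_mb(states_for_connections(connections))
    return tuple(table + base + package_mb for base in OS_OVERHEAD_MB)


def max_connections_for_ram(ram_mb, package_mb=0):
    """Largest connection count whose state table fits in ram_mb after
    reserving the upper OS overhead (256 MB) and packages; 0 if nothing fits."""
    spare_mb = ram_mb - OS_OVERHEAD_MB[1] - package_mb
    if spare_mb <= 0:
        return 0
    spare_states = int(spare_mb * KIB * KIB) // STATE_BYTES
    return spare_states // STATES_PER_CONNECTION


if __name__ == "__main__":
    # Reproduce the "Large State Table RAM Consumption" rows from the page.
    for conns in (50_000, 250_000, 500_000, 1_500_000, 4_000_000):
        states = states_for_connections(conns)
        low, high = total_ram_mb(conns)
        print(f"{states:>9,} states / {conns:>9,} connections: "
              f"table ~{state_table_mb(states):.0f} MB, total {low:.0f}-{high:.0f} MB")
    print("connections that fit in 1024 MB:", max_connections_for_ram(1024))
```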
VPN (all types)
The question customers typically ask about VPNs is “How many connections can my hardware handle?” That is a secondary factor in most deployments and is of lesser consideration. That metric is a relic of how other vendors have licensed VPN capabilities in the past and has no specific direct equivalent in pfSense software. The primary consideration in hardware sizing for VPN is the potential throughput of VPN traffic.
Encrypting and decrypting network traffic with all types of VPNs is CPU intensive. pfSense software offers several cipher options for use with IPsec. The various ciphers perform differently and the maximum throughput of a firewall is dependent on the cipher used and whether or not that cipher can be accelerated by the hardware.
See also
The Netgate Store contains VPN performance data for each device sold by Netgate using the most optimal cipher for each device based on its capabilities.
Hardware cryptographic accelerators, such as those found on most Netgate hardware, greatly increase maximum VPN throughput and largely eliminate the performance difference between accelerated ciphers. For IPsec, ciphers may be accelerated by onboard cryptographic accelerators. For example, AES-GCM is accelerated by AES-NI and it is faster not only for that reason, but because it also does not require a separate authentication algorithm. IPsec also has less per-packet operating system processing overhead than OpenVPN, so for the time being IPsec will nearly always be faster than OpenVPN.
Where high VPN throughput is a requirement for a firewall, hardware cryptographic acceleration is of utmost importance to ensure not only fast transmission speeds but also reduced CPU overhead. The reduction in CPU overhead means the VPN will not lower the performance of other services on the firewall.
The current best available acceleration is obtained by using pfSense Plus software on hardware with a QAT device, followed by a CPU which includes support for IPsec-MB (SSE, AVX2, AVX512), or failing that, a CPU which includes AES-NI support combined with AES-GCM in IPsec.
Packages
Certain packages have a significant impact on hardware requirements, and their use must be taken into consideration when selecting hardware.
Snort/Suricata
Snort and Suricata are pfSense software packages for network intrusion detection. Depending on their configuration, they can require a significant amount of RAM. 1 GB should be considered a minimum but some configurations may need 2 GB or more, not counting RAM used by the operating system, firewall states, and other packages.
Suricata is multi-threaded and can potentially take advantage of NETMAP for inline IPS if the hardware offers support.