Book Image

pfSense 2.x Cookbook - Second Edition

By : David Zientara
Book Image

pfSense 2.x Cookbook - Second Edition

By: David Zientara

Overview of this book

pfSense is an open source distribution of the FreeBSD-based firewall that provides a platform for ?exible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options, which makes determining requirements a little more difficult and a lot more important compared to other offerings. pfSense 2.x Cookbook – Second Edition starts by providing you with an understanding of how to complete the basic steps needed to render a pfSense firewall operational. It starts by showing you how to set up different forms of NAT entries and firewall rules and use aliases and scheduling in firewall rules. Moving on, you will learn how to implement a captive portal set up in different ways (no authentication, user manager authentication, and RADIUS authentication), as well as NTP and SNMP configuration. You will then learn how to set up a VPN tunnel with pfSense. The book then focuses on setting up traffic shaping with pfSense, using either the built-in traffic shaping wizard, custom ?oating rules, or Snort. Toward the end, you will set up multiple WAN interfaces, load balancing and failover groups, and a CARP failover group. You will also learn how to bridge interfaces, add static routing entries, and use dynamic routing protocols via third-party packages.
Table of Contents (18 chapters)
Title Page
Copyright and Credits
About Packt

Determining our throughput requirements

In this section, we will understand the throughput requirements, and subsequently the processing and memory requirements needed for our environment.

We'll want to prepare for determining our requirements by gathering the following information:

  • Our internet connection speed
  • Our network hardware speed (10/100/1000 Mbps)
  • The connection speeds different users will be expecting

Let's begin by considering the throughput guidelines provided on the official pfSense website:

Firewall throughput

Processing power required

Hardware (PCI-X/PCI-e NICs)

21-50 Mbps

500 MHz CPU


51-200 Mbps


Recommended (for 100 Mbps and faster)

201-500 Mbps



501+ Mbps




The following table defines any additional system requirements that would be necessary if deploying optional features.


Additional requirements


A CPU's encrypted throughput is roughly 20 percent of its unencrypted throughput. If you have a 500 MHz processor (50 Mbps unencrypted) and you need more than 10 Mbps encrypted throughput, you need a faster processor, or a separate encryption card.

Captive portal

Environments with a larger number of captive portal users (100+) may need to bump their processing power up slightly to achieve the same throughput.

Large state tables

The default state table size of 10,000 entries takes up 10 MB of RAM. Large environments with hundreds of thousands of entries will want to make sure they have the necessary memory available. It may  require you to have at least 2 GB of RAM.

Squid package

This is a package used for caching web content, and this requires extensive use of a hard disk with a large amount of storage. It is not for use with an embedded installation where writes to the compact flash card are kept to a minimum.

Snort package

This is a packet sniffer/intrusion prevention and detection system (IPS/IDS). A minimum of 512 MB RAM is required.

NTop package

This is a network traffic reporting tool. A minimum of 512 MB of RAM is required.


Now, we need to determine our requirements:

  • Our small business rarely has more than a dozen users on the LAN, but all the PCs in the department have GB Ethernet NICs, and the switches are all Gigabit or faster. The internet connection is only about 100 Mbps, so our network hardware is actually much faster than what we need for using the internet. Nevertheless, Gigabit Ethernet ensures that we get fast, reliable transfer times when accessing resources over the local network.
  • We want to provide VPN access for remote employees, but we do not anticipate more than a few VPN users at any given time.
  • We have also decided that we want to install Ntop to diagnose network traffic problems.
  • Finally, since we are saving money by using pfSense, we have decided to reinvest some of the savings into added redundancy. To this end, we will implement a CARP failover group on our network.

At this point, we have identified our minimum requirements as:

  • 1 Gbps network hardware (cables and switches)
  • Unencrypted throughput of 100 Mbps (bound by speed of Internet connection)
  • Encrypted throughput (VPN) of 20 Mbps
  • 1 GHz CPU, 1 GB RAM
  • A second, identical machine to be used as a failover.

Throughput is the amount of data that can be processed at any given time. For example, we might have a 100 Mbps broadband connection, but if the WAN interface on our firewall can only handle 10 Mbps, that's all we're going to get. Conversely, if we have a Gigabit Ethernet adapter for the WAN interface, but we still only have a 100 Mbps broadband connection, now our internet connection has become the bottleneck.    

Firewall throughput is only a factor for traffic passing through the firewall. Internet traffic meets this requirement (LAN <| WAN), as would any traffic between our own networks (LAN <| DMZ). However, traffic between two computers on the same network (for example, the LAN) will not be processed by the firewall and, therefore, the firewall will not be a bottleneck in that scenario.


You should remember that certain firewall features have their own hardware requirements. For example, VPN connections require additional processing power and the Squid web caching package is not suitable for an embedded compact flash disk installation.

With the release of pfSense 2.4, many obsolete packages have been removed from the Package Manager and many new packages are now available. To view available packages, navigate to System | Package Manager | Available Packages.

Read more about the minimum hardware requirements here: