In this section, we will understand the throughput requirements, and subsequently the processing and memory requirements needed for our environment.
We'll want to prepare for determining our requirements by gathering the following information:
- Our internet connection speed
- Our network hardware speed (10/100/1000 Mbps)
- The connection speeds different users will be expecting
Let's begin by considering the throughput guidelines provided on the official pfSense website:
Firewall throughput | Processing power required | Hardware (PCI-X/PCI-e NICs) |
21-50 Mbps | 500 MHz CPU | No |
51-200 Mbps | 1 GHz CPU | Recommended (for 100 Mbps and faster) |
201-500 Mbps | 2 GHz CPU | Recommended |
501+ Mbps | 3 GHz CPU | Recommended |
The following table defines any additional system requirements that would be necessary if deploying optional features.
Feature | Additional requirements |
VPN | A CPU's encrypted throughput is roughly 20 percent of its unencrypted throughput. If you have a 500 MHz processor (50 Mbps unencrypted) and you need more than 10 Mbps encrypted throughput, you need a faster processor, or a separate encryption card. |
Captive portal | Environments with a larger number of captive portal users (100+) may need to bump their processing power up slightly to achieve the same throughput. |
Large state tables | The default state table size of 10,000 entries takes up 10 MB of RAM. Large environments with hundreds of thousands of entries will want to make sure they have the necessary memory available. It may require you to have at least 2 GB of RAM. |
Squid package | This is a package used for caching web content, and this requires extensive use of a hard disk with a large amount of storage. It is not for use with an embedded installation where writes to the compact flash card are kept to a minimum. |
Snort package | This is a packet sniffer/intrusion prevention and detection system (IPS/IDS). A minimum of 512 MB RAM is required. |
NTop package | This is a network traffic reporting tool. A minimum of 512 MB of RAM is required. |
Now, we need to determine our requirements:
- Our small business rarely has more than a dozen users on the LAN, but all the PCs in the department have GB Ethernet NICs, and the switches are all Gigabit or faster. The internet connection is only about 100 Mbps, so our network hardware is actually much faster than what we need for using the internet. Nevertheless, Gigabit Ethernet ensures that we get fast, reliable transfer times when accessing resources over the local network.
- We want to provide VPN access for remote employees, but we do not anticipate more than a few VPN users at any given time.
- We have also decided that we want to install Ntop to diagnose network traffic problems.
- Finally, since we are saving money by using pfSense, we have decided to reinvest some of the savings into added redundancy. To this end, we will implement a CARP failover group on our network.
At this point, we have identified our minimum requirements as:
- 1 Gbps network hardware (cables and switches)
- Unencrypted throughput of 100 Mbps (bound by speed of Internet connection)
- Encrypted throughput (VPN) of 20 Mbps
- 1 GHz CPU, 1 GB RAM
- A second, identical machine to be used as a failover.
Throughput is the amount of data that can be processed at any given time. For example, we might have a 100 Mbps broadband connection, but if the WAN interface on our firewall can only handle 10 Mbps, that's all we're going to get. Conversely, if we have a Gigabit Ethernet adapter for the WAN interface, but we still only have a 100 Mbps broadband connection, now our internet connection has become the bottleneck.
Firewall throughput is only a factor for traffic passing through the firewall. Internet traffic meets this requirement (LAN <| WAN), as would any traffic between our own networks (LAN <| DMZ). However, traffic between two computers on the same network (for example, the LAN) will not be processed by the firewall and, therefore, the firewall will not be a bottleneck in that scenario.
Note
You should remember that certain firewall features have their own hardware requirements. For example, VPN connections require additional processing power and the Squid web caching package is not suitable for an embedded compact flash disk installation.
With the release of pfSense 2.4, many obsolete packages have been removed from the Package Manager and many new packages are now available. To view available packages, navigate to System | Package Manager | Available Packages.
Read more about the minimum hardware requirements here: https://www.netgate.com/docs/pfsense/book/hardware/minimum-hardware-requirements.html.