This recipe will explain how to determine the throughput requirements, and subsequently the processing and memory requirements needed in our environment.
We’ll want to prepare for determining our requirements by gathering the following information:
Our Internet connection speed.
Our network hardware speed. Will our network be capable of 10, 100, or 1000 Mbps speeds?
What connection speeds will our different types of users be expecting?
Let’s review the general throughput and feature guidelines (available at http://pfsense.com/ at Hardware | Selection & Sizing):
| Firewall throughput | Processing power required | Server hardware (PCI-X/PCI-e NICs) |
|---|---|---|
| 10-20 Mbps | 266-MHz CPU | No |
| 21-50 Mbps | 500-MHz CPU | No |
| 51-200 Mbps | 1-GHz CPU | No |
| 201-500 Mbps | 2-GHz CPU | Recommended |
| 501+ Mbps | 3-GHz CPU | Recommended |
The following table defines any additional system requirements that would be necessary if deploying optional features:
| Feature | Additional requirements |
|---|---|
| VPN | A CPU's encrypted throughput is roughly 20 percent of its unencrypted throughput. If you have a 500-MHz processor (~50 Mbps unencrypted) and you need more than 10 Mbps of encrypted throughput, you're going to need a faster processor or a separate encryption card. |
| Captive portal | Environments with a larger number of captive portal users (100+) may need to bump their processing power slightly to achieve the same throughput. |
| Large state tables | The default state table size of 10,000 entries takes up 10 MB of RAM. Large environments with hundreds of thousands of entries will want to make sure they have the necessary memory available. |
| Squid package | A package used for caching web content. It requires extensive use of a hard disk with a large amount of storage and is not for use with an embedded installation, where writes to the compact flash card are kept to a minimum. |
| Snort package | A packet sniffer and intrusion detection/prevention system (IDS/IPS). A minimum of 512 MB of RAM is required. |
| NTop package | A network traffic reporting tool. A minimum of 512 MB of RAM is required. |
Now, let’s determine our own requirements:
Our medium-sized business, Any Company USA, has 100 typical business users. Our network infrastructure consists of CAT5 cable and 100 Mbps switches. The majority of our traffic is web browsing, e-mails, and small file sharing. Our 100-Mbps Internet connection is ample, and our primary concern is being able to use what we’re paying for.
We want to provide VPN access for employees on the go, but we expect no more than a handful of VPN connections at any given time and throughput for these external users isn’t a primary concern. Of the additional packages available to pfSense, we’ve decided we’d like to use the NTop package to help us analyze our traffic and identify problems.
Lastly, given the money we’re saving using the open source pfSense platform, we’re going to build an additional fail-over firewall to comply with our organization’s redundancy IT policy.
At this point we’ve identified our requirements as:
Throughput is the amount of data that can be processed at any given time. We may have a 100 Mbps fiber-optic Internet connection, but if our firewall’s hardware can only process 20 Mbps, then that’s all we’re going to get.
Firewall throughput is only a factor for traffic passing through the firewall. Internet traffic meets this requirement (LAN <-> WAN), as would any traffic between our own networks (LAN <-> DMZ). However, traffic between two machines on the same network, two PCs in our LAN for example, won't be bottlenecked by the firewall.
It’s important to remember that certain firewall features have their own hardware requirements. For example, VPN connections require additional processing power and the Squid web-caching package isn’t suitable for an embedded compact flash disk installation.
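As an added example (not code from the book or from the pfSense project), the following applies the two guideline tables above to a scenario like Any Company USA's: it converts a VPN throughput need into the equivalent unencrypted load, picks the CPU tier, and adds state-table memory on top of the largest package RAM floor. The 256 MB baseline RAM, the ~5 Mbps figure for a "handful" of VPN users, and treating package minimums as a RAM floor are assumptions, not figures from the recipe.

```python
from dataclasses import dataclass, field

# Throughput guideline table from the recipe: (max Mbps, CPU MHz, server-grade NICs)
THROUGHPUT_TIERS = [(20, 266, False), (50, 500, False), (200, 1000, False),
                    (500, 2000, True)]
TOP_TIER = (3000, True)                 # 501+ Mbps
ENCRYPTED_FRACTION = 0.20               # encrypted throughput is ~20% of unencrypted
STATE_MB_PER_10K = 10                   # 10,000 state entries take ~10 MB of RAM
PACKAGE_MIN_RAM_MB = {"snort": 512, "ntop": 512}   # Squid has no stated RAM floor
BASE_RAM_MB = 256                       # assumed baseline for the base system (not from the recipe)


@dataclass
class Sizing:
    cpu_mhz: int
    server_nics: bool
    ram_mb: int
    notes: list = field(default_factory=list)


def ceil_div(a, b):
    return -(-a // b)


def size_firewall(wan_mbps, vpn_mbps=0.0, states=10_000, packages=(), embedded=False):
    """Return the guideline hardware tier for a pfSense box with these requirements."""
    # Encrypted traffic costs ~5x the CPU of clear traffic, so express the VPN need
    # as equivalent unencrypted throughput and size the CPU for whichever is larger.
    equivalent_mbps = max(wan_mbps, vpn_mbps / ENCRYPTED_FRACTION)
    for max_mbps, cpu, nics in THROUGHPUT_TIERS:
        if equivalent_mbps <= max_mbps:
            break
    else:
        cpu, nics = TOP_TIER

    # RAM: largest package floor (or the assumed baseline) plus the state table.
    ram_floor = max([BASE_RAM_MB] + [PACKAGE_MIN_RAM_MB.get(p, 0) for p in packages])
    ram_mb = ram_floor + ceil_div(states * STATE_MB_PER_10K, 10_000)

    notes = []
    if vpn_mbps / ENCRYPTED_FRACTION > wan_mbps:
        notes.append("VPN throughput, not WAN speed, drives the CPU requirement")
    if "squid" in packages and embedded:
        notes.append("Squid needs a hard disk; not suitable for an embedded CF install")
    return Sizing(cpu, nics, ram_mb, notes)


if __name__ == "__main__":
    # Any Company USA: 100 Mbps WAN, a handful of VPN users (assumed ~5 Mbps),
    # default state table, NTop package.
    print(size_firewall(100, vpn_mbps=5, packages=("ntop",)))
```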
See Available Packages in Appendix A, Monitoring and Logging
PfSense Official Documentation: Minimum Requirements
http://www.pfsense.org/index.php?option=com_content&task=view&id=45&Itemid=48
PfSense Official Documentation: Selection & Sizing
http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49