Re: [pfSense] pfsense performance
Hey Jim,

Thank you for the response, it is all good stuff. I would be interested in looking at the pfCenter you mentioned, just to check it out, and having an API for pfSense would be awesome.

Joe

On Wed, May 21, 2014 at 11:58 PM, Jim Thompson j...@smallworks.com wrote:

> On May 21, 2014, at 8:44 PM, Adam Thompson athom...@athompso.net wrote:
>
>> On 14-05-21 08:27 PM, Joseph H wrote:
>>
>>> Hi Everyone,
>>>
>>> I was having a debate with a new network engineer we have and we were discussing how pfSense performs and how it would handle 10G network connections, set up as a transparent firewall, using Snort and a few other packages to help monitor and graph traffic. I was saying that as long as it has plenty of CPU and memory, plus Intel NICs for the 10G, then it would not have any problems doing transparent mode, and there would be no noticeable slowdown or sluggishness.
>>>
>>> Does anyone have any statistics they would share, or what size server to build, using Intel 10G NIC cards?
>>>
>>> Thanks in advance.
>>>
>>> Joe
>>
>> Jim just had this argument with Henning Brauer at BSDCan…
>
> were you in the room? you should have said 'HI'.
>
> I wasn't so much arguing with Henning as I was asserting that his statement (that OpenBSD, which is slower than FreeBSD (and thus pfSense), can forward at 10Gbps rates) was… suspect.
>
>> at those speeds, bandwidth doesn't really matter, packets-per-second matters. In most normal situations, pfSense can pass almost 10Gbit/sec of traffic.
>
> As it stands today, on a fast box, pfSense will forward a bit more than 1Mpps. It's easy math to get to 10Gbps throughput. If you're using 1500 byte frames, then presto: 10Gbps "throughput" without maxing things out.
>
> Good news, right? Nope. Not all the world is an FTP session.
>
> So it's actually an issue, and one that has never really been addressed. So, we're addressing it. pfSense needs to "grow up" from being mostly about people's home networks into a real system that can stand up in the face of today's high packet rate cloud environments.
>
> The dev team behind pfSense spent a lot of time talking at BSDCan about where we want to go after pfSense 2.2 is released. There are two main places we're going to focus:
>
> - performance (because everyone enjoys doing performance work, and pfSense has some catching up to do)
> - manageability (basically this means that there will be an API for pfSense, so bolting it into our product ("pfCenter") as well as various devops stacks (Puppet, Chef, Salt, Ansible, OpenStack, etc.) becomes possible.)
>
> As I type, to my immediate left, are a pair of Intel i5 NUCs running pkt-gen between themselves on a nearly dumb switch. They're passing 1.387 - 1.388 Mpps between them. Put pfSense between them, and the throughput drops. How much it drops depends on how much CPU can be thrown at it, and is a subject I'm not willing to delve into right now. Let's just say "half" in the best scenario, and that a lot of my work @ home will be spent trying to make the APU (and systems like it) perform better.
>
> For larger systems, at work there are a set of about a dozen machines, with various Intel, Solarflare and Chelsio 10Gbps NICs installed, and a couple of 10Gbps switches, all in the "test rack". That is, none of this is in "production". There is a whole other set of hardware that constitutes the "production" network. When fully installed, both clusters of machines will be running at 10Gbps.
>
> … Just so you know where we're going ...
>
> (As previously related, we have a pair of 10Gbps links between the office and the datacenter next door, so we're prepared to dogfood the results.)
>
> Jim

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
[pfSense] pfsense performance
Hi Everyone,

I was having a debate with a new network engineer we have and we were discussing how pfSense performs and how it would handle 10G network connections, set up as a transparent firewall, using Snort and a few other packages to help monitor and graph traffic. I was saying that as long as it has plenty of CPU and memory, plus Intel NICs for the 10G, then it would not have any problems doing transparent mode, and there would be no noticeable slowdown or sluggishness.

Does anyone have any statistics they would share, or what size server to build, using Intel 10G NIC cards?

Thanks in advance.

Joe
Re: [pfSense] pfsense performance
On 14-05-21 08:27 PM, Joseph H wrote:

> Hi Everyone,
>
> I was having a debate with a new network engineer we have and we were discussing how pfSense performs and how it would handle 10G network connections, set up as a transparent firewall, using Snort and a few other packages to help monitor and graph traffic. I was saying that as long as it has plenty of CPU and memory, plus Intel NICs for the 10G, then it would not have any problems doing transparent mode, and there would be no noticeable slowdown or sluggishness.
>
> Does anyone have any statistics they would share, or what size server to build, using Intel 10G NIC cards?
>
> Thanks in advance.
>
> Joe

Jim just had this argument with Henning Brauer at BSDCan... at those speeds, bandwidth doesn't really matter, packets-per-second matters. In most normal situations, pfSense can pass almost 10Gbit/sec of traffic. However, in a DDoS - or VoIP - scenario, its limited PPS rates (compared to stupidly expensive hardware-accelerated appliances) will rapidly become a bottleneck. Depending on your traffic patterns, you will probably max out on PPS long before you max out on bandwidth.

Transparent mode vs. routed mode probably won't make all that much difference at the scales you're talking about, but I admit I've never tried transparent mode at 1Gbps.

--
-Adam Thompson
athom...@athompso.net
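Jim's "easy math" (a bit more than 1 Mpps times 1500-byte frames is roughly 10 Gbit/s) and Adam's warning that a DDoS flood or VoIP traffic hits the packets-per-second ceiling long before the bandwidth ceiling are the same calculation read from opposite ends. The script below is an added example, not code from this thread or from the pfSense project. It assumes only standard Ethernet framing constants (8-byte preamble/SFD, 12-byte inter-frame gap, 64-byte minimum and 1518-byte maximum untagged frame) and takes the 1 Mpps forwarding figure from Jim's message as its input; it measures nothing.

```python
"""
Packets-per-second vs. bandwidth for a software firewall.

Added example for the pfSense performance thread; the forwarding rate
(1 Mpps) is the figure quoted in the thread, the framing constants are
standard Ethernet, and nothing here is a measurement of a real box.
"""

# On-the-wire overhead per frame, in bytes. The 4-byte FCS is already
# counted inside a "64-byte" or "1518-byte" frame; the preamble/SFD and
# the inter-frame gap are not, but they still consume link time, which is
# why a 10GbE link tops out at 14.88 Mpps rather than 10e9 / (64 * 8).
PREAMBLE_SFD = 8
INTERFRAME_GAP = 12
WIRE_OVERHEAD = PREAMBLE_SFD + INTERFRAME_GAP  # 20 bytes

MIN_FRAME = 64     # smallest legal Ethernet frame, FCS included
MAX_FRAME = 1518   # 1500-byte payload + 14-byte header + 4-byte FCS, untagged


def wire_bits(frame_bytes: int) -> int:
    """Bits of link time one frame of this size occupies, overhead included."""
    if frame_bytes < MIN_FRAME:
        raise ValueError("Ethernet pads every frame to at least 64 bytes")
    return (frame_bytes + WIRE_OVERHEAD) * 8


def gbps_at(pps: float, frame_bytes: int) -> float:
    """Wire throughput in Gbit/s when forwarding `pps` frames of one size."""
    return pps * wire_bits(frame_bytes) / 1e9


def line_rate_pps(link_gbps: float, frame_bytes: int) -> float:
    """Frames per second needed to saturate a link with frames of this size."""
    return link_gbps * 1e9 / wire_bits(frame_bytes)


def pps_headroom(forward_pps: float, link_gbps: float, frame_bytes: int) -> float:
    """
    Fraction of line rate a box that forwards `forward_pps` sustains at a
    given frame size. Capped at 1.0: once the wire is full, spare pps
    capacity buys nothing.
    """
    return min(1.0, forward_pps / line_rate_pps(link_gbps, frame_bytes))


if __name__ == "__main__":
    box_pps = 1.0e6  # "a bit more than 1Mpps" from the thread
    for size in (MIN_FRAME, 128, 256, 512, 1024, MAX_FRAME):
        print(
            f"{size:5d}-byte frames: 1 Mpps = {gbps_at(box_pps, size):5.2f} Gbit/s, "
            f"10GbE line rate needs {line_rate_pps(10, size) / 1e6:5.2f} Mpps, "
            f"box reaches {pps_headroom(box_pps, 10, size):4.0%} of line rate"
        )
```

Run as a script it prints the table that the two messages describe in words: at 1518-byte frames 1 Mpps is more than a 10GbE link can carry, so the box is wire-bound; at 64-byte frames the same 1 Mpps is about 0.67 Gbit/s, under 7% of the link, because filling 10GbE with minimum-size frames takes 14.88 Mpps. That second number is the one to plan capacity around, since SYN floods, UDP amplification replies and RTP streams all sit at the small end of the frame-size range. For comparison, a 1GbE link carries about 1.488 Mpps of 64-byte frames, so the 1.387 Mpps Jim measured between the two NUCs is close to gigabit line rate if pkt-gen was sending minimum-size frames (an assumption, the thread does not state the frame size).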
Re: [pfSense] pfsense performance
Hi Adam,

Thanks for the response. I wonder if I set up a pfSense and use a packet generator, maybe I can find out an answer. Once I get a couple of servers freed up which have dual 10G NICs, I might give this a try. I have a couple of HP servers with, I think, 48 cores and 128G of RAM being decommed from their current role in the next month, so I might use them to test this before we reload and redeploy them.

Joe

On Wed, May 21, 2014 at 9:44 PM, Adam Thompson athom...@athompso.net wrote:

> On 14-05-21 08:27 PM, Joseph H wrote:
>
>> Hi Everyone,
>>
>> I was having a debate with a new network engineer we have and we were discussing how pfSense performs and how it would handle 10G network connections, set up as a transparent firewall, using Snort and a few other packages to help monitor and graph traffic. I was saying that as long as it has plenty of CPU and memory, plus Intel NICs for the 10G, then it would not have any problems doing transparent mode, and there would be no noticeable slowdown or sluggishness.
>>
>> Does anyone have any statistics they would share, or what size server to build, using Intel 10G NIC cards?
>>
>> Thanks in advance.
>>
>> Joe
>
> Jim just had this argument with Henning Brauer at BSDCan... at those speeds, bandwidth doesn't really matter, packets-per-second matters. In most normal situations, pfSense can pass almost 10Gbit/sec of traffic. However, in a DDoS - or VoIP - scenario, its limited PPS rates (compared to stupidly expensive hardware-accelerated appliances) will rapidly become a bottleneck. Depending on your traffic patterns, you will probably max out on PPS long before you max out on bandwidth.
>
> Transparent mode vs. routed mode probably won't make all that much difference at the scales you're talking about, but I admit I've never tried transparent mode at 1Gbps.
>
> --
> -Adam Thompson
> athom...@athompso.net