next »

[s_265_925]

hi all!
i have an isp and i only need restriction for my users in some services and filter some ports ...
i have about 10 Gb in and 10 Gb out traffic!
what hardwares should i use for best performance for this amount of traffic?
what is your idea ?

[stephenw10]

10Gigabits per second in and out?  

I'm not sure there is any hardware that can do that in a single box. Due to the way pfSense works and the current performance of CPUs I believe the best possible throughput is 4-5Gbps. I could be wrong though.

Following this thread with interest.

Steve

[allpoints]

BIG Linux core switches:

http://www.aristanetworks.com/

 

[s_265_925]

thanks all for replay  ! but i need cpu -ram- lan details ! can i use a multiprocessor server ?!  i need solution !! any idea ?
before that ! is it possible to do this with this amount of traffic 

[stephenw10]

It hadn't even occurred to me that you might not be asking about pfSense. 

You probably could do this with pfSense but not with one machine. You would need to split your 10Gb connection across a number of boxes, say five each firewalling 2Gb.

This is way out of my league to be honest. If you're serious about doing this I'm sure BSD perimeter could sort you out.

Steve

[s_265_925]

first thanks for helping!
i think you are right splitting is the best way  ! now with your experience what do you think for 2 Gb traffic in and out what should i use ! i mean what hardwares can do that for me without hanging and other problems  .

[dhatz]

10Gigabits per second in and out?  
I'm not sure there is any hardware that can do that in a single box. Due to the way pfSense works and the current performance of CPUs I believe the best possible throughput is 4-5Gbps. I could be wrong though.

Following this thread with interest.

There was a topic on this sub-forum How Far Have You Scaled Your PFS Box?, but most posts are from the 2008/2009 era. It'd be interesting to hear about recent pfSense deployments, considering that newer FreeBSD supports several 10G cards.

Based on what I read here http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html there is also some effort underway to create an SMP-friendly version of PF for FreeBSD

[stephenw10]

Ah, interesting reading. Interesting that this is a FreeBSD effort and not OpenBSD.
Also particularly happy to see that this is very much current.

SMP to one side it should be possible to beat the old records with modern hardware. What do you think is now possible?

Steve

[s_265_925]

SO WHAT ?    POSSIBLE OR NOT ? 

[s_265_925]

what do you think about this ?!
http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-furious-hd-rack-edition-19-pfsense-appliance.html

[stephenw10]

It is possible, yes.  

I've never tested anything at these speeds personally so I can't give you any recommendations. As we discussed the currect, and likely near future, versions of pfSense are restricted by the fact that pf(4) does not multithread. Therefore to get the greatest throughput you need a machine with a high cpu clock speed per core rather than multiple cores at a lower speed. There is very little point in using a 16core xeon server for example.

Steve

Edit: The applianceshop hardware looks nice and you are guaranteed that it will all work with pfSense.   Perhaps drop them a line and ask about maximum throughput.

Edit: They state 9.5Gbps in the brochure. But is that for a single connection or the total of many connections?

[s_265_925]

thanks for helping