Hardware Sizing Guidance¶

When sizing hardware for pfSense® software, required throughput and necessary features are the primary factors that govern hardware selection.

The information on Netgate Store now contains up-to-date specifications and performance data on all hardware sold by Netgate. The data on the Netgate Store is updated as needed and it is always the most accurate and current source of performance data.

Tip

Contact Netgate Sales for personalized help in selecting the most suitable model for any implementation.

Estimating throughput of third party / whitebox hardware is difficult and inaccurate. In some cases, ballpark estimates may be made by comparing hardware specifications with those found on the Netgate Store for comparable models.

Throughput Considerations¶

In real networks the traffic flow will likely contain packets of varying size, not all maximum size packets, but it completely depends on the environment and the type of traffic involved. IMIX testing attempts to approximate a mixture of traffic that more closely resembles real-world environments. Simple IMIX traffic is sets of 7 (40) byte packets, (4) 576 byte packets, 1 (1500) byte packets, plus Ethernet framing overhead.

Note

The Netgate Store entries for hardware include data for both maximum size packet size (“IPERF3”) as well as results for IMIX traffic patterns.

As a general reference, table 500,000 PPS Throughput at Various Frame Sizes lists a few common packet sizes and the throughput achieved at an example rate of 500,000 packets per second.

500,000 PPS Throughput at Various Frame Sizes¶
Frame size	Throughput at 500 Kpps
64 bytes	244 Mbps
500 bytes	1.87 Gbps
1000 bytes	3.73 Gbps
1500 bytes	5.59 Gbps

Performance difference by network adapter type¶

The choice of NIC has a significant impact on performance. Inexpensive, low end cards consume significantly more CPU than better quality cards such as Intel. The first bottleneck with firewall throughput is the CPU. Throughput improves significantly by using a better quality NIC with slower CPUs. By contrast, increasing the speed of the CPU will not proportionally increase the throughput when coupled with a low quality NIC.

Feature Considerations¶

Features, services and packages enabled on the firewall can lower the total potential throughput as they consume hardware resources that could otherwise be used to transfer network traffic. This is especially true for packages that intercept or inspect network traffic, such as Snort or Suricata.

Most base system features do not significantly factor into hardware sizing but a few can potentially have a considerable impact on hardware utilization.

Large State Tables¶

Active network connections through the firewall are tracked in the firewall state table. Each connection through the firewall consumes two states: One entering the firewall and one leaving the firewall. For example, if a firewall must handle 100,000 simultaneous web server client connections the state table must be able to hold 200,000 states.

VPN (all types)¶

The question customers typically ask about VPNs is “How many connections can my hardware handle?” That is a secondary factor in most deployments and is of lesser consideration. That metric is a relic of how other vendors have licensed VPN capabilities in the past and has no specific direct equivalent in pfSense software. The primary consideration in hardware sizing for VPN is the potential throughput of VPN traffic.

Encrypting and decrypting network traffic with all types of VPNs is CPU intensive. pfSense software offers several cipher options for use with IPsec. The various ciphers perform differently and the maximum throughput of a firewall is dependent on the cipher used and whether or not that cipher can be accelerated by the hardware.

See also

The Netgate Store contains VPN performance data for each device sold by Netgate using the most optimal cipher for each device based on its capabilities.

Hardware cryptographic accelerators, such as those found on most Netgate hardware, greatly increase maximum VPN throughput and largely eliminate the performance difference between accelerated ciphers. For IPsec, ciphers may be accelerated by onboard cryptographic accelerators. For example, AES-GCM is accelerated by AES-NI and it is faster not only for that, but because it also does not require a separate authentication algorithm. IPsec also has less per-packet operating system processing overhead than OpenVPN, so for the time being IPsec will nearly always be faster than OpenVPN.

Where high VPN throughput is a requirement for a firewall, hardware cryptographic acceleration is of utmost importance to ensure not only fast transmission speeds but also reduced CPU overhead. The reduction in CPU overhead means the VPN will not lower the performance of other services on the firewall.

The current best available acceleration is available by using pfSense Plus software on hardware with a QAT device, followed by a CPU which includes support for IPsec-MB (SSE, AVX2, AVX512), or failing that, a CPU which includes AES-NI support combined with AES-GCM in IPsec.

Packages¶

Certain packages have a significant impact on hardware requirements, and their use must be taken into consideration when selecting hardware.

Snort/Suricata¶

Snort and Suricata are pfSense software packages for network intrusion detection. Depending on their configuration, they can require a significant amount of RAM. 1 GB should be considered a minimum but some configurations may need 2 GB or more, not counting RAM used by the operating system, firewall states, and other packages.

Suricata is multi-threaded and can potentially take advantage of NETMAP for inline IPS if the hardware offers support.

States	Connections	RAM Required
100,000	50,000	~97 MB
500,000	250,000	~488 MB
1,000,000	500,000	~976 MB
3,000,000	1,500,000	~2900 MB
8,000,000	4,000,000	~7800 MB