Hey Jim, Thank you for the response it is all good stuff. I would be interested in looking at the pfCenter you mentioned, just to check it out and having an API for pfSense would be awesome.
Joe On Wed, May 21, 2014 at 11:58 PM, Jim Thompson <[email protected]> wrote: > > On May 21, 2014, at 8:44 PM, Adam Thompson <[email protected]> wrote: > > > On 14-05-21 08:27 PM, Joseph H wrote: > >> Hi Everyone, > >> > >> I was having a debate with a new network engineer we have and we were > discussing how pfSense performs and how it would handle 10G network > connections, setup as a transparent firewall, using snort and a few other > packages to help monitor and graph traffic. > >> > >> I was saying that as long as it has plenty of CPU and Memory, plus > Intel NIC's for the 10G then it would not have any problems doing > transparent mode, and there would be no noticeable slowdown or sluggishness. > >> > >> Does anyone have any statistics they would share or what size server to > build, using Intel 10G nic cards? > >> > >> Thanks in advance. > >> > >> Joe > >> > > > > Jim just had this argument with Henning Brauer at BSDCan… > > were you in the room? you should have said ‘HI’. > > I wasn’t so much arguing with Henning as I was asserting that his > statement (that OpenBSD, which is slower than FreeBSD (and thus pfSense) > can forward at 10Gbps rates) was… suspect. > > > at those speeds, bandwidth doesn't really matter, packets-per-second > matters. > > In most normal situations, pfSense can pass almost 10Gbit/sec of traffic. > > As it stands today, on a fast box, pfSense will forward a bit more than > 1Mpps. It’s easy math to get to 10Gbps throughput. If you’re using 1500 > byte frames, then presto: 10Gbps “throughput” > without maxing things out. > > Good news, right? Nope. Not all the world is an FTP session. So it’s > actually an issue, and one that has never really be addressed. So, we’re > addressing it. > pfSense needs to “grow up” from being mostly about people’s home networks, > into a real system that can stand up in the face todays’ high packet rate > cloud environments. > > The dev team behind pfSense spent a lot of time talking at BSDcan about > where we want to go after pfSense 2.2 is released. > > There are two main places we’re going to focus: > - performance (because everyone enjoys doing performance work, and > pfSense has some catching up to do) > - manageability (basically this means that there will be an API > for pfSense, so bolting it into our product (“pfCenter”) as well as various > devops stacks (puppet, chef, salt, ansible, open stack, etc) > becomes possible. > > As I type, to my immediate left, are a pair of Intel i5 NUCs running > pkt-gen between themselves on a nearly dumb switch. They’re passing 1.387 > - 1.388 Mpps between them. > Put pfSense between them, and the throughput drops. How much it drops > depends on how much CPU can be thrown at it, and a subject I’m not willing > to go delve into right now. > Let’s just say “half” in the best scenario, and that a lot of my work @ > home will be spent trying to make the APU (and systems like it) perform > better. > > For larger systems, at work there are a set of about a dozen machines, > with various Intel, Solarflare and Chelsio 10Gbps NICs installed, and a > couple 10Gbps switches, all in the “test rack”. That is, none of this is > in “production”. There is a whole other set of hardware that constitutes > the “production” network. When fully-installed, both clusters of machines > will be running at 10Gbps. > > > … Just so you know where we’re going ... > > (As previously related, we have a pair of 10Gbps links between the office > and the datacenter next door, so we’re prepared to dogfood the results.) > > Jim > > _______________________________________________ > List mailing list > [email protected] > https://lists.pfsense.org/mailman/listinfo/list >
_______________________________________________ List mailing list [email protected] https://lists.pfsense.org/mailman/listinfo/list
