Hardware Sizing Guidance

When sizing hardware for pfSense, required throughput and necessary features are the primary factors that govern hardware selection.

Throughput Considerations

The minimum requirements are enough if less than 100 Mbps of unencrypted throughput is required. For higher throughput requirements, follow these guidelines based on extensive testing and deployment experiences.

The hardware referenced in this section is available from the pfSense Store. The general specifications of the hardware can be found in Table pfSense Hardware.

pfSense Hardware
Model CPU Clock Cores RAM NIC Speed
SG-1000 TI ARM Cortex-A8 AM3352 600 MHz 1 512 MB 2x1G
SG-2220 Intel Rangeley Atom C2338 1.7 GHz 2 2 GB 2x1G
SG-2440 Intel Rangeley Atom C2358 1.7 GHz 2 4 GB 2x1G
SG-4860 Intel Rangeley Atom C2558 2.4 GHz 4 8 GB 6x1G
SG-8860 Intel Rangeley Atom C2758 2.4 GHz 8 8 GB 6x1G
XG-2758 Intel Rangeley Atom C2758 2.4 GHz 8 16 GB 2x10G, 4x1G
C2758 Intel Rangeley Atom C2758 2.4 GHz 8 8 GB 4x1G +2x10G
XG-1540 Intel Xeon-DE D-1541 2.0 GHz 8 16-32 GB 2x10G, 2x1G

The Table Maximum Throughput by CPU - 1400 Byte Packets compares throughput between several hardware models. The table contains throughput in Mbit/s for TCP. A packet size of 1400 bytes was used for this test.

Warning

The numbers below are sample results of ongoing testing and do not accurately reflect the full potential throughput of each device.

Maximum Throughput by CPU - 1400 Byte Packets
Model TCP - 1400 Byte Packets
Mbit/s
SG-1000 306
SG-2220 939
SG-2440 939
SG-4860 939
SG-8860 939
XG-2758 4550
C2758 4630
XG-1540 4900

In real networks the traffic flow will likely contain packets of varying size, not all this large, but it completely depends on the environment and the type of traffic involved. Table 500,000 PPS Throughput at Various Frame Sizes lists a few common packet sizes and the throughput achieved at an example rate of 500,000 packets per second.

500,000 PPS Throughput at Various Frame Sizes
Frame size Throughput at 500 Kpps
64 bytes 244 Mbps
500 bytes 1.87 Gbps
1000 bytes 3.73 Gbps
1500 bytes 5.59 Gbps

Performance difference by network adapter type

The choice of NIC has a significant impact on performance. Inexpensive, low end cards consume significantly more CPU than better quality cards such as Intel. The first bottleneck with firewall throughput is the CPU. Throughput improves significantly by using a better quality NIC with slower CPUs. By contrast, increasing the speed of the CPU will not proportionally increase the throughput when coupled with a low quality NIC.

Feature Considerations

Features, services and packages enabled on the firewall can lower the total potential throughput as they consume hardware resources that could otherwise be used to transfer network traffic. This is especially true for packages that intercept or inspect network traffic, such as Snort or Suricata.

Most base system features do not significantly factor into hardware sizing but a few can potentially have a considerable impact on hardware utilization.

Large State Tables

Active network connections through the firewall are tracked in the firewall state table. Each connection through the firewall consumes two states: One entering the firewall and one leaving the firewall. For example, if a firewall must handle 100,000 simultaneous web server client connections the state table must be able to hold 200,000 states.

See also

States are covered further in Firewall.

Firewalls in environments which require large numbers of simultaneous states must have sufficient RAM to contain the state table. Each state takes approximately 1 KB of RAM, which makes calculating the memory requirements relatively easy. Table Large State Table RAM Consumption provides a guideline for the amount of memory required for larger state table sizes. This is solely the memory used for the state tracking. The operating system itself along with other services will require at least 175-256 MB additional RAM and possibly more depending on the features used.

Large State Table RAM Consumption
States Connections RAM Required
100,000 50,000 ~97 MB
500,000 250,000 ~488 MB
1,000,000 500,000 ~976 MB
3,000,000 1,500,000 ~2900 MB
8,000,000 4,000,000 ~7800 MB

It is safer to overestimate the requirements. Based on the information above, a good estimate would be that 100,000 states consume about 100 MB of RAM, or that 1,000,000 states would consume about 1 GB of RAM.

VPN (all types)

The question customers typically ask about VPNs is “How many connections can my hardware handle?” That is a secondary factor in most deployments and is of lesser consideration. That metric is a relic of how other vendors have licensed VPN capabilities in the past and has no specific direct equivalent in pfSense. The primary consideration in hardware sizing for VPN is the potential throughput of VPN traffic.

Encrypting and decrypting network traffic with all types of VPNs is CPU intensive. pfSense offers several cipher options for use with IPsec. The various ciphers perform differently and the maximum throughput of a firewall is dependent on the cipher used and whether or not that cipher can be accelerated by the hardware.

Hardware crypto accelerators greatly increase maximum VPN throughput and largely eliminate the performance difference between accelerated ciphers. Table VPN Throughput by hardware model, all values are Mbit/s illustrates the maximum throughput for various hardware available from the pfSense store when using IPsec and OpenVPN.

For IPsec, AES-GCM is accelerated by AES-NI and it is faster not only for that, but because it also does not require a separate authentication algorithm. IPsec also has less per-packet operating system processing overhead than OpenVPN, so for the time being IPsec will nearly always be faster than OpenVPN.

Warning

The numbers below are sample results of ongoing testing and do not accurately reflect the full potential throughput of each device.

VPN Throughput by hardware model, all values are Mbit/s
Model OpenVPN / AES-128+SHA1 IPsec / IKEv2+AES-GCM
TCP 1400B TCP 1400B
SG-1000 17 22
SG-2220 65 322
SG-2440 65 325
SG-4860 73 418
SG-8860 73 445
XG-2758 68 435
C2758 143 556
XG-1540 166 780

Where high VPN throughput is a requirement for a firewall, hardware crypto acceleration is of utmost importance to ensure not only fast transmission speeds but also less CPU overhead. The reduction in CPU overhead means the VPN will not lower the performance of other services on the firewall. The current best available acceleration is available by using a CPU which includes AES-NI support combined with AES-GCM in IPsec.

Packages

Certain packages have a significant impact on hardware requirements, and their use must be taken into consideration when selecting hardware.

Snort/Suricata

Snort and Suricata are pfSense packages for network intrusion detection. Depending on their configuration, they can require a significant amount of RAM. 1 GB should be considered a minimum but some configurations may need 2 GB or more.

Suricata is multi-threaded and can potentially take advantage of NETMAP for inline IPS if the hardware offers support.

Squid

Squid is a caching HTTP proxy server available as a pfSense package. Disk I/O performance is an important consideration for Squid users since it determines cache performance. In contrast, disk speed is largely irrelevant for most pfSense firewalls since the only significant disk activity is boot time and upgrade time; it has no relevance to network throughput or other normal operation.

Even for Squid any hard drive will suffice in small environments. For 200+ user deployments, a high-quality SSD from a Tier-1 OEM is a must-have. A low-quality SSD may not be able to endure the numerous writes involved with maintaining cached data.

The size of the squid cache also factors into the amount of RAM required for the firewall. Squid consumes approximately 14MB of RAM per 1GB of cache on amd64. At that rate, a 100GB cache would require 1.4GB of RAM for cache management alone, not counting other RAM needs for squid.