PfSense Server Hardware

The following hardware sizing guide was written initially and primarily for the product pfSense®.
However, these concepts can also be extended to Zeroshell, IPCop, ipFire, and in part to monowall.
We will then dwell on the technical concepts to explain and motivate the conclusions set out in the instant sizing table.
Readers who do not want to go through all the technical details can jump straight to the instant sizing section.

When sizing hardware for use with pfSense®, two main factors need to be considered:

  1. Throughput required
  2. Features that will be used

These two factors mainly affect RAM, CPU, mass storage and the number of NICs. Below we share our expertise in hardware sizing.

1. Throughput Considerations

If you require less than 10 Mbps of throughput, you can get by with the minimum requirements. For higher throughput requirements we strongly recommend following the scaling suggested by the table below, which is based on our extensive testing and deployment experience in the field. These guidelines offer a bit of breathing room, because you never want to run your hardware at its full capacity.

Minimum system requirements for pfSense® from 2.0 onwards:

  • CPU: no less than 100 MHz
  • RAM: 128 MB
  • Installation on hard disk: 1 GB
  • Embedded: 512 MB Compact Flash

Sizing pfSense® - Throughput

(*) Power Cluster and APUTM with Intel i7 CPU have a Medium noise level only when subjected to heavy and continuous workloads.

2. Feature Considerations

Most features do not factor into hardware sizing, though a few have significant impact on hardware utilization.

VPN: Heavy use of any of the VPN services included in pfSense® will increase CPU requirements. Encrypting and decrypting traffic is CPU intensive. The number of connections is much less of a concern than the throughput required.

  • A 266 MHz CPU will max out at around 4 Mbps of IPsec throughput
  • A 500 MHz CPU can push 10-15 Mbps of IPsec
  • A new-generation i7 or Xeon CPU supports 100 Mbps of IPsec traffic

Supported encryption cards, such as several from Hifn, are capable of significantly reducing CPU requirements.

Squid – Squidguard – outgoing traffic control through proxy: both packages rely heavily on both the CPU and disk writes. It is therefore strongly recommended to use with the Entry level and the use of AUTM and AUTM2 with DOM devices.
For this kind of work it is strongly recommended to use AUTM, AUTM2 and Microcluster with SSD or classic disks.
However, optimized use of the squid package alone is also possible on the entry level, as long as you turn off every kind of writing to the disk media, at a heavy cost in performance.

Captive Portal: While the primary concern is typically throughput, environments with hundreds of simultaneous captive portal users (of which there are many) will require slightly more CPU power than recommended above.

Large state tables: state table entries require about 1 KB of RAM each. The default state table, when full at 10,000 entries, takes up a little less than 10 MB RAM. For large environments requiring state tables with hundreds of thousands of connections, ensure adequate RAM is available.
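
As an added example (not part of the original guide), the following sh script turns the state table figures above into a headroom check that parses the output of `pfctl -si` and `pfctl -sm`. The sample outputs are constructed, and the 75%/90% thresholds and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pf state-table headroom check built on the ~1 KB/state figure.
KB_PER_STATE=1   # approximate RAM per state entry, from the sizing text

# Constructed sample of `pfctl -si` output (trimmed to the state table part).
SAMPLE_INFO='State Table                          Total             Rate
  current entries                     8421
  searches                       912345678          870.3/s
  inserts                          4567890            4.4/s
  removals                         4559469            4.3/s'

# Constructed sample of `pfctl -sm` output.
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

current_states() {   # $1 = text of `pfctl -si`
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

state_limit() {      # $1 = text of `pfctl -sm`
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

state_usage_pct() {  # $1 = current entries, $2 = hard limit; integer percent
    [ "${2:-0}" -gt 0 ] || return 1   # refuse a missing or zero limit
    echo $(( $1 * 100 / $2 ))
}

state_ram_mb() {     # $1 = number of entries; approximate RAM in whole MB
    echo $(( $1 * KB_PER_STATE / 1024 ))
}

state_verdict() {    # $1 = usage percent; thresholds are assumptions
    if [ "$1" -ge 90 ]; then echo crit
    elif [ "$1" -ge 75 ]; then echo warn
    else echo ok
    fi
}

cur=$(current_states "$SAMPLE_INFO")
lim=$(state_limit "$SAMPLE_LIMITS")
pct=$(state_usage_pct "$cur" "$lim")
echo "states: $cur/$lim (${pct}%) verdict=$(state_verdict "$pct")" \
     "RAM for a full table: ~$(state_ram_mb "$lim") MB"
```

On a live firewall, replace the two sample variables with the real command output, for example `current_states "$(pfctl -si)"`.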

Packages: some of the packages increase RAM requirements significantly. Snort and ntop are two that should not be installed on a system with less than 512 MB RAM.

Version of pfSense® to install

We must emphasize the difference between the two types of installation that you can perform with pfSense® on the different devices:
  • The embedded solution (Entry Level firewall) does NOT allow log files to be written to the storage (CF or DOM), and doing so is in any case strongly discouraged. Some additional pfSense® packages cannot be installed on this version.
  • The solution that installs on the hard disk (usually on the UTM Appliance solutions or above) is able to save logs to it. On this version you can install all the additional packages provided for pfSense®.

3. In-depth analysis of Network Cards' chipset

The choice of network card is essential for anyone planning a medium or large system.

As you can see from the product descriptions, we always specify precisely whether the devices incorporate an Intel or a Realtek chipset.

The Realtek chipset is less powerful than the Intel chipset and is mainly suitable for less intense workloads. However, for a company that does not require high throughput (as is the case for 85% of Italian companies), it is always the ideal choice.

The Intel chipset, on the other hand, offers better performance under heavy traffic: it provides several advanced features such as queue management and, from version 2.2 of pfSense®, multi-core support has also improved. This means higher throughput and a reduced load on the CPU.

In this regard, we published a study on optimizing Intel NICs by tuning the driver and its settings. We should point out, however, that our appliances have not needed this kind of optimization so far. We include it anyway, in order to give you a full picture.

4. Sizing according to the noise of the devices

To choose the most suitable product, you need to think about where the firewall will be placed.
If the device will be located close to people who are working, you will need to choose a device with a low noise level or purchase the corresponding silent kit.
Below is a table with indicative data on the noise of our devices:

Designers' notes on noise:
a device that dissipates heat well will surely last longer and will be more stable and reliable.
That is why our high-end devices are designed so that the airflow passes over and cools the internal components.

5. When should I use the Microcluster?

A Cluster system is a solution composed of two completely independent hardware systems. There are 3 versions of Cluster solutions: one for a small office, one for an SME or small data center, and one for heavy traffic and/or medium to large organizations.
The Small Cluster and the Power Cluster are 2U devices, consisting of 2 drawers, each hosting a totally independent hardware system.
In particular, with pfSense® you can obtain a true active-passive cluster, configured for high reliability between the 2 drawers, which become cluster nodes to all intents and purposes.
The other operating systems do not have (hopefully only for now) a function like the CARP of pfSense®, but they can be configured in such a way that the user can manually turn off one of the two systems and turn on the other. We can therefore say that with pfSense® the cluster is automatic, while with the other operating systems it is manual. This system should be used in environments where high reliability is required.

6. Instant sizing

Based on our experience, we have established a classification of the installations we have followed over the years. This classification is the result not only of the experience gained while installing firewalls, but also of the technological evolution in what the user requires of the device over its years of use.