Tuesday, June 09, 2015

pfSense Firewall CPU load estimate

According to the pfSense dashboard, I have:

Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
2 CPUs: 1 package(s) x 2 core(s)

When running a quick speed test, "top" shows about 5% system load at 60Mbps. That gives a rough upper end of around 1200Mbps (1.2Gbps) for switching speed. At a guess, that might be closer to only 1Gbps performance under heavy traffic.

1Gbps of capacity is plenty for the moment, since I have:

- 50/50 Mbps service from Verizon FIOS (seems to peak at 60/60)
- 802.11 b/g/n (11-54Mbps)
- 802.11ac (tops out at around 1Gbps)

But it may not be enough for connecting together multiple gigabit LAN segments. So I will need to keep all high-bandwidth traffic on the same VLAN so that the traffic gets handled by the switches without touching the pfSense firewall.

Update #1 (Jul 10 2015): Suricata cuts the performance of the WAN interface (in terms of CPU load per Mbps) by a factor of 5x-10x. While I could probably route 1.2-1.5Gbps with this firewall, a 30Mbps load on the WAN, which is monitored by Suricata, resulted in 20% CPU load. That puts my upper bound for WAN traffic at only 150Mbps.
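
The extrapolation above, as an added example that is not part of the original post: it reproduces the two single-sample estimates (60Mbps at 5% CPU, 30Mbps at 20% CPU with Suricata) and generalizes to a least-squares fit over several load points, which separates idle CPU load from per-Mbps cost. The function names and the three-point sample set are assumptions constructed for illustration, not measurements from the post.

```python
# Added example: estimate a firewall's throughput ceiling from (Mbps, CPU %) samples.

def fit_line(samples):
    """Least-squares fit of cpu_pct = base + slope * mbps.

    If all samples sit at one load level there is nothing to fit, so fall
    back to the through-origin extrapolation used in the post (base = 0).
    """
    if not samples:
        raise ValueError("need at least one (mbps, cpu_pct) sample")
    n = len(samples)
    mean_x = sum(m for m, _ in samples) / n
    mean_y = sum(c for _, c in samples) / n
    sxx = sum((m - mean_x) ** 2 for m, _ in samples)
    if sxx == 0:
        if mean_x <= 0:
            raise ValueError("samples must be taken under traffic load")
        return 0.0, mean_y / mean_x
    sxy = sum((m - mean_x) * (c - mean_y) for m, c in samples)
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def ceiling_mbps(samples, cpu_limit=100.0):
    """Throughput at which the fitted CPU load reaches cpu_limit percent."""
    base, slope = fit_line(samples)
    if slope <= 0:
        raise ValueError("CPU load does not rise with throughput in these samples")
    return (cpu_limit - base) / slope


def inspection_cost(plain, inspected):
    """How many times more CPU per Mbps the inspected path costs."""
    return fit_line(inspected)[1] / fit_line(plain)[1]


# Figures quoted in the post: one sample per configuration.
PLAIN_POST = [(60, 5)]        # routing only
SURICATA_POST = [(30, 20)]    # WAN interface monitored by Suricata
# Constructed samples (not from the post) showing a 0.5% idle baseline.
PLAIN_CONSTRUCTED = [(20, 2.0), (40, 3.5), (60, 5.0)]

if __name__ == "__main__":
    print("routing ceiling:   %.0f Mbps" % ceiling_mbps(PLAIN_POST))
    print("Suricata ceiling:  %.0f Mbps" % ceiling_mbps(SURICATA_POST))
    print("Suricata cost:     %.1fx" % inspection_cost(PLAIN_POST, SURICATA_POST))
    print("fitted, 80%% limit: %.0f Mbps" % ceiling_mbps(PLAIN_CONSTRUCTED, 80.0))
```

Sizing against a CPU limit below 100% leaves headroom for traffic bursts and for Suricata rule sets that cost more per packet than the ones active during the measurement.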

