pfSense / Untangle throughput and enterprise suitability?

Argher

Hi there,

I was thinking of running a 1.6GHz dual-core machine, 2GB RAM, dual gigabit NICs without TCP offload (onboard sadly) with Untangle or pfSense for firewall duties. Obviously I like the additional functionality of Untangle, but am unsure of what they use for firewall purposes - iptables or what?

Anyway, I was wondering what thoughts are regarding performance of that combination, and suitability of Untangle or pfSense for an enterprise-level environment.

Thanks for any light you may shed ...
 
Define your enterprise: What type of products have you used in the past? How many users, locations, etc? What is the corporate opinion of open source software? The open source products are pretty good, but more than just price should go into your decision.
 
This is a theoretical enterprise... I suppose I'm more interested in what the gut reaction is to the usage of either on very stable hardware in an enterprise environment (you may take issue with onboard NICs being stable, but that's another kettle of fish). Do they seem respectable? I knew a security company which used CentOS installs with customized iptables in their top-end products, so I know that Linux firewalls in general can be accepted, but I haven't heard much about the use of either pfSense or Untangle specifically.

Users, let's say theoretically anywhere from 50-2000 spread around the world.
 
Untangle uses a combination of iptables and Linux Traffic Control, with a few other things and their own proprietary stuff.

You can see the detailed breakdown of each component in the rack of Untangle...
Click on each component in the green...
http://www.untangle.com/Product-Overview

Then click on the technical specs of each one over on the right side.
 
Yes, both pfSense and Untangle can be used and are stable, as long as you have the right hardware.
 
To continue (just got distracted by remote support call)......

The "stability" of your *nix router is based on the hardware that you use. I've had great success with Untangle...and many other distros....I feel because I tend to use more solid, standardized, business grade hardware.

I have Untangle at quite a few clients, I've put it on solid business grade desktop PCs and servers. HP Evo/Business Desktop models, or Dell Optiplexes. Good solid Intel chipsets, Intel network cards. No el cheapo Via or SiS systems. Or for bigger clients...full servers...runs rock stable on Dell R200s...including RAID.

Reboots? I've only had to reboot them when doing Untangle program version upgrades. Else..they run rock stable 24/7/365.

Untangle is designed more for the SMB range....quoted on the website for up to 500 users. But in their forums, they've had quite a few people set it up on beefy boxes for past 1000 users...there's one that even has it running well for a network of over 3,000.
 
I appreciate the thoughts put out thus far - great details, Stonecat. I thought I had looked in the tech specs, but perhaps I missed it :).

As far as throughput for either, do you have any idea what the maximum encrypted throughput would be that I would be looking at with a dual-core 1.6GHz, 2GB RAM machine with no NIC offloading?

That may be too specific a request, but general range would be appreciated. I can always build it and test, of course :).
 
I haven't seen specs other than, with earlier version 5.0x.....Untangle on a decent 2+ GHz machine could bang out approx 60 megs of throughput.

Benchmarking is time consuming, and the sheer near infinite combination of hardware out there for open source makes it impossible...esp with Linux being so performance varying on something like your choice of network card...different NICs can throw your numbers all over the chart.

You seem to be leaning towards heavy VPN use? That being the case....I'd probably want to separate my main firewall and VPN appliances....and run a dedicated VPN appliance, letting Untangle do the firewalling/protection of network/NAT.
 