On Tue, Jun 1, 2010 at 2:08 PM, Per Buer <[email protected]> wrote:
> Hi.
>
> We've installed pfSense 1.2.3 on a couple of Coyote Point 550i
> appliances and so far we're very happy. It has 2GB of memory and a
> Xeon 3000-something CPU. It's run to run some sort of FreeBSD so
> NanoBSD should be well supported.
>
> This week however, we started running some tests through the firewall.
> We're stress testing Varnish, an HTTP accelerator. The problem is that
> the pfSense box seems to be the weakest link in the chain.
>
> Quickly we saw the state table run full. When we increased the size of
> the table we ran out of CPU quite fast. Load (read using vmstat) jumps
> up to ~50.
>
> Is it probable that this is due to the overhead of state tracking?

When you hit the limit of your hardware, you'll run out of CPU. At what point that happens depends on the speed of the CPU, and what NICs you have. The ceiling for a given piece of hardware is packets per second rather than bandwidth, and large scale HTTP load testing can generate a lot of packets. The overhead is in the firewalling. At what throughput levels are you pegging the CPU?

One other consideration with any HTTP load testing with stateful firewalls is to be careful with your methodology. Generating large numbers of requests from a single source IP will lead to source port reuse which will be problematic with any stateful firewall (you'll start to see some connections failing) and generally isn't indicative of real-world usage patterns. I suspect given your business, you probably already know that.
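
The source port reuse effect described in the reply can be seen in a small model. This is an added example, not part of the original thread and not pf's code. The port range size (28232 ports), the 90-second state retention, round-robin port selection and the refresh-on-reuse behaviour are all assumptions chosen for illustration.

```python
from collections import deque

def simulate(rate_cps, duration_s, n_src_ips, n_ports=28232, linger_s=90):
    """Return (reused_while_tracked, peak_states) for a load test toward one dst IP:port.

    Model assumptions (not taken from pf): source ports are used round-robin,
    the firewall keeps each state for linger_s after the connection's SYN, and
    a SYN that matches a still-tracked tuple refreshes that state.
    """
    linger_us = linger_s * 1_000_000
    expiry = {}          # (src_ip_index, src_port_index) -> expiry time in us
    queue = deque()      # (expiry_us, key) in creation order, for purging
    reused = peak = 0
    for i in range(rate_cps * duration_s):
        now = i * 1_000_000 // rate_cps
        # Purge states whose timer has run out.
        while queue and queue[0][0] <= now:
            exp, key = queue.popleft()
            if expiry.get(key) == exp:   # skip entries superseded by a refresh
                del expiry[key]
        key = (i % n_src_ips, (i // n_src_ips) % n_ports)
        if key in expiry:
            reused += 1                  # same 4-tuple while old state is held
        expiry[key] = now + linger_us
        queue.append((now + linger_us, key))
        peak = max(peak, len(expiry))
    return reused, peak

if __name__ == "__main__":
    # Constructed scenario: 1000 new connections per second for two minutes.
    for ips in (1, 4):
        reused, peak = simulate(1000, 120, ips)
        print(f"{ips} source IP(s): {reused} reused tuples, peak {peak} states")
```

With one source IP the port range wraps before the old states expire, so every later connection lands on a tuple the firewall still tracks. Spreading the same rate over four source IPs removes the reuse but lets the state table grow to rate times retention.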
