Why would a hardware firewall need 1000Mb/s throughput?

Caporegime, Joined 26 Dec 2003, Posts 25,769
Hi all, I'm a networking noob so I've been building an x86 firewall to help me learn more about how it all works.

On the PFSense forum everybody says that for >500Mb/s throughput you should have Intel NICs (better apparently) and a >3 GHz processor in your firewall box.

My question is why would you need such a huge amount of bandwidth on your firewall with only say a 20Mb/s internet connection? Is this just for the corporate environments where they have hugely fast internet connections?

If I'm not mistaken then surely in a home environment all that you need is a switch on your LAN port, which will then bypass the firewall except for internet traffic? And even then wouldn't the hard drives in the computers be massive bottlenecks unless you're using the latest SSDs?

Thanks for helping clear this up.
 
Oh I see that's great info thanks.

Could you also clarify the usage of a switch for me please?

Say for example if I plug a 1000Mb/s switch into my LAN port then am I right in thinking that file transfers between any computers connected to the switch ignore the presence of the firewall? So the processing power/bandwidth of the firewall is irrelevant in that case?
 
Quite often you want to have separate networks with filters/firewalls between them, in which case an L2 switch isn't suitable (an L3 switch obviously would work); in this scenario you'd want good throughput between networks.

So apart from the processing required for the firewall duties it's mainly for if you want to separate multiple networks via the firewall, e.g. have 2+ LAN interfaces on the firewall each going to separate switches and sets of computers? Would transfers between computers on the same switch work at near maximum throughput if you had Intel NICs and 1000Mb/s hard drives for transferring? Or is the 1000Mb/s just a theoretical number not taking into account overhead?

*goes to read up on difference between L2/L3 switches*
 
Brilliant thanks guy I feel much clearer about it now.

I'm going to get a Netgear unmanaged (L2) switch then, now that I understand how it all works. :)

I've got 3 NICs on my firewall; my access point is on a separate NIC because it's supposed to be more secure that way (it's isolated from accessing anything on the LAN interface).

If you don't plan on getting too complex with what the firewall will be doing then you could be fine just using an Atom board, which is low speed but will most likely be better than most home routers by a long way, and with some decent firewall software on there can be quite powerful. If on the other hand you want your firewall to perform lots of other functions like dave-lew99 mentioned such as virus scanning, VPN endpoint etc... then that's when you may need to start looking at a more powerful system.

Yeah I have an AMD E-350 dual 1.6 GHz ITX and last 5 mins usage is generally around 0.05% so I'm obviously not struggling for CPU power yet. :p
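To make the L2-vs-L3 point from the thread concrete, here is an added example (not code from the thread or from pfSense) that models a 3-NIC firewall like the one described: traffic between two hosts on the same interface's subnet is switched locally and never touches the firewall, while traffic between subnets is forwarded only if the inter-interface policy allows it. The subnets, addresses and the WLAN-isolated-from-LAN policy are constructed assumptions.

```python
import ipaddress

# Constructed topology: each local firewall interface faces its own switch/segment.
# Anything outside these networks is reached via the default route on WAN.
LOCAL_INTERFACES = {
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),
    "WLAN": ipaddress.ip_network("192.168.2.0/24"),  # access point segment
}

# Inter-interface policy (assumed): which (source, destination) interface pairs the
# firewall forwards. The WLAN segment can reach the internet but not the LAN.
ALLOWED_PAIRS = {
    ("LAN", "WAN"),
    ("WLAN", "WAN"),
}


def interface_for(ip: str) -> str:
    """Name the firewall interface an address sits behind ('WAN' if not local)."""
    addr = ipaddress.ip_address(ip)
    for name, net in LOCAL_INTERFACES.items():
        if addr in net:
            return name
    return "WAN"


def classify_flow(src: str, dst: str) -> str:
    """Classify a flow initiated by src towards dst.

    'switched'  - same L2 segment; the switch carries it, the firewall's CPU and
                  NICs are never involved, so their throughput is irrelevant.
    'forwarded' - crosses interfaces and policy permits it; the firewall must
                  route and filter every packet, which is where throughput matters.
    'blocked'   - crosses interfaces but policy denies it.
    """
    src_if, dst_if = interface_for(src), interface_for(dst)
    if src_if == dst_if:
        return "switched"
    if (src_if, dst_if) in ALLOWED_PAIRS:
        return "forwarded"
    return "blocked"


if __name__ == "__main__":
    for s, d in [("192.168.1.10", "192.168.1.20"),   # LAN to LAN file copy
                 ("192.168.1.10", "198.51.100.5"),   # LAN to internet
                 ("192.168.2.5", "192.168.1.10"),    # WLAN to LAN (isolated)
                 ("192.168.2.5", "198.51.100.5")]:   # WLAN to internet
        print(f"{s} -> {d}: {classify_flow(s, d)}")
```

Only the 'forwarded' flows are bounded by the firewall's NICs and CPU; the LAN-to-LAN copy runs at whatever the switch and the hosts' disks can sustain.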
 