Why would a hardware firewall need 1000Mb/s throughput?

Hi all, I'm a networking noob so I've been building an x86 firewall to help me learn more about how it all works.

On the pfSense forum everybody says that for >500Mb/s throughput you should have Intel NICs (better, apparently) and a >3 GHz processor in your firewall box.

My question is: why would you need such a huge amount of bandwidth on your firewall with only, say, a 20Mb/s internet connection? Is this just for corporate environments where they have hugely fast internet connections?

If I'm not mistaken, then surely in a home environment all you need is a switch on your LAN port, which will then bypass the firewall for everything except internet traffic? And even then, wouldn't the hard drives in the computers be massive bottlenecks unless you're using the latest SSDs?

Thanks for helping clear this up.
 
I know little about firewalls, but my experience with WAN to LAN throughput is that even with a 100 Mb port on the WAN side, the processing overhead associated with transferring data from WAN to LAN is a bottleneck (such as a WRT54GL having trouble past 30 Mb/s, even with a 100 Mb WAN port). So the reason for using things like an Intel NIC is not so much for the gigabit capability but for the better processing speed in terms of how many packets per second, and if you have a complex firewall setup with lots of rules and filtering then you would need a good NIC and processor to cope with it, although I personally would have thought a 3 GHz processor is by far overkill, but as I said I don't have a great deal of experience.
 
Oh I see that's great info thanks.

Could you also clarify the usage of a switch for me please?

Say, for example, I plug a 1000Mb/s switch into my LAN port; am I right in thinking that file transfers between any computers connected to the switch ignore the presence of the firewall? So the processing power/bandwidth of the firewall is irrelevant in that case?
 
It depends how much processing you're doing on your firewall: they are intended to be pretty sophisticated intrusion detection/prevention systems as well as content filtering, virus scanning, proxy/cache and VPNs (to mention a few roles).

Quite often you want to have separate networks with filters/firewalls between them, in which case an L2 switch isn't suitable (an L3 switch obviously would work); in this scenario you'd want good throughput between networks.
 
Quite often you want to have separate networks with filters/firewalls between them, in which case an L2 switch isn't suitable (an L3 switch obviously would work); in this scenario you'd want good throughput between networks.

So apart from the processing required for the firewall duties, it's mainly for if you want to separate multiple networks via the firewall, e.g. have 2+ LAN interfaces on the firewall, each going to a separate switch and set of computers? Would transfers between computers on the same switch work at near maximum throughput if you had Intel NICs and 1000Mb/s hard drives for transferring? Or is the 1000Mb/s just a theoretical number not taking into account overhead?

*goes to read up on difference between L2/L3 switches*
 
The way a switch works (and for the moment let's focus on Layer 2 switches) is that it builds up a table of what devices are on what port, and when a packet goes into it all it does is look at the destination and compare that with its table to send it out on the correct port. Because of this, switches (ignoring the more complicated stuff) can operate very fast with very simple circuitry designed for that simple task. So if you get a gigabit switch attached to gigabit devices then yes, you should get gigabit speeds.

In a home environment this is all you need to think about; Layer 3 or managed switches simply aren't really needed. If all you want to do is build a firewall to learn in your home then all you would do is have 2 ports on the firewall, 1 attached to your router (or directly to the modem if you want to use your firewall as a router, which is perfectly viable) and 1 port attached to a gigabit switch. Internal communication between LAN devices will work using the switch, and the only time data will traverse the firewall is when it is going to/from the internet.

If you don't plan on getting too complex with what the firewall will be doing then you could be fine just using an Atom board, which is low speed but will most likely be better than most home routers by a long way, and with some decent firewall software on there can be quite powerful. If on the other hand you want your firewall to perform lots of other functions like dave-lew99 mentioned, such as virus scanning, VPN endpoint etc., then that's when you may need to start looking at a more powerful system.
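An added example (not from the thread) to make the two points above concrete: a tiny Python model of the learning Layer 2 switch described in this post, with constructed MAC addresses and port numbers, showing that a PC-to-PC file copy is forwarded only to the destination's port while only frames addressed to the firewall's LAN NIC (the default gateway) ever reach it.

```python
# Added example, not the thread's own code. MACs are from the documentation
# range (00:00:5e:00:53:xx) and port numbers are constructed for the example.
from collections import defaultdict


class LearningSwitch:
    """Unmanaged L2 switch: learns source MAC -> ingress port, forwards by
    destination MAC, and floods to all other ports when the destination is unknown."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}                # MAC address -> port it was last seen on
        self.delivered = defaultdict(int)  # port -> number of frames handed to it

    def receive(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port  # learning step
        if dst_mac in self.mac_table:      # known destination: exactly one port
            out_ports = [self.mac_table[dst_mac]]
        else:                              # unknown destination: flood
            out_ports = [p for p in self.ports if p != in_port]
        for p in out_ports:
            self.delivered[p] += 1
        return out_ports


PC_A = "00:00:5e:00:53:01"
PC_B = "00:00:5e:00:53:02"
FIREWALL_LAN = "00:00:5e:00:53:fe"  # firewall's LAN-side NIC, i.e. the gateway
PORT_A, PORT_B, PORT_FW = 1, 2, 3


def simulate_home_lan():
    """Return (frames of a LAN file copy that hit the firewall port,
    frames of internet-bound traffic that hit the firewall port)."""
    sw = LearningSwitch([PORT_A, PORT_B, PORT_FW])
    # Warm-up: first frames are flooded until every MAC has been learned.
    sw.receive(PORT_A, PC_A, FIREWALL_LAN)   # gateway unknown -> flooded to 2 and 3
    sw.receive(PORT_FW, FIREWALL_LAN, PC_A)  # reply; gateway now learned on port 3
    sw.receive(PORT_B, PC_B, PC_A)           # PC B learned on port 2
    fw_before = sw.delivered[PORT_FW]
    for _ in range(1000):                    # PC A -> PC B file copy
        sw.receive(PORT_A, PC_A, PC_B)
    lan_copy_hits = sw.delivered[PORT_FW] - fw_before
    for _ in range(10):                      # PC B -> internet, via the gateway MAC
        sw.receive(PORT_B, PC_B, FIREWALL_LAN)
    return lan_copy_hits, sw.delivered[PORT_FW] - fw_before


if __name__ == "__main__":
    print(simulate_home_lan())  # (0, 10)
```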
 
Brilliant, thanks guys, I feel much clearer about it now.

I'm going to get a Netgear unmanaged (L2) switch then, now that I understand how it all works. :)

I've got 3 NICs on my firewall; my access point is on a separate NIC because it's supposed to be more secure that way (it's isolated from accessing anything on the LAN interface).

If you don't plan on getting too complex with what the firewall will be doing then you could be fine just using an Atom board, which is low speed but will most likely be better than most home routers by a long way, and with some decent firewall software on there can be quite powerful. If on the other hand you want your firewall to perform lots of other functions like dave-lew99 mentioned, such as virus scanning, VPN endpoint etc., then that's when you may need to start looking at a more powerful system.

Yeah, I have an AMD E-350 dual 1.6 GHz ITX and the last-5-minute usage is generally around 0.05%, so I'm obviously not struggling for CPU power yet. :p
 