Firewall Hardware Sizing Guide

Before Starting

The following hardware sizing guide was written initially and primarily for the pfSense® and OPNsense® operating systems.
If you are interested in understanding the differences, you will find a technical comparative pfSense® VS OPNsense® at this link.
However, these concepts can also be extended to Zeroshell, ipCop, ipFire.

Useful tools: quick sizing of the equipment

Below we will elaborate on some technical concepts to explain and motivate our conclusions in the DInstant dimensioning table.
If the navigator does not want to read the whole technical part can immediately jump to: Instant dimensioning.

Here you can find the link to the NEW HARDWARE CONFIGURATOR of our equipment: with a few clicks you will be able to understand which equipment to buy.

Equipment hardware configurator.
N.B. Under “Select product category”: select “Firewall”.


To dimension a hardware firewall based on pfSense®/OPNsense® from 2.4.X/18.X onwards it is necessary to keep in mind 3 main factors:

    1. Throughput required
    2. Features or additional pfSense®/OPNsense® packages used
    3. Number and type of NIC (Network Interface Card) required

These 3 factors mainly affect RAM, CPU, mass storage and obviously NIC. In the part below we will provide our experience in hardware sizing.

Please also note that pfSense® version 2.4 DOES NOT SUPPORT CF systems anymore (in particular it no longer supports i386 images), which OPNsense® continues to do.

1. Considerations on the required Throughput

By definition we mean through the throughput of a communication channel its transmission capacity actually used.
The throughput is not to be confused with the ability of the link. Both the capacity and the throughput are expressed in bit/s, but while the first expresses the maximum transmission frequency at which data can travel, the throughput is an index of the actual use of the link capacity. Throughput is the amount of data transmitted in a unit of time and depends solely on how much information is fed into the transmission channel.
Before considering troughput considerations, it must be considered that both pfSense® and OPNsense® can operate either as a firewall or as a router, or both. It will therefore be necessary to consider the overall throughput of the system we want to achieve for the choice of the apparatus.
For example, if we need to build a firewall, we can consider the sum of WAN throughput as throughput.
On the other hand, if we have to create a router that links networks together, we must add the throughput of all the interfaces, both WAN and LAN.
It is important to determine the throughput of a network before installing a pfSense® / OPNsense® firewall / router as it determines the type of CPU to be used and in some cases the type of NIC.
If less than 10 Mbps is required then the minimum hardware requirements can be used. For higher throughput we strongly recommend following the sizing suggested in the table below, based on tests actually performed in the field. The table below is designed to avoid reaching the maximum level of hardware load, so as not to incur problems.
For example, if I have to make a Router or Firewall with 10 Gbit ports, I will not be able to use a less powerful CPU than an XEON Quad Core. In fact, when the NIC reaches the 10 Gbit of traffic the Core of the appliance goes to 100% and the machine goes into crisis.

For these uses we recommend A2-Server o A3-Server.

Minimum system requirements for pfSense® up to version 2.3.5:

CPUNot less than 300 MHz
Installation su Hard Disk1 GB
EmbeddedCompact Flash da 2 GB

Minimum system requirements for pfSense® version 2.4.X:

CPUNot less than 1 GHz
Installation on Hard Disk16 GB
EmbeddedCF not supported

PfSense®/OPNsense® sizing based on Throughput

Requisiti hardware consigliatiProdotto consigliatoRumorosità
1-20 MbpsNot less than 1000 MHz CPU Single CoreFIREWALL ENTRY LEVEL
APU1 Entry Level
APU2 Entry Level
10-100 MbpsNot less than 2.4 GHz CPU Quad CoreFIREWALL CORPORATE
Compact Small UTM
Almost nothing (*)
450 – 1000 MbpsNot less than 3,5 GHz Quad CoreFIREWALL DATACENTER
Medium (*)
Up to 10 GbpsNot less than 3,5 GHz Xeon Quad/Octa CoreFIREWALL DATACENTER
Medium (*)

PfSense® / OPNsense® sizing based on the Cluster version Throughput

Requisiti hardware consigliatiProdotto consigliatoRumorosità
1-20 MbpsNot less than 1000 MHz CPU Single CoreFIREWALL ENTRY LEVEL
Nano Cluster APU2
10-100 MbpsNot less than 2.4 GHz CPU Quad CoreFIREWALL CORPORATE
Small Cluster
Power Cluster
Low (*)
450 – 1000 MbpsNot less than 3,5 GHz Quad/Octa CoreA2-Server Cluster
A3-Server Cluster
Medium (*)
Up to 10 GbpsNot less than 3,5 GHz Xeon Quad/Octa CoreA2-Server Cluster
A3-Server Cluster
Medium (*)

(*) The Power Cluster and APUTM models with Intel I7 CPU have a Medium noise level only if they are subjected to strong and continuous workloads.

2. Features or additional pfSense®/OPNsense® packages used

Many features of pfSense®/OPNsense® greatly influence hardware sizing.

VPN: the heavy use of the VPN service greatly increases the CPU requirements. Encryption and decryption of packets increases the load on the CPU. The number of connections is a less troubling factor than throughput.

  • 266 MHz CPU supports approximately 4 Mbps of IPsec traffic
  • 500 MHz CPU supports about 10-15 Mbps of IPsec traffic
  • New-generation I7 or I3 CPUs support almost up to 200 Mbps of IPsec traffic
  • New generation XEON CPU for loads over 400 Mbps

Squid – Squidguard – outbound proxy traffic control: both packages use a lot of CPU and disk writes. Therefore, it is strongly discouraged to use the Entry level, Entry level APU1 and Entry Level APU2.
For this type of work it is strongly recommended to use COMPACT SMALL UTM, A2SUTM, A1-Server, A2-Server, A3-Server or APUTM with SSD or Classic disks.
However, it is also possible to use optimized with only the squid package on Entry level APU1 and Entry Level APU2 provided that you use the writing on the disk support sparingly and in any case to the detriment of performance.

pfBlockerNg: pfBlockerNG is a package for pfSense® that allows you to extend firewall functionality beyond the traditional L2 / L3 / L4 firewall. pfBlockerNG allows you to configure the firewall to allow / deny traffic based on items such as geo location of an IP address, domain name (for example to block Facebook and similar) or Alexa ratings of certain websites.

This package requires an increase in CPU and RAM from 15% to 25%.
To learn more about this package, you can consult the guide we have created and published in our guide area.

Captive Portal: Environments with hundreds of connections require a lot of CPU. With reference to the throughput table it will be necessary to increase users by 15-20% to get the recommended platform.

Large state tables: Each entry in the status table requires 1 KB. The state table, when full, has 10,000 entries, so approximately 10 MB of RAM. For larger state tables, with hundreds of thousands of connections, it will be necessary to properly size the RAM.

Packages: many packages significantly increase the amount of RAM used. For example, snort and ntop should not be installed on hardware platforms with less than 512 MB of RAM and at least 32 GB of disk.

PfSense®/OPNsense® version to be installed

The difference between the two types of installations that can be performed with pfSense®/OPNsense® on the various devices should be emphasized.

  • The Embedded solution (firewall Entry Level) does NOT allow the writing of log files on the memory (C.F. or DOM) and in any case it is strongly discouraged to do so. Some of the additional pfSense®/OPNsense® packages can not be installed on this version.
  • The solution that is installed on hard disk (normally on Appliance solutions UTM or higher) has the ability to save the logs inside. On this version it is possible to install all the additional packages supplied for pfSense®/OPNsense®.

3. Deepening on the chipsets of the network cards

Choosing a network card is essential for anyone planning a medium/large system.
As you can see from the product descriptions, we always specify very well if the devices integrate Intel or Realtek chipsets inside.

Almost all of our devices have been equipped with Intel chipsets since about mid-2016.
The Realtek chipset is less efficient than the Intel chipset and is suitable primarily for less intense workloads. However, for a company that does not require high throughput (like 85% of Italian companies) it is still the ideal choice.
The Intel chipset instead offers more performance in the event of heavy traffic: it offers several advanced features such as queue management and the version of pfSense®</sup 2.2 onwards also improved support to multi-core. This translates into higher throughput and lower CPU load.
To be precise, full support for multicore has been introduced on FreeBSD, ie from the S.O. father of pfSense®</sup and OPNsense®</sup, so the same speech made for pfSense®</sup holds true and will also be valid for OPNsense®</sup in the future.
If you are still using pfSense® 2.1.x, we have published an in-depth study on optimizing Intel NICs by tuning the driver and settings. However, we specify that until today our appliances do not need such optimization. We insert it anyway for completeness.

The current versions of pfSense®</sup/OPNsense®</sup do not seem to need to be modified.
If you think that your appliances have performance problems deriving from NICs, you can use this guide to diagnose the problem.

4. Sizing according to the noise level of the equipment

To provide the right product, you need to think about where the firewall will be located.
If the equipment will be placed in the vicinity of people who work, you will need to choose a machine with a low noise level or you will need to purchase a special silent kit!

Lately, due to the new technology at 25 nanometers of Intel, the power absorbed have decreased a lot and consequently also the dissipated heat has decreased.

From the design point of view, we preferred to keep the fan in the high-end models (typically used in datacenter or CED). This is because, if the board or the CPU detects high temperatures, the fan will bring the temperature to acceptable levels within a few seconds.

Below is a table with indicative data on the noise level of the equipment:

Band ApparatusNoise level
Entry Level / APU1 Entry Level / APU2 Entry Level / COMPACT / NanoCluster / A2SUTM / Small ClusterLevel 0 (completamente fan less)
A1-ServerLevel 1 (rumore quasi impercettibile)
A2-Server / A3-Server
Power Cluster / APUTM
Level 4 (rumore udibile from 4/5 meters)

Notes on noise::
a device that dissipates heat well, will certainly last longer and will be more stable and reliable!
That’s why our high-end devices are designed in such a way that the airflow “invests” the internal components by cooling them.

5. RAID function

One of the functions most appreciated by pfSense®/OPNsense® in terms of hardware reliability is the Raid functionality directly implemented by the FreeBSD operating system.
This function guarantees a higher level of reliability of the application as in the event of a disk failure the application will continue to function as if nothing had happened.
This function is supported by: A2SUTM, A1-Server, APUTM, A2-Server, A3-Server and in all the Cluster versions of our devices except the NanoCluster.
For those wishing to deepen the subject, we published a guide that explains how it works and how to intervene on the equipment in case of failure. You can find it under the guide menu.

6. When should I use a Cluster system?

A Cluster system is a solution composed of a system having two completely independent hardware devices. There are 3 versions of Cluster solutions, one for small offices and the other for heavy traffic and / or medium/large structures.

  • NANOCluster: compact 1U solution, designed for small offices
  • Small Cluster: 2U solution for SMEs and / or small Datacenters that do not want to give up high reliability
  • Power Cluster: 2U solution for companies and organizations that need high reliability
  • A2-Server Cluster and A3-Server Cluster: 2U Datacenter-level solution that provides high reliability

The Small Cluster and the Power Cluster are 2U devices, consisting of 2 independent drawers, while the NanoCluster is composed of two Entry Level devices.
Using pfSense® or OPNsense® you can get a real passive active Cluster configured to obtain high reliability between the 2 devices that become in effect the cluster nodes.
The others S.O. they do not have (hopefully for now) a function like the CARP of pfSense® / OPNsense® but they can still be configured in such a way that the user can manually switch off one of the two systems and turn on the other. We can therefore say that it is a Cluster system that in the case of pfSense® and OPNsense® is automatic and in the case of other S.O. it’s manual. This system should be used in environments where high reliability is mandatory.

7. Instant sizing

Based on our experiences we have compiled a classification of the installations we have followed over the years. This classification is not only the result of the experience made during the installation of the firewall, but also of the technological evolution that the user requires to the device during the years of use.

The results are linked, for example, to the technological evolution that every company / entity undergoes or requires over the years for different needs. For example, small businesses initially require the installation of a simple firewall. Normally it does not take much time to submit requests such as VPN, content filtering or navigation rules.

For this reason, based on the number of “active devices” (ie devices connected to the Internet) we have elaborated the following table which also takes into account the above concepts:

Firewall modelN.of active devices
Entry Level o NanoClusterfrom 1 a 5 users
Entry level APU1 o Entry Level APU2 o NanoClusterfrom 1 a 10 users
COMPACT o A2SUTM o Small Clusterfrom 8 a 35 users
A2SUTM o A1-Server o Small Clusterfrom 20 a 60 users
A1-Server o Power Clusterfrom 50 a 350 users
A2-Server o APUTM o Power Clusterfrom 100 a 2000 users
A3-Server o APUTM o Power Clusterfrom 100 a 3500/5000 users
A3-Serverfrom 500 a 10.000 users

8. Analisi performance apparati

ALIX86,60 Mbps87,10 Mbps0,123 ms86,57 Mbps88,40 Mbps0,122 ms
APU474,00 Mbps735,00 Mbps0,028 ms474,00 Mbps535,00 Mbps0,037 ms
CASUTM595,00 Mbps653,00 Mbps0,033 ms595,00 Mbps535,00 Mbps0,037 ms
AUTM5754,50 Mbps735,00 Mbps0,024 ms551,20 Mbps560,00 Mbps0,035 ms
Power Microcluster939,00 Mbps784,00 Mbps0,029 ms942,00 Mbps784,00 Mbps0,025 ms
APUTM939,00 Mbps784,00 Mbps0,029 ms942,00 Mbps784,00 Mbps0,025 ms
ALIX13,43 Mbps18,00 Mbps0,052 ms12,30 Mbps16,00 Mbps0,048 ms14,67 Mbps20,00 Mbps0,095 ms
APU68,20 Mbps60,00 Mbps0,055 ms58,63 Mbps55,00 Mbps0,073 ms79,33 Mbps68,40 Mbps0,057 ms
CASUTM62,77 Mbps75,50 Mbps0,038 ms56,10 Mbps65,30 Mbps0,064 ms71,93 Mbps87,10 Mbps0,040 ms
AUTM580,20 Mbps94,10 Mbps0,026 ms69,40 Mbps80,25 Mbps0,042 ms97,10 Mbps114,80 Mbps0,040 ms
135,24 Mbps121,74 Mbps0,024 ms116,16 Mbps106,88 Mbps0,031 ms153,79 Mbps138,41 Mbps0,029 ms
APUTM135,24 Mbps121,74 Mbps0,024 ms116,16 Mbps106,88 Mbps0,031 ms153,79 Mbps138,41 Mbps0,029 ms
ALIX15,27 Mbps16,00 Mbps0,105 ms13,73 Mbps14,00 Mbps0,116 ms14,10 Mbps15,00 Mbps0,106 ms8,62 Mbps9,00 Mbps0,089 ms
APU49,00 Mbps70,00 Mbps0,061 Mbps45,60 Mbps54,20 Mbps0,028 ms44,60 Mbps58,20 Mbps0,083 ms26,53 Mbps32,00 Mbps0,051 ms
CASUTM60,13 Mbps67,20 Mbps0,042 ms56,03 Mbps63,20 Mbps0,049 ms56,87 Mbps66,10 Mbps0,057 ms34,43 Mbps37,10 Mbps0,042 ms
AUTM574,22 Mbps80,40 Mbps0,079 ms68,60 Mbps73,50 Mbps0,064 ms69,70 Mbps71,30 Mbps0,074 ms37,80 Mbps40,00 Mbps0,023 ms
109,54 Mbps106,77 Mbps0,039 ms103,72 Mbps96,06 Mbps0,035 ms105,99 Mbps95,01 Mbps0,039 ms62,82 Mbps54,86 Mbps0,024 ms
APUTM109,54 Mbps106,77 Mbps0,039 ms103,72 Mbps96,06 Mbps0,035 ms105,99 Mbps95,01 Mbps0,039 ms62,82 Mbps54,86 Mbps0,024 ms
ALIX15,27 Mbps16,00 Mbps0,105 ms13,73 Mbps14,00 Mbps0,116 ms8,62 Mbps9,00 Mbps0,089 ms
ALIX + Card (*)
48,33 Mbps39,10 Mbps0,061 ms48,07 Mbps39,10 Mbps0,078 ms48,57 Mbps39,10 Mbps0,049 ms
Gain [%]

(*) These measurements were made using the compression hardware module.

  ti posso interessare anche