How can the processing capacity of a pfSense firewall be estimated?


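I installed pfSense on a Soligate box that I bought on the marketplace.

Of the six 10/100/1000 ports on the front, I assigned port 5 (the sixth) as WAN,
and there is a 4-port 10/100/1000 card in the expansion slot (planning to replace the 10/100).

I want to find out how much traffic Soligate + pfSense can handle. How should I go about it?

I plan to connect port 5 to the switch,
front ports 0-4 to the service servers,
and the rear ports to the internal servers.
- to be continued -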
김서방 2013-10
The documentation says pfSense has monitoring tools.
Reporting and Monitoring
RRD Graphs
The RRD graphs in pfSense maintain historical information on the following.

CPU utilization
Total throughput
Firewall states
Individual throughput for all interfaces
Packets per second rates for all interfaces
WAN interface gateway(s) ping response times
Traffic shaper queues on systems with traffic shaping enabled

If you have a single device, just monitor it on the system itself; if you have several devices,
you can use SNMP to monitor all of them.
     
회원K 2013-10
Is there no way to estimate the capacity, that is, how much traffic it can handle?
When installing pfSense on an ordinary server, I think there needs to be a way to check how much capacity it has,
but I can't find one.
          
김서방 2013-10
The easiest way I can think of is to use iperf and catch the point at which packet loss starts; that should get you roughly the right figure. If you have plenty of clients and servers that can exchange packets, how about testing with a setup like this?
Connect them as many PCs---firewall---many servers, run iperf servers on the servers and iperf clients on the PCs.
Since every packet has to pass through the firewall anyway, you should be able to find the point where packet loss occurs. If you check the firewall's RRD graph at that point, you should get an approximate limit.
I don't know what the firewall's specs are, but
if it has gigabit controllers and enough memory, I would expect it to hold up to 700~800Mbps.
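
The iperf ramp test suggested in the reply above, worked through as an added example (not part of the original thread): it sums the UDP server reports of all streams at each offered load and returns the last step before packet loss passes a limit. The report layout is that of iperf 2, the sample lines are constructed, and the 0.1% limit and the names `parse_report`, `summarize` and `SAMPLE_STEPS` are assumptions.

```python
import re

# iperf 2 UDP server report layout (assumed), e.g.
# "[  3]  0.0-30.0 sec  1.05 GBytes   300 Mbits/sec   0.035 ms  300/765306 (0.039%)"
REPORT = re.compile(
    r"([\d.]+)\s+([KMG])bits/sec\s+[\d.]+\s+ms\s+(\d+)/\s*(\d+)\s+\(")
TO_MBPS = {"K": 0.001, "M": 1.0, "G": 1000.0}

def parse_report(line):
    """Return (delivered_mbps, lost, total) from one server report line."""
    m = REPORT.search(line)
    if m is None:
        raise ValueError("not an iperf UDP report line: %r" % line)
    rate, unit, lost, total = m.groups()
    return float(rate) * TO_MBPS[unit], int(lost), int(total)

def summarize(steps, max_loss_pct=0.1):
    """steps maps offered aggregate Mbit/s -> one report line per stream.
    Returns (rows, ceiling): rows are (offered, delivered, loss %), ceiling
    is the last offered rate before loss first exceeds max_loss_pct."""
    rows, ceiling, lossy = [], None, False
    for offered in sorted(steps):
        parsed = [parse_report(line) for line in steps[offered]]
        delivered = sum(p[0] for p in parsed)
        lost = sum(p[1] for p in parsed)
        total = sum(p[2] for p in parsed)
        loss_pct = 100.0 * lost / total if total else 0.0
        rows.append((offered, round(delivered, 1), round(loss_pct, 3)))
        lossy = lossy or loss_pct > max_loss_pct
        if not lossy:
            ceiling = offered
    return rows, ceiling

# Constructed sample: two client/server pairs through the firewall, 30 s per
# step, offered load raised per step (iperf -c <server> -u -b <rate> -t 30).
SAMPLE_STEPS = {
    200: ["[  3]  0.0-30.0 sec   358 MBytes   100 Mbits/sec   0.021 ms    0/255103 (0%)",
          "[  3]  0.0-30.0 sec   358 MBytes   100 Mbits/sec   0.019 ms    0/255103 (0%)"],
    400: ["[  3]  0.0-30.0 sec   715 MBytes   200 Mbits/sec   0.024 ms    0/510204 (0%)",
          "[  3]  0.0-30.0 sec   715 MBytes   200 Mbits/sec   0.027 ms   51/510204 (0.01%)"],
    600: ["[  3]  0.0-30.0 sec  1.05 GBytes   300 Mbits/sec   0.035 ms  300/765306 (0.039%)",
          "[  3]  0.0-30.0 sec  1.05 GBytes   300 Mbits/sec   0.041 ms  412/765306 (0.054%)"],
    800: ["[  3]  0.0-30.0 sec  1.31 GBytes   376 Mbits/sec   0.412 ms 61224/1020408 (6%)",
          "[  3]  0.0-30.0 sec  1.32 GBytes   377 Mbits/sec   0.398 ms 58100/1020408 (5.7%)"],
}

if __name__ == "__main__":
    for row in summarize(SAMPLE_STEPS)[0]:
        print("offered %d, delivered %.1f Mbit/s, loss %.3f%%" % row)
    print("ceiling:", summarize(SAMPLE_STEPS)[1])
```

Read the returned ceiling against the firewall's RRD throughput and state graphs for the same time window.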
               
회원K 2013-10
The memory is 2G of DDR2-6400U,
and the CPU has been upgraded, so I believe it is a good spec (I didn't write down the CPU label...)
Would this be enough to hold up to 700-800 mbps?

I would also like to know whether performance improves if I increase the RAM to 4G.
With servers I can estimate just from hearing the specs,
but I have never used a firewall... so I can't predict it.
                    
김서방 2013-10
I haven't used FreeBSD much, so it is hard for me to give an exact answer,
but taking Linux as an example, most Linux firewalls control packets with iptables.
When iptables runs it does connection tracking (conntrack) by default, and this is affected by
the system's memory. That is, the number of sessions it can handle reaches a limit, and when many connections occur at once
it can end up unable to process any more.
So it is best to have plenty of memory where possible.
By default, on systems with 1G or more, the ip_conntrack_max value is 65536.
Of course, that much holds up well even at sites with a fair number of connections, but because that value is tied to system memory
you can't raise it blindly. So you should check the connection-related values and then add enough memory that it doesn't run short.
According to the kernel documentation, system memory (bytes)/16384 gives the ip_conntrack_max value.
                         
회원K 2013-10
I have only ever used CentOS, so I don't know FreeBSD either.
Currently two 1G 6400U modules are installed, and since there are only two banks I would have to switch to 2G modules to get 4G.
But 2G 6400U modules are rare, so I don't think they will be easy to find.

With 2G it comes out to about 120,000.
On a web server pushing 50mbps, the Apache connections (as shown by apachectl status)
usually number around 10-30 open, so 500mbps or more should be fine...
Is my thinking right? ^^
회원K 2013-10
https://doc.pfsense.org/index.php/Hardware_requirements#Hardware_Sizing
High Throughput Environments

In environments where extremely high throughput through several interfaces is required, especially with gigabit interfaces, PCI bus speed must be taken into account. When using multiple interfaces in the same system, the bandwidth of the PCI bus can easily become a bottleneck. Most typical motherboards only have one or two PCI buses, and each can run an absolute maximum of 133 MBps, or 1064 Mbps. That's less than one gigabit interface can transfer. PCI-X can transfer up to 1056 MBps, or about 8.25 Gbps.

PCIe (PCI Express) offers significantly higher bandwidth than traditional PCI and PCI-X slots. PCIe 1.0 offers a bandwidth of 250MB/sec per lane, while PCIe 2.0 doubles that to 500MB/sec per lane, while PCIe 3.0 offers a staggering 985MB/sec per lane although as of winter 2013 there are no PCI 3.0 NICs on the market. Most single and multi-port NICs (both integrated and add-on PCIe cards) are connected via an x4 (four lane PCIe) offering plenty of bus headroom to saturate multiple gigabit links. Both single and dual port 10gbit adaptors are typically PCI-e x8.

If you need sustained gigabit throughput at wire speed, you will want a server-class motherboard with PCIe or PCI-X slots with matching PCIe/PCI-X NIC's. You'll also need a 2.8+ GHz CPU.
회원K 2013-10
http://www.firewallhardware.it/en/pfsense_selection_and_sizing.html
201-500 Mbps No less than 1.0 GHz CPU Dual Core

A 266 MHz CPU will max out at around 4 Mbps of IPsec throughput, a 500 MHz CPU can push 10-15 Mbps of IPsec, and relatively new server hardware (Xeon 800 FSB and newer) deployments are pushing over 100 Mbps with plenty of capacity to spare.

It looks like running pfSense on hardware of the Soligate's class would comfortably handle 500mbps or more.
회원K 2013-10
http://pfsensesetup.com/pfsense-hardware-requirements/

This is a somewhat tidier summary of the previous material...
Some real-world users say even an Atom handles 200mbps, so a Xeon-class CPU should comfortably handle 500mbps.
김서방 2013-10
With about 2G, I expect it can easily handle around 500Mbps.
FreeBSD also allows kernel optimization, so test first and then apply it.
iptables conntrack is also affected by how the firewall rules are set up.
Not doing conntrack for ports that are normally allowed is also one option.
     
회원K 2013-10
I replaced the disk, going from CF to a 250G SATA drive. Will that have no effect?
What about switching to an SSD for speed?
          
김서방 2013-10
Both FreeBSD's ipfw and Linux's iptables run in the kernel,
so disk speed means almost nothing.
The disk will be used at most for drawing graphs with rrdtool and for writing logs.
rrdtool is so lightweight that even changing the actual disk won't make a difference big enough to notice.
               
회원K 2013-10
Thank you. I did think that if a slow CF card is good enough, it wouldn't have much effect.
Digging through eBay, I see that an old Pentium 4 server can handle about 50mbps.
pfSense seems to perform better than I expected.
     
회원K 2013-10
The Netgear UTM50 can handle 40,000 sessions, and it is rated at 400mbps.
If about 60,000 conntrack entries are possible with 2G, wouldn't about 600mbps be possible?
I'm not sure whether 1 conntrack = 1 session is correct.

Users:    20-60
Throughput:    400mbps
Max. Sessions:    40,000
Lan Ports:    6
WAN Ports:    2
VPN Tunnels:    50

