Hardware

pfSense® software has the flexibility to be installed on a wide range of hardware, but it is currently supported only on the x86 architecture. The types of devices supported range from standard PCs to a variety of embedded devices, such as the ones you can find in the pfSense Store.

Determining the exact hardware sizing for your pfSense deployment can be difficult, because network environments differ dramatically. The following will provide some base guidelines on choosing what hardware is sufficient for your installation.

The pfSense Store

The pfSense Store allows you to get your hardware directly from the source behind the pfSense project! The hardware appliances in the pfSense Store have been rigorously tested in large and small networked environments. By purchasing from the pfSense Store, you are not only supporting the project, you are simplifying the process of selecting the right hardware for your needs. What's more, all hardware purchases from the store come bundled with one year of support for pfSense and the appliance.

Minimum Hardware Requirements

The following outlines the minimum hardware requirements for pfSense 2.x. Note that the minimum requirements are not suitable for all environments; see the Hardware Sizing Guidance section for more information. You may be able to get by with less than the minimum, but with less memory you may start swapping to disk, which will dramatically slow down your system.

General Requirements:

  • CPU - Pentium II processor
  • RAM - 256 MB

Requirements Specific to Individual Platforms:

Live CD
  • CD-ROM drive
  • USB flash drive or floppy drive to hold configuration file
Hard drive installation
  • CD-ROM for initial installation
  • 1 GB hard drive
Embedded
  • 512 MB Compact Flash card
  • Serial port for console

Hardware Sizing Guidance

When sizing hardware to put pfSense software on, two main factors need to be considered.

  • Throughput required
  • Features that will be used

Throughput Considerations

The following guidelines are based on our extensive testing and deployment experience. These guidelines are very conservative for most environments and offer a bit of breathing room because you never want to run your hardware to its full capacity.

Network Card Selection

We will address this first, because your selection of network cards (NICs) is the single most important performance factor in your setup. Cheap NICs will keep your CPU very busy with interrupt handling, causing your CPU to be the bottleneck in your configuration. A quality NIC can increase your maximum throughput as much as two to three fold, if not more.

Intel Pro/100 and Pro/1000 cards tend to be the best performing and most reliable with pfSense software. If you are purchasing NICs for your pfSense installation, we strongly recommend purchasing Intel cards. Cheap cards, like those containing Realtek chipsets, are very poor performers in comparison.

For low throughput environments, like any typical broadband connection of 6 Mbps or less, any NIC will suffice unless you are seriously lacking CPU. If you require fast throughput (more than 30-40 Mbps) between interfaces for multiple LAN networks, or between a DMZ and your LAN, then using quality NICs becomes much more important.

CPU Selection

The numbers stated in the following sections can be increased slightly for quality NICs, and decreased (possibly substantially) with low quality NICs. All of the following numbers also assume no packages are installed.

Remember that if you want to use your pfSense installation to protect your wireless network, or to separate multiple LAN segments, throughput between interfaces must be taken into account. In environments where extremely high throughput through several interfaces is required, especially with gigabit interfaces, PCI bus speed must be taken into account. When using multiple interfaces in the same system, the bandwidth of the PCI bus can easily become a bottleneck.

6-8 Mbps
With the typical residential or small office broadband connection of up to 6-8 Mbps you can get by with the minimum requirements.
10-20 Mbps
No less than 266 MHz CPU
21-50 Mbps
No less than 500 MHz CPU
51-200 Mbps
No less than 1.0 GHz CPU
201-500 Mbps
Server class hardware with PCI-X or PCI-e network adapters, or newer desktop hardware with PCI-e network adapters. No less than 2.0 GHz CPU.
501+ Mbps
Server class hardware with PCI-X or PCI-e network adapters. No less than 3.0 GHz CPU.

Feature Considerations

Most features do not factor into hardware sizing, although a few will have a significant impact on hardware utilization:

VPN - Heavy use of any of the VPN services included in the pfSense software will increase CPU requirements. Encrypting and decrypting traffic is CPU intensive. The number of connections is much less of a concern than the throughput required. A 266 MHz CPU will max out at around 4 Mbps of IPsec throughput, a 500 MHz CPU can push 10-15 Mbps of IPsec, and relatively new server hardware (Xeon 800 FSB and newer) deployments are pushing over 100 Mbps with plenty of capacity to spare. Supported encryption cards, such as several from Hifn, are capable of significantly reducing CPU requirements.

Captive Portal - While the primary concern is typically throughput, environments with hundreds of simultaneous captive portal users (of which there are many) will require slightly more CPU power than recommended above.

Large State Tables - State table entries require about 1 KB of RAM each. The default state table, when full at 10,000 entries, takes up a little less than 10 MB RAM. For large environments requiring state tables with hundreds of thousands of connections, ensure adequate RAM is available.

Packages - Some of the packages increase RAM requirements significantly. Snort and ntop are two that should not be installed on a system with less than 512 MB RAM.
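The state-table arithmetic from the "Large State Tables" item can be checked against a running firewall. The script below is an added example, not part of the original page or the pfSense project: it parses the text printed by `pfctl -si` and `pfctl -sm` and applies the page's figure of about 1 KB of RAM per state. The sample output, the function names and the 80% warning threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: estimate pf state-table RAM from `pfctl -si` / `pfctl -sm` text.
KB_PER_STATE=1   # the page's figure: about 1 KB of RAM per state entry

# Constructed sample output (not captured from a real firewall).
SAMPLE_INFO='Status: Enabled for 3 days 04:10:22           Debug: Urgent

State Table                          Total             Rate
  current entries                     8700
  searches                        91234567          332.1/s
  inserts                           412345            1.5/s
  removals                          403645            1.5/s'

SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# current_states: read `pfctl -si` text on stdin, print the current entry count.
current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3; found = 1; exit }
         END { if (!found) exit 1 }'
}

# state_limit: read `pfctl -sm` text on stdin, print the states hard limit.
state_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; found = 1; exit }
         END { if (!found) exit 1 }'
}

# state_report CURRENT LIMIT [WARN_PCT]: print "used% ram_now_MB ram_at_limit_MB status".
state_report() {
    _warn=${3:-80}   # assumed threshold; tune to the environment
    for _n in "$1" "$2"; do
        case "$_n" in ''|*[!0-9]*) echo "non-numeric input" >&2; return 2 ;; esac
    done
    [ "$2" -gt 0 ] || { echo "limit must be > 0" >&2; return 2; }
    _pct=$(( $1 * 100 / $2 ))
    _now=$(( ($1 * KB_PER_STATE + 1023) / 1024 ))    # MB, rounded up
    _full=$(( ($2 * KB_PER_STATE + 1023) / 1024 ))   # MB if the table fills
    if [ "$_pct" -ge "$_warn" ]; then _st=warn; else _st=ok; fi
    echo "$_pct $_now $_full $_st"
}

# On the firewall itself, feed `pfctl -si` and `pfctl -sm` instead of the samples.
cur=$(printf '%s\n' "$SAMPLE_INFO" | current_states)
lim=$(printf '%s\n' "$SAMPLE_LIMITS" | state_limit)
state_report "$cur" "$lim"
```

A `warn` result means the table is close to its hard limit, at which point pf cannot create new states; raise the limit only after confirming the RAM figure in the third column is available.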

Recommended Hardware Vendors

The following companies sell the hardware the developers use. This means purchasing from these vendors ensures the device is thoroughly tested, and if compatibility problems come up in future releases they will likely get fixed more quickly.

In addition to the benefits of well-tested hardware, it is important for our user community to support the companies that keep this project running. Several hardware resellers have made much-needed contributions of hardware and money to assist our development efforts, fund specific features, and cover the other expenses of running this project over the past 9 years.

Netgate - Seller of a wide variety of wireless equipment, ALIX boards and enclosures, the world's first pfSense Certified® system, and more.

Hacom - Seller of a variety of firewall hardware.

Tranquilnet - Provider of high quality and affordable IT Solutions.

www.OsNet.eu - French Reseller of ALIX boards and high end appliances, documentation and consulting services.

Hardware Compatibility List

pfSense 2.1 is based on FreeBSD 8.3, and its hardware compatibility list is the same as FreeBSD's. The pfSense kernel includes all FreeBSD drivers.

FreeBSD 8.3 Hardware Compatibility List

pfSense 2.0.x is based on FreeBSD 8.1, and its hardware compatibility list is the same as FreeBSD's. The pfSense kernel includes all FreeBSD drivers.

FreeBSD 8.1 Hardware Compatibility List