Has anyone DIYed a *BSD/Linux based firewall that can handle gigabit traffic, running reliably for years? There are quite some software solutions but is there a hardware baseline to achieve reliable gigabit firewalling?
Some one at Open source firewall or commercial firewall claimed
"take a look at a Juniper SRX. You're never going to get the same amount of performance with pfSense on a Dell."
He doesn't mean pfSense on a Dell can't even match the $480 SRX100, right?
He's probably referring to hardware vs. software.
View from above
Yes to a certain point all hardware firewalls are software but given the right hardware you can reprogram the hardware. That is usually quite an expensive operation but once the hardware is reprogrammed the firewall can operate at line speed.
Performance in Linux
We had a DDOS attack on one of our sites with a GBit uplink. Under normal circumstances we were perfectly able to deliver nearly at wire speed. The attack however was a simple SYN-Flood and we couldn't take it.
The reason was a "crappy" card with only a single receive queue. That meant the only a single core was used by Linux to get the packages from the card. This resulted in a single core running at 100% usage which was too slow to process all the packages. So the servers behind the firewall were all bored but the one single core was maxed out (Yes we had SYN-Flood protection on, but since there were just to many incoming packages to the card -- before Linux even knew about it -- we couldn't take it)
Once we upgraded the hardware (only the network card, not anything else in the server) to a network card with more receive queues we saw more cores getting used and that was enough for our case. Hardware was (IIRC) 16 Cores CPU wise, 8 queues on the network card. All of a sudden we had 8 times the performance and that was enough.
That being said:
There's nothing you can do against a sufficiently large DDOS attack -- we were just lucky that it wasn't larger and the new setup could take it.
I'd always go for a hardware firewall if it implies better cover-your-behind: Leaving the technical specs aside it's just a matter of risk management. Get any Cisco/Juniper/whatever hardware and a decent support contract and you'll have someone to call who has to fix the problem or pay for the losses in case it doesn't do what was promised. Of course you'll need to get the budget for such a thing, but at a certain point the money for the investement is likely to be a fraction of what the expected income is. Also having a support contract and someone else to blame is a nice cover-you-behind tactic :)
EDIT: Missing if in the last paragraph.
I'm going to offer a counter-point to Server Horror and expand on what migabi said. For small to medium range setups, I really like OpenBSD with the constantly evolving pf, CARP and friends. As far as I know, FreeBSD (and hence pfSense) are lagging behind in getting the latests pf and CARP updates over.
Granted, you have to be willing to do your own testing and find decent systems with decent network cards and be aware of the limitations of pf, but in my experience, all setups have their limitations. Enabling one particular inspection feature in a hardware appliance can some times cut throughput performance in half, or worse. And would you really deploy a commercial solution in production without considerable testing to verify the manufacturer's claims?
Many times you can get two decent boxes for failover, plus a third for testing for less than you'd have to pay for a commercial alternative.
And lastly I'm just really uncomfortable paying a sum of money for support when it doesn't obligate them to document properly, cover losses or fix bugs in their product. I'm feeling that particular pain right now, and pain without source code just isn't my thing.
You have kind of answered your own question here.
Yes it is possible to build a high bandwidth firewall that will give years up-time, and high through-put but you can't just use junk hardware, to get good you have top pay the bucks!
If you get a HP DL360 G6 (for example, a similar spec Dell or IBM would be fine) with dual PSUs, SAS drives (or use a USB stick plugged into the mainboard) and put it on a decent UPS system that config will sit up for years and easy clear Gig traffic (the on-board NICS support TOE if you want to licence that) but if you use a domestic mainboard with a realtek Nic and an i3 you got from the bottom drawer of your desk, you may have trouble.
Also be aware decent firewall device use FPGAs to do a lot of the sums, that is wire-speed logic, no software solution can ever approach that for efficiency, spinning up 2 x quad core Xeons for 3 years will have a cost in energy!!
The above config is cheap of the re-furb market, if you are hang an enterprise off this firewall you need a HP gen8 (or equiv) with a full on-site warranty and probably 2 of them clustered for failover...
Welp, TIL Juniper's Junos is based on FreeBSD and that's what goes on their routing equipment. That being said, you would probably save money and a little headache going with a juniper appliance, because if the hardware fails you can get support for it. However, there are companies that make appliances designed to run PFSense, all you would need to know is how much traffic roughly you plan on passing through it.
Software issues are debatable, PFSense for example has a wide usage even in enterprise environments, so their are forums chocked full of information, and you can always drop by Serverfault.com for PFSense help.
I have some running master/slave using 10 Gbit throttled to 2Gbit via softare going for 1 1/2 years now.
They are dual CPU 6 core Xeon with Intel NIC's. The Intel NIC's that we chose back then were important, but I forgot the exact reason why. I know it had something to do with the drivers and the way interrupts were being distributed among cores.
We also had the requirement to route a different interface type. Something you couldn't buy in a hardware firewall, so this was a very cost effective solution.
So yes it's very possible to do this. Use server hardware though.
