[Previous: Logging] [Contents] [Next: Issues with FTP]

PF: Performance

"How much bandwidth can PF handle?"
"How much computer do I need to handle my Internet connection?"

There are no easy answers to those questions. For some applications, a 486/66 with a pair of good ISA NICs could filter and NAT close to 5Mbps, but for other applications a much faster machine with much more efficient PCI NICs might end up being insufficient. The real question is not the number of bits per second but rather the number of packets per second and the complexity of the ruleset.

PF performance is determined by several variables:

Will multiple processors help?

PF will only use one processor, so multiple processors (or multiple cores) WILL NOT improve PF performance. HOWEVER, under some circumstances, running the SMP version of OpenBSD (bsd.mp) instead of bsd will give better performance due to differences in how interrupt handling is done. In many cases, bsd.mp will give less performance. IF you are seeing performance problems, experiment with this, most users will never hit any limits to worry about it.

Are there any benchmarks?

People often ask for PF benchmarks. The only benchmark that counts is your system performance in your environment. A benchmark that doesn't replicate your environment will not properly help you plan your firewall system. The best course of action is to benchmark PF for yourself under the same, or as close as possible to, network conditions that the actual firewall would experience running on the same hardware the firewall would use.

PF is used in some very large, high-traffic applications, and the developers are "power users" of PF. Odds are, it will do very well for you.

[Previous: Logging] [Contents] [Next: Issues with FTP]