2.5. Hardware Sizing

Determining the exact hardware sizing for your SmallWall deployment can be difficult, because network environments differ dramatically. The following provides some base guidelines for choosing hardware that is sufficient for your installation. Stated throughput numbers are very conservative for most environments, leaving some room for error and future expandability. However, heavy VPN use can cause significant load in some cases.

2.5.1. Embedded Devices

The following can be used as a rough guide to determining which embedded platform, if any, is suitable for your environment.

Soekris 48xx

The Soekris 48xx line is sufficient for most Internet connections less than 30 Mbps. If IPsec VPNs will be used, a 48xx is sufficient up to around 15 Mbps.

One thing to keep in mind is the maximum throughput between interfaces, if you plan on utilizing a DMZ segment or second LAN segment. A 48xx maxes out at around 40 Mbps. If you need more than 40 Mbps of throughput between your internal networks, you will need to go with a faster platform.

ALIX

ALIX boards are sufficient for most Internet connections less than 60 Mbps. If IPsec VPNs will be used, a WRAP is sufficient up to around 30 Mbps.

One thing to keep in mind is the maximum throughput between interfaces, if you plan on utilizing a DMZ segment or second LAN segment. An ALIX maxes out at around 80 Mbps. If you need more than 80 Mbps of throughput between your internal networks, you will need to go with a faster platform.

2.5.2. Network Cards

Your selection of network cards (NICs) is the single most important performance factor in your setup. Cheap NICs will keep your CPU very busy with interrupt handling, causing your CPU to be the bottleneck in your configuration. A quality NIC can increase your maximum throughput as much as two to three fold, if not more.

FreeBSD refers to network cards by their driver name followed by the interface number. For example, if you have two Intel Pro/100 cards (fxp driver) and one 3Com 3C905 card (xl driver), you will have interfaces fxp0, fxp1, and xl0 respectively.

Intel Pro/100 and Pro/1000 cards tend to be the best performing and most reliable on SmallWall. Cheap cards like those containing Realtek chipsets (FreeBSD rl driver) are very poor performers in comparison. If you are purchasing NICs for your SmallWall installation, we strongly recommend purchasing Intel cards. You can find them on eBay for less than $30 USD for 3-5 cards in a bulk lot. If you are looking at Atom motherboards, those with Intel chips are significantly better than the rt chips at the lower end.

For low throughput environments, like a low end broadband connection of 6 Mbps or less, any NIC will suffice. If you require fast throughput (more than 30-40 Mbps) between interfaces for multiple LAN networks, or between a DMZ and your LAN, then using quality NICs on a high speed bus (PCI-e) becomes much more important. With good Intel PCI-e gigabit NICs on a solid computer, sustained transfers of 900 Mbps are possible.

2.5.3. Processor

Your CPU can be the bottleneck in your system. IPsec can load the system, and network throughput with cheap NICs will max out your CPU long before quality NICs will, so the most important factor in CPU sizing is the quality of your NICs.

If you are using good quality NICs like Intel cards, as a general measure, a Pentium will suffice up to 30-40 Mbps, a Pentium III will do 100 Mb at wire speed, and for gigabit wire speeds you will need a 2.8+ GHz Pentium 4, or a newer Atom CPU.

2.5.4. RAM

The stock SmallWall images will not use more than 512 MB RAM under most circumstances. You can install as much memory as you like, but even with all features enabled and heavy loads, you will not exhaust 1 gig.

2.5.5. Storage Medium

SmallWall will work fine on any hard drive or compact flash card at least 16 MB in size. At boot, SmallWall is loaded into RAM and runs from RAM, so the speed and type of storage medium used is not a factor in system performance.

Storage is accessed only at boot, when the configuration is being changed, and during firmware updates. At all other times, the hard drive can be set to "sleep" and it may not spin up for months at a time.

Slower storage media like compact flash will take slightly longer to boot than hard drives will, but boot time is the only performance factor in selecting your storage medium. Flash storage (CF Card, USB stick, or DOM) is suggested for maximum reliability since it is much less likely to fail than a hard drive.

2.5.6. High Throughput Environments

In environments where extremely high throughput through several interfaces is required, especially with gigabit interfaces, PCI bus speed must be taken into account. When using multiple interfaces in the same system, the bandwidth of the PCI bus can easily become a bottleneck. Most typical motherboards only have one or two PCI buses, and each can run an absolute maximum of 133 MBps, or 1064 Mbps. That's less than one gigabit interface can transfer. PCI-X and PCI-e can transfer up to 1056 MBps, or about 8.25 Gbps.

If you need sustained gigabit throughput at wire speed, you will want a solid motherboard with PCI-e slots and PCI-e NICs (or a board with embedded Intel NICs on a PCI-e bus).