From, an OpenBSD-based firewall
Revision as of 14:06, 17 June 2016 by Fredrik (talk | contribs) (Halon appliances)

Most firewalls and routers are in fact CPU-based, even those marketed as "hardware appliances". Our security router software is compiled for 32/64-bit Intel-compatible (i386/amd64) computers and servers, and offers a very good price/performance ratio for systems handling traffic volumes in the range of 10 Mbps to 10 Gbps. The benchmarks below were performed using two low-end computers running Linux with iperf[1] or OpenBSD with tcpbench[2] (with standard configuration and without extra command-line options), so that you know the minimum performance you should expect.

Halon appliances

We offer a few hardware appliances. Their port configuration, licenses and recommended prices are listed on the pricing page.

| HSR | 803 | 1200 | 2200 | 3000 |
|---|---|---|---|---|
| CPU | AMD GX-412TC 1 GHz | AMD G-T24L 1 GHz | Intel Atom C2518 1.7 GHz | Intel Xeon E31275 3.4 GHz |
| Plain-text bits | 940 Mbps | 954 Mbps | 2500 Mbps | 3421 Mbps |
| Plain-text packets | 110 kpps | 135 kpps | 300 kpps | 493 kpps |
| NAT bits | 910 Mbps | 922 Mbps | 1700 Mbps | 2734 Mbps |
| NAT packets | 74 kpps | 82 kpps | 200 kpps | 310 kpps |
| VPN (AES) | 91 Mbps | 95 Mbps | 300 Mbps | 510 Mbps |

Tested hardware

Many users prefer to use our software on their own hardware appliances. We have benchmarked a few of the servers mentioned in our list of supported hardware.

Name Plain-text bits Plain-text packets VPN (AES)
PC Engines ALIX 2D3[3] 90 Mbps 40 Mbps
Intel D2500CC[4][5] 50 Mbps
VMware ESX 5.1 on HP DL120 G7 500 kpps 500 Mbps


The default values offer a good security/performance tradeoff. However, for very powerful and busy systems, some sysctl[6] tweaking might be necessary. Exactly which settings and values to change has to be determined on a case-by-case basis, usually by inspecting kernel memory (using, for example, systat) and queue lengths. If you are experienced enough to do this yourself, you can make such changes static by using skeleton files such as /cfg/skel/rc.local and adding commands such as

# just an example
sysctl net.inet.ip.ifq.maxlen=512
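
One way to ground the queue-length decision described above in data before putting a line into /cfg/skel/rc.local, as an added example that is not part of the original page or Halon's own tooling: compare two snapshots of `sysctl net.inet.ip.ifq` and suggest a larger maxlen only if the drop counter grew. It assumes OpenBSD's `name=value` sysctl output and the `net.inet.ip.ifq.drops` counter; the function names, the doubling step and the 2048 cap are hypothetical choices.

```sh
#!/bin/sh
# Added example: decide whether net.inet.ip.ifq.maxlen needs raising by
# comparing two snapshots of `sysctl net.inet.ip.ifq` taken some time apart.

# ifq_field SNAPSHOT FIELD -> value of net.inet.ip.ifq.FIELD (empty if absent)
ifq_field() {
    printf '%s\n' "$1" | sed -n "s/^net\.inet\.ip\.ifq\.$2=\([0-9][0-9]*\)$/\1/p"
}

# suggest_maxlen BEFORE AFTER [CAP]
# Prints a sysctl line for rc.local when the drop counter grew between the
# snapshots; prints nothing when the queue kept up. Returns 2 on bad input.
suggest_maxlen() {
    cap=${3:-2048}                      # assumed upper bound, tune per system
    d0=$(ifq_field "$1" drops)
    d1=$(ifq_field "$2" drops)
    max=$(ifq_field "$2" maxlen)
    [ -n "$d0" ] && [ -n "$d1" ] && [ -n "$max" ] || return 2
    # No new drops: the current maxlen is sufficient, keep the default.
    [ "$d1" -gt "$d0" ] || return 0
    new=$((max * 2))                    # assumed policy: double per step
    [ "$new" -le "$cap" ] || new=$cap
    [ "$new" -gt "$max" ] || return 0   # already at the cap
    echo "sysctl net.inet.ip.ifq.maxlen=$new"
}

# Constructed sample snapshots (not measurements from a real system).
SAMPLE_BEFORE='net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=10'
SAMPLE_AFTER='net.inet.ip.ifq.len=3
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=1480'

# Live use on the router would look like:
#   before=$(sysctl net.inet.ip.ifq); sleep 60; after=$(sysctl net.inet.ip.ifq)
#   suggest_maxlen "$before" "$after"
suggest_maxlen "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```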