Most firewalls and routers are in fact CPU-based, even those marketed as "hardware appliances". Our security router software is compiled for 32/64-bit Intel-compatible (i386/amd64) computers and servers, and offers a very good price/performance ratio for systems handling traffic volumes in the range of 10 Mbps to 10 Gbps. The benchmarks below were performed using two low-end computers running Linux with iperf or OpenBSD with tcpbench (with standard configuration and without extra command-line options), so the figures show the minimum performance you should expect.
We offer a few hardware appliances. Their port configuration, licenses and recommended prices are listed on the pricing page.
|CPU||AMD GX-412TC 1 GHz||AMD G-T24L 1 GHz||Intel Atom C2518 1.7 GHz||Intel Xeon E31275 3.4 GHz|
|Plain-text bits||940 Mbps||954 Mbps||2500 Mbps||3421 Mbps|
|Plain-text packets||110 kpps||135 kpps||300 kpps||493 kpps|
|NAT bits||910 Mbps||922 Mbps||1700 Mbps||2734 Mbps|
|NAT packets||74 kpps||82 kpps||200 kpps||310 kpps|
|VPN (AES)||91 Mbps||95 Mbps||300 Mbps||510 Mbps|
Many users prefer to use our software on their own hardware appliances. We have benchmarked a few of the servers mentioned in our list of supported hardware.
|Name||Plain-text bits||Plain-text packets||VPN (AES)|
|PC Engines ALIX 2D3||90 Mbps||40 Mbps|
|Intel D2500CC||50 Mbps|
|VMware ESX 5.1 on HP DL120 G7||500 kpps||500 Mbps|
The default values offer a good security/performance tradeoff. However, for very powerful and busy systems, some sysctl tweaking might be necessary. Exactly which settings and values to use has to be determined on a case-by-case basis, usually by inspecting the kernel memory (using, for example, systat) and queue lengths. If you are experienced enough to do this yourself, you can make such changes persistent by adding commands to skeleton files such as /cfg/skel/rc.local, for example:
# just an example
sysctl net.inet.ip.ifq.maxlen=512
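One way to ground such a change in the queue counters rather than guesswork, shown as an added example (not part of the original page or the product's own tooling). It assumes the system exposes net.inet.ip.ifq.len and net.inet.ip.ifq.drops next to the maxlen setting above; the snapshots are constructed sample data and the doubling rule is an illustrative heuristic, not a vendor recommendation.

```shell
# Constructed sample: two `sysctl net.inet.ip.ifq` snapshots taken some time apart.
SNAP_BEFORE='net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=120'
SNAP_AFTER='net.inet.ip.ifq.len=251
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=4810'

# ifq_field SNAPSHOT NAME
# Prints the numeric value of net.inet.ip.ifq.NAME, or nothing if it is absent.
ifq_field() {
    printf '%s\n' "$1" |
        awk -F= -v key="net.inet.ip.ifq.$2" '$1 == key { print $2 + 0; exit }'
}

# ifq_advice BEFORE AFTER
# If the drop counter grew between the two snapshots, the queue overflowed:
# print an rc.local line with maxlen doubled (assumed heuristic).
# Otherwise (no growth, or counter reset by a reboot) print a "keep" comment.
ifq_advice() {
    d0=$(ifq_field "$1" drops)
    d1=$(ifq_field "$2" drops)
    max=$(ifq_field "$2" maxlen)
    if [ -z "$d0" ] || [ -z "$d1" ] || [ -z "$max" ]; then
        echo "error: snapshot is missing drops or maxlen" >&2
        return 2
    fi
    if [ "$d1" -gt "$d0" ]; then
        echo "sysctl net.inet.ip.ifq.maxlen=$((max * 2))"
    else
        echo "# ifq drops unchanged, keeping maxlen=$max"
    fi
}

# On a live system, replace the samples with real output, e.g.:
#   before=$(sysctl net.inet.ip.ifq); sleep 60; after=$(sysctl net.inet.ip.ifq)
ifq_advice "$SNAP_BEFORE" "$SNAP_AFTER"
```

Review the printed line before appending it to /cfg/skel/rc.local, since a larger queue trades dropped packets for more kernel memory and latency under load.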