Maximizing pfsense performance, for the fun of it

Prophet4NO1 · April 18, 2021, 1:42am

So, after a short stint on Untangle, I am back on pfsense. So, now, for the fun of it I want to poke and tweak it. I have been using it for the most part for the last five or six years.

The machine is overkill to start. An older E3 quad core Xeon, 4 GB of RAM, and a 10GB Intel X520 NIC for the LAN side. So, not really anything hardware to tweak.

What I have done so far is set the DNS forward to Cloudflare since I get really good ping times to them, 2-3ms. Internally, I am using the built in DNS resolver and have prefetch turned on for the cached entries. If my understanding is right, this will fetch updated DNS entries for anything in the cache and keep it up to date for internal use on the LAN. I also set the size of the cache to 512MB. Probably way more than I need, but you can not have too much cache.

So, what else can be done to tweak and squeeze every ounce out of pfsense? I pretty much get my ISP symmetric 1Gb/s already, so throughput is not really an issue. It is more about finding responsiveness of the network. I know the outside world is out of my control and that the gains are going to be minimal. I am just playing with this for my own amusement. Nothing more.

So, anything aside from QoS and traffic shaping that can be done? Or have I pretty much tweaked things as much as can be? I do have pfblocker running as well, so DNSBL obviously has a bit of impact on things. But, not sure I can do much about that.

neogrid · April 18, 2021, 11:36am

You could try creating a high availability setup if you have cash to burn.

neogrid · April 18, 2021, 11:39am

If you have a 10G LAN and a 1G WAN do you get any bufferbloat ? I would have guessed yes unless you have limiters setup to address that.

Prophet4NO1 · April 18, 2021, 6:23pm

Not really looking to do HA at the moment. Maybe later down the road.

As for buffer boat, not any that I can see. I tried tools like DSLreports, and they show only 3-5ms latency during test. So, seems good. Also tried Fast as well. Similar results. And that was from a 10G connection on the network into the pfsense and out the 1G WAN.

neogrid · April 18, 2021, 6:49pm

Was gonna suggest those different limiters but it sounds like you have a sweet set up

Prophet4NO1 · April 18, 2021, 10:23pm

This what it looks like so far. The black server is pfsense. The blue one is my VM server. File server is sitting below in a a tower out of frame.

mariem56 · April 19, 2021, 7:34am

Any issues with the latest version?

Prophet4NO1 · April 19, 2021, 10:47am

I have not bumped up to 2.5.1, yet. But 2.5.0 has been fine for me.

Bogdan · April 25, 2021, 12:10pm

If you are looking for additional use for your pfSense and you have spare CPU performance , . Then have a look at running built in IDS/IPS: Snort or Suricata. >> check for any intrusions.

Prophet4NO1 · April 25, 2021, 1:27pm

I was looking at checking suricata. I started setting it up and realized I had no idea what rules to run. At some point I plan to read up on the rules more to I should use.