[rstephenson2]

Does anyone know of anything a bit larger? There are a lot of great little devices for running WRT for your home, but are there any open distributions for, say, a 50-person startup? At that level, things like maximum connection count and QoS play more of a role. Is it possible to just scale up the hardware and run openWRT, or are there other concerns?

[walterbell]

Ubiquiti has a $100 device that will route 1 million packets/sec, distro is Vyatta based on FreeBSD, http://www.ubnt.com/edgemax/edgerouter-lite/

[m-app]

I was intrigued at first especially after reading the comparison with Cisco and Juniper gear and seeing that the Ubiquiti was out performing them. But when I read up on the forums I noticed that as soon as you enable any interesting advanced features the performance will drop because hardware offloading is disabled. A couple of examples: a modify firewall rule, load-balancing, netflow, QoS and probably many more.

For a couple of end user benchmarks: http://community.ubnt.com/t5/EdgeMAX/kernel-compilation/td-p...

[VLM]

"as soon as you enable any interesting advanced features the performance will drop"

This is highly insightful for OPs original question:

"Is it possible to just scale up the hardware"

In 1999 I was doing NAT and simple stateful firewall and some stereotypical appliance functions (DHCP, DNS, NTP) on a 25 MHz 486 desktop repurposed into my firewall and when maxing out the 1 meg dsl line I was running around 20% CPU, so I estimated the hardware wouldn't be limiting until 5 megs or so. I've upgraded a couple times since then.

Then again if you enable enough logging and packet inspection you can probably kill a brand new top of the line server on a 56K SLIP connection with one user.

There are certain pitfalls... at a glance comparing my 486 first firewall to a modern rasp pi, the pi should win, but the pi connects ethernet over its usb with pretty icky limits and latency. So my old 25 MHz 486 would probably crush a rasp pi acting in that role despite the orders of magnitude disparity in CPU speed.

In summary based on lots of experience, the variation in what you're trying to do, influences the "power" required, by several orders of magnitude more than the speed of the connection or number of users.

There is an interesting analogy in supercomputing that no matter how big the machine its not much of a challenge to submit an algo that scales poorly such that a modest appearing increase can crush it, see traveling salesman problem etc. In a similar way you could probably run a firewall on an embedded 486 appliance, although it would be trivial to configure a fw to absolutely crush a top of the line modern server no matter how much money was spent on it.

[walterbell]

This thread claims that additional offload support is planned, but there are no recent progress reports, http://community.ubnt.com/t5/forums/forumtopicprintpage/boar...

Is this a limitation of VyOS or the closed-source offload/acceleration driver?

For Intel hardware, DPDK improves performance even in virtualized environments, http://rishidot.com/blog/cloudcomputing/intel-dpdk-and-cloud... & http://events.linuxfoundation.org/sites/events/files/slides/...

[gonzo]

it's a limitation of the offload that the (closed source) driver enables.

[Titanous]

I have one and highly recommend it. The distro is actually Debian-based and is mostly an open source fork of Vyatta but has some proprietary bits for the Cavium offload.

[gonzo]

Don't believe the hype (or at least: understand it)

Also, EdgeOS is based on linux (originally Vyatta), not FreeBSD. but we're about to release pfSense 2.2 (FreeBSD 10) for the Edge Router.

[walterbell]

Any alternative hardware recommendations, other than PCEngines @ $250?

[gonzo]

There are a number of boards coming out based on Intel's Avoton/Rageley SoC.

[walterbell]

Found ASrock mb+soc for $280, http://www.newegg.com/Product/Product.aspx?Item=N82E16813157...

Or Lenovo TS140 home server with i3 cpu for $290, http://openindiana.org/pipermail/openindiana-discuss/2014-Ma...

[m0shen]

As mentioned elsewhere in this thread: https://www.pfsense.org/ works when you provide enough horsepower.

[pyvpx]

it is shockingly hungry (compared to something like BSDRP), and sadly out of date (tracking 8? que?!)

[gonzo]

Nope, it's tracking FreeBSD-10

pfSense 2.1(.x) -> FreeBSD 8.3 pfSense 2.2 -> FreeBSD 10 (-CURRENT)

and it's really no more hungry than BSDRP.

[tedchs]

For a company, I would look at a pair of small Juniper SRXes (e.g. SRX240), optionally with clustering enabled.