The recommended specs for pfSense are way, way, way overkill. Your machine should handle that load quite handily. For a point of reference, I used a Soekris Net5501 in production for a little while and it fell over at about 45Mbps. It was spec'd out with a 500MHz Geode, 256MB RAM, and some of the worst NICs ever created (Via Rhinestone - vr driver).
In my experience, the most common big performance obstacle on a router like this is the context switching required by rapid-firing interrupts. Shitty NICs like the Rhinestones fire an interrupt for every single packet they receive. This becomes a major problem because each packet has to be processed, but oops! In the middle of processing it, another one comes in. So you pull that out, get interrupted, etc etc. Context switching is an expensive operation and quickly overwhelms a slow CPU.
Good NICs (Intel and Broadcom are both solid) have interrupt mitigation capabilities, which means they only bug the CPU when they have a certain number of packets accumulated, or when a timer hits 0. Operating in chunks like this is far, far more efficient than constant context switching.
Some operating systems attempt to mimic interrupt mitigation with polling - the kernel ignores the NIC's interrupts and just checks its buffers every so often. This can lead to much higher throughput and lower CPU utilization, but at the expense of latency, possibly losing packets if the NIC's buffers fill up, etc. OpenBSD has not implemented polling. In my experience interrupt mitigation is superior to polling, and the price of decent NICs is low enough that there's not much excuse.
Memory really should not be an issue. OpenBSD and PF are very efficient. On a pretty slow day (today), one of my production routers has about 17.5k states in memory. It's also running spamd, logging all blocked packets, and doing a tcpdump on its most active interface. Using 191MB of RAM.
So all that to say your specs are more than enough, TCO or no.
First, I don't think you are going to be able to do a good job of this on a broadband router. You probably need to look at setting up a Linux box to act as a proxy firewall router. Plus, if you do this on a computer you can run a cache which will save you bandwidth since pages visited by many users will only need to be downloaded once.
Blocking P2P tends to get very difficult. Most protocols these days tend to be very good at getting around the firewall.
- Set up a firewall that by default denies any outgoing requests. Yes, this is very harsh, but if you really want to block things this is a cheap way to start.
- You will probably need to explicitly add rules for any servers that are hosted within your network.
- Set up an HTTP proxy (e.g. squid), and configure all the browsers to use the proxy server.
- Subscribe to a blacklist (e.g. 1, 2) service and make sure you prohibit any proxies.
- Set up something like srg or sarg to produce reports per user/computer about who is visiting what, and how much bandwidth they are using. Give the administration the ability to view this information.
- Use the controls inside your proxy server to throttle computers (squid delay_pools).
- Set up a procedure for trusted users to get around the default deny firewall policy (but still keep logs).
I know the above is very heavy-handed, but it will block almost all P2P traffic, and isn't particularly difficult to implement.
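As an added illustration of the default-deny setup the list above describes (this is not the answerer's configuration), here is a pf.conf in OpenBSD 4.7+ syntax. The interface names, the LAN range and the hosted server's address are assumptions, and Squid is assumed to run on the firewall box itself, listening on port 3128, so that LAN clients have no path to the Internet except through it. Every blocked packet is logged, and the trusted-user bypass is a table that can be changed at runtime without reloading the ruleset.

```pf
# Added example, not from the answer above: pf.conf for a default-deny
# proxy/firewall/router. Interface names, LAN range and server address
# are assumptions; Squid is assumed to listen on this box on port 3128.
ext_if  = "em0"              # assumed WAN interface
int_if  = "em1"              # assumed LAN interface
lan_net = "192.168.1.0/24"   # assumed LAN range
web_srv = "192.168.1.10"     # assumed server hosted inside the network

# hosts granted the trusted-user exception; changed at runtime with
#   pfctl -t trusted -T add 192.168.1.50
#   pfctl -t trusted -T delete 192.168.1.50
table <trusted> persist

set skip on lo

# outbound NAT for whatever forwarded traffic the rules below admit
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# default deny in both directions; "log" sends every blocked packet to pflog0
block log all

# traffic leaving this box: Squid's own fetches plus admitted forwarded traffic.
# The egress policy for LAN clients is enforced by what is allowed *in* on
# $int_if below, which is the pattern the OpenBSD FAQ uses.
pass out quick inet

# LAN clients may reach nothing but the proxy on this box; anything else they
# try (P2P included) is dropped and logged by the block rule above
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port 3128

# explicit exception for a server hosted inside the network
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 80 443 } rdr-to $web_srv

# trusted hosts bypass the default deny; "log" still records each new connection
pass in log on $int_if inet from <trusted> to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what is being blocked with `tcpdump -n -e -ttt -i pflog0`. With this in place the blacklist and `delay_pools` settings in Squid decide what the clients can reach and how fast, since the proxy is the only way out.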
Best Answer
MLPPP is supported in any Cisco router capable of running IOS 11.1.