pfSense Hardware Sizing Calculator
Enter your WAN speed, feature load (Suricata IDS/IPS, VPN type and throughput, pfBlockerNG, shaping), users and NIC needs, and get a recommended CPU class, RAM, NIC guidance and a hardware tier with the rationale — and which feature is your bottleneck.
Methodology & honest caveats
Each feature is assigned a throughput-per-CPU coefficient (Mbps sustained per unit of a single-thread-weighted CPU index). The required CPU index for a feature is target_Mbps ÷ coefficient; the box must clear the maximum required index across every feature you enable. That maximum is the bottleneck — and it is almost always Suricata IPS (coefficient ≈ 1.6) or OpenVPN (≈ 1.4), not plain firewalling (≈ 12). OpenVPN also has a hard ~500 Mbps single-tunnel ceiling regardless of CPU, because it is single-process.
RAM = base (1 GB OS, 2 GB floor) + Suricata ruleset (≈ 1 GB + per monitored interface) + pfBlockerNG feeds + state-table memory from your user count. NIC guidance flags onboard Realtek near or above its ~900 Mbps practical ceiling, or whenever IPS is on — BSD Realtek drivers struggle under high packet rates. Storage grows with Suricata and pfBlockerNG logs; SSD/NVMe is required once IDS is on.
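The bottleneck rule and the NIC flag described above, as an added JavaScript example that is not the calculator's own code. It uses only the three coefficients quoted on this page; the function name `sizeCpu`, the feature keys, the warning strings and the reading of "near" the Realtek ceiling as "at or above 900 Mbps" are assumptions.

```javascript
// Added illustration, not the calculator's source. Coefficients are the rounded
// planning figures quoted in the text (Mbps sustained per CPU-index unit).
const COEFFICIENTS = { firewall: 12, suricataIps: 1.6, openvpn: 1.4 };
const OPENVPN_TUNNEL_CEILING_MBPS = 500; // single-process limit, CPU cannot lift it
const REALTEK_CEILING_MBPS = 900;        // assumption: flag at or above this figure

// targets: { featureKey: sustained Mbps }, 0 or missing = feature disabled.
function sizeCpu(targets, { realtekNic = false } = {}) {
  const perFeature = [];
  for (const [feature, mbps] of Object.entries(targets)) {
    if (!Object.hasOwn(COEFFICIENTS, feature)) {
      throw new Error(`no coefficient on the page for "${feature}"`);
    }
    if (!Number.isFinite(mbps) || mbps < 0) {
      throw new RangeError(`invalid Mbps target for ${feature}: ${mbps}`);
    }
    if (mbps === 0) continue;
    perFeature.push({ feature, mbps, requiredIndex: mbps / COEFFICIENTS[feature] });
  }
  if (perFeature.length === 0) throw new Error("no feature enabled");

  // The box must clear the largest per-feature index; that feature is the bottleneck.
  const worst = perFeature.reduce((a, b) => (b.requiredIndex > a.requiredIndex ? b : a));

  const warnings = [];
  if ((targets.openvpn ?? 0) > OPENVPN_TUNNEL_CEILING_MBPS) {
    warnings.push("openvpn-single-tunnel-ceiling"); // more CPU will not help
  }
  const ipsOn = (targets.suricataIps ?? 0) > 0;
  const peakMbps = Math.max(...perFeature.map((f) => f.mbps));
  if (realtekNic && (ipsOn || peakMbps >= REALTEK_CEILING_MBPS)) {
    warnings.push("realtek-nic");
  }
  return { bottleneck: worst.feature, requiredIndex: worst.requiredIndex, perFeature, warnings };
}

// Constructed input: 1 Gbps WAN, 500 Mbps inspected by IPS, 200 Mbps OpenVPN.
console.log(sizeCpu({ firewall: 1000, suricataIps: 500, openvpn: 200 }, { realtekNic: true }));
```

In the constructed case plain firewalling at 1 Gbps needs an index of about 83, while 500 Mbps of IPS needs about 312, so the inspection load, not the WAN speed, sets the CPU class.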
Coefficients and hardware tiers live in src/data/pfsense-hw-model.json (model v1.0.0). These are rounded planning figures across Netgate/Protectli-class hardware, not a benchmark of your exact silicon — real numbers depend on packet size, ruleset, tunables and driver. Treat the recommended tier as a floor; size up near any boundary or if you expect growth.