pfSense System Requirements - Hardware Compatibility
pfSense is based on FreeBSD and requires a 64-bit amd64 (x86-64) architecture exclusively. It runs on both physical hardware and virtualization platforms. When selecting hardware, consider the expected throughput, number of concurrent connections, and the features in use - VPN, IDS/IPS, proxy servers, and other packages all affect resource consumption.
Minimum Requirements
The specifications below represent the absolute minimum for booting pfSense. Production deployments should follow the recommended requirements further in this document.
| Component | Minimum |
|---|---|
| CPU | 64-bit (amd64), single core, 500 MHz |
| RAM | 1 GB |
| Storage | 8 GB (SSD or HDD) |
| Network Interfaces | 1 (minimum to boot; 2 for a typical WAN + LAN configuration) |
| Installation Media | USB drive or DVD |
Warning:
The minimum configuration is suitable only for lab environments and testing. Production deployments require hardware that meets or exceeds the recommended specifications below.
Recommended Requirements
Hardware requirements depend on deployment scale, traffic volume, and active services. The following recommendations cover three common scenarios.
Small Office (up to 50 users)
| Component | Recommendation |
|---|---|
| CPU | 2 cores, 1.0+ GHz, AES-NI support |
| RAM | 4 GB |
| Storage | 32 GB SSD |
| Network Interfaces | 2 (WAN + LAN), Intel |
| Throughput | up to 500 Mbps without VPN |
This configuration handles routing, a firewall with a moderate rule set, and one or two VPN tunnels.
Branch Office (50–200 users)
| Component | Recommendation |
|---|---|
| CPU | 4 cores, 1.5+ GHz, AES-NI support |
| RAM | 8 GB |
| Storage | 64 GB SSD |
| Network Interfaces | 3–4 (WAN, LAN, DMZ, optional OPT), Intel |
| Throughput | up to 1 Gbps without VPN |
When running Suricata or Snort for traffic inspection, increase RAM to 16 GB. IDS/IPS packages consume significant memory depending on the number of loaded rule sets.
Enterprise Network (200+ users)
| Component | Recommendation |
|---|---|
| CPU | 4–8 cores, 2.0+ GHz, AES-NI support |
| RAM | 16–32 GB |
| Storage | 120+ GB SSD (NVMe preferred) |
| Network Interfaces | 4+, Intel server-grade (i350, X520, X710) |
| Throughput | 1–10 Gbps |
For enterprise deployments with heavy VPN usage, hardware AES-NI support is critical. Without it, IPsec and OpenVPN throughput drops by several times.
State Table Memory Calculation
Every active connection passing through pfSense occupies an entry in the state table. Memory consumption scales linearly:
| State Count | Memory Usage |
|---|---|
| 100,000 | ~100 MB |
| 500,000 | ~500 MB |
| 1,000,000 | ~1 GB |
When planning RAM capacity, account for both the state table and installed package requirements (Suricata, pfBlockerNG, HAProxy, and others).
Network Interfaces
The choice of network adapter has a substantial impact on pfSense performance. Low-quality adapters impose a disproportionate CPU load even at modest traffic levels.
Recommended Chipsets
Intel - the preferred choice for pfSense. Intel drivers in FreeBSD are stable and performant. Recommended product lines:
- Intel i210/i211 - gigabit adapters for small deployments
- Intel i350 - server-grade gigabit adapter with SR-IOV support
- Intel X520/X540 - 10-gigabit adapters (SFP+/10GBase-T)
- Intel X710/XL710 - 10/40-gigabit adapters with DPDK support
Chelsio - server-class adapters with well-maintained FreeBSD drivers. Suitable for high-throughput deployments at 10/25/40 GbE.
Adapters to Avoid
Realtek - budget adapters based on RTL8111/RTL8168 chipsets function but impose significantly higher CPU overhead compared to Intel. Not recommended for production use.
USB adapters - strongly discouraged. They are unreliable, offer poor performance, and are unsuitable as firewall network interfaces.
Warning:
To verify compatibility of a specific adapter model, consult the FreeBSD Hardware Notes for the FreeBSD version underlying your pfSense release.
Virtualization
pfSense runs on all major virtualization platforms. Below are platform-specific recommendations.
VMware ESXi
- Guest OS type: FreeBSD 14 (64-bit) or Other (64-bit)
- Network adapters: VMXNET3 (preferred) or E1000
- Disk controller: PVSCSI or LSI Logic
- Allocate a CPU with AES-NI support and pass the flag to the guest OS
VMXNET3 delivers the best performance for pfSense on ESXi. Use E1000 only if compatibility issues arise.
Proxmox VE
- Machine type: q35
- Network adapters: VirtIO (virtio-net)
- Disk controller: VirtIO SCSI or VirtIO Block
- CPU type: host (to pass through hardware instructions including AES-NI)
VirtIO drivers are included in the FreeBSD kernel and require no additional installation. Proxmox is among the most convenient platforms for deploying pfSense in a virtual environment.
Microsoft Hyper-V
- Virtual machine generation: Generation 2
- Network adapters: Hyper-V synthetic adapters (hn)
- Secure Boot must be disabled in VM settings
- Hyper-V Integration Services drivers are included in the FreeBSD kernel
Warning:
Hyper-V Generation 1 may cause boot failures. Use Generation 2 exclusively with Secure Boot disabled.
KVM / QEMU
- Machine type: q35
- Network adapters: VirtIO (virtio-net)
- Disk controller: VirtIO (virtio-blk or virtio-scsi)
- CPU type: host
- Display adapter: VGA (QXL is unnecessary for headless installations)
The configuration mirrors Proxmox, as Proxmox uses KVM/QEMU as its underlying hypervisor.
General Virtualization Guidelines
- Do not use emulated adapters (rtl8139, ne2k) - they degrade performance significantly
- For VPN tunnels, verify that AES-NI instructions are passed through to the virtual machine
- Allocate fixed rather than dynamic memory
- For high-throughput scenarios, consider PCI Passthrough of physical network adapters
Migrating from Other Platforms
Administrators transitioning to pfSense from Cisco ASA, FortiGate, or MikroTik appliances often plan to repurpose existing server hardware. Several factors warrant consideration when evaluating compatibility.
Reusing Existing Hardware
Standard x86-64 servers (Dell PowerEdge, HP ProLiant, Supermicro) are suitable for pfSense provided the network adapters are compatible. Proprietary appliance hardware (Cisco ASA appliance, FortiGate appliance) is not suitable - these platforms use locked firmware and, in some cases, non-standard architectures.
Compact Platforms
For smaller deployments, compact x86-64 platforms work well:
- Protectli - devices with Intel Celeron/Core i processors and multiple Intel NIC ports
- Qotom - mini PCs with multiple Ethernet ports and Intel processors
- Supermicro SYS-E series - compact servers with server-grade network adapters
When selecting a compact platform, verify AES-NI support and ensure a sufficient number of Intel-based network ports.
Performance Expectations During Migration
When replacing a hardware firewall with pfSense, note that published throughput figures for appliances (e.g., “Cisco ASA 5525-X - 2 Gbps firewall throughput”) are achieved using dedicated ASICs. A software firewall on x86 hardware requires a more powerful CPU to match comparable numbers, particularly with IDS/IPS and VPN enabled.
Related Sections
- Installation Guide - step-by-step installation after verifying hardware compatibility
- Upgrading pfSense - version upgrades, including hardware platform changes
- Firewall Rules - configuring filter rules after completing installation