Topic: Scalability of M0n0wall  (Read 8931 times)
« on: December 09, 2009, 23:15:51 »
f41thr *
Posts: 28

Is there a benchmark available on M0n0wall HW scalability?
What kind of specific HW can be used in:

a) Small Office Environment (number of users < 20) (Would say an Alix board may fit well)
b) Mid-size Offices (number of users 20 < 100)
c) Large scale (number of users > 100)
d) Enterprise Environment

c) and d) may be challenging, aren't they?
Coverage should be all that nasty VPN, DMZ, etc. stuff.

Did anyone try this? I didn't so far.

I personally run on either a WRAP or an ALIX board.
On my ALIX board I run M0n0wall for test and development, pfSense or an OpenBSD based FW for testing. After starting with a very, very old PC ;) a couple of years before.

F41THR
« Reply #1 on: August 05, 2012, 20:09:19 »
matguy *
Posts: 28

I ran it at an old job on a Dell PowerEdge 2850 with way more RAM than one should reasonably throw at it (6GB, I think) and a single Xeon 3-ish GHz to run our captive portal for our Guest Wireless. Some time after I left they had some conference with 20-something people trying to all VPN at once; supposedly they overran the state table that m0n0 supports. I wouldn't think that a few VPN users would overrun the state table, but supposedly the state table was their issue. They simply migrated over to pfSense and they claim all was well after that.

I would wager to say that m0n0wall is good for small offices and/or homes rather than large installations, especially if you want to run on "smaller" hardware. If you need to scale (especially if you are scaling from a current m0n0wall install and want to "upgrade" and retain settings) I would say that pfSense may be better for larger requirements as it seems to be better suited to take advantage of "larger" hardware, although not as efficient on "smaller" hardware.
« Reply #2 on: December 02, 2012, 00:56:31 »
Lee Sharp *****
Posts: 517

Number of users matters not at all.  It is all about throughput.

An embedded, like Geode, or Via processor maxes out at about 45 meg.  Less if doing VPN.

An Atom dual core, or other Dual core  will do wire speed fast ethernet.  It will NOT do full gig.  Depending on IO, you will get 300meg to 500 meg.

For full gigabit, you will need AGP connected cards, and still you will hit the wall at 600meg to 800 meg.
« Reply #3 on: December 03, 2012, 03:04:09 »
matguy *
Posts: 28

Quote from: Lee Sharp on December 02, 2012, 00:56:31
> Number of users matters not at all.  It is all about throughput.
>
> An embedded, like Geode, or Via processor maxes out at about 45 meg.  Less if doing VPN.
>
> An Atom dual core, or other Dual core  will do wire speed fast ethernet.  It will NOT do full gig.  Depending on IO, you will get 300meg to 500 meg.
>
> For full gigabit, you will need AGP connected cards, and still you will hit the wall at 600meg to 800 meg.

Scalability is also all about the number of states the router can manage, which is a finite number in m0n0wall. That factor is often easier to ballpark calculate by counting users and what their general use profile will be. 100 people checking code in and out of a software repository is much different from 100 people heavily torrenting and/or playing games, from a state perspective, even if their bandwidth may be very similar.

This is what often brought down the old Linksys WRT54G routers, where their states were very long lasting, but not a very large state table, so users would often fill up the state table via usage with wide access patterns.  It was common for a single user to fill up the state table on a WRT54G just by polling a few server lists on some very popular games.  It can be a concern in m0n0wall too since the state table size is fairly hard coded.

I'll assume your mention of "AGP connected cards" is a label swap mistake, I would imagine you're going for PCI-Express.  I just want to make sure no one would get thrown off with the idea.  (I won't go so far to say that there are no AGP network cards, because I don't like to state assumptions as facts, but I would certainly bet that there aren't, and losing that bet would almost be worth it to see such a beast.)
« Reply #4 on: December 08, 2012, 07:18:36 »
Lee Sharp *****
Posts: 517

Doh!  Yep.  I ain't never seen one of them AGP NICs... :)  Yes, some 64 bit NIC like PCI-e or PCI-64.

As to the limited state table, setting the expire shorter will solve those problems.  I have not seen the issue with several hundred users...
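
The state-table argument in replies #3 and #4, worked through as an added example (not posted by anyone in the thread, and not m0n0wall code): a second-by-second model of a fixed-size state table under two use profiles, with a long and a short state expiry. The table limit, flow rates and timeouts are constructed for illustration and are not m0n0wall's actual values; the model assumes every state lives for a fixed time and is never refreshed.

```python
from collections import deque

TABLE_LIMIT = 30_000   # constructed limit, NOT m0n0wall's real state table size
USERS = 100

# New flows per user per minute (constructed profiles from the thread's examples).
PROFILES = {
    "repo check-in/out": 3,       # a few long transfers
    "game server-list polling": 300,  # many short-lived flows to many hosts
}

def simulate(users, flows_per_user_per_min, state_ttl, table_limit, duration=1200):
    """Return (peak_states, rejected_flows) over `duration` seconds.

    Each accepted flow occupies one state for exactly `state_ttl` seconds.
    A flow arriving while the table is full is rejected (connection fails).
    """
    batches = deque()              # (expiry_second, states_created), FIFO by expiry
    in_table = peak = rejected = carry = 0
    for now in range(duration):
        # Expire states whose timeout has passed.
        while batches and batches[0][0] <= now:
            in_table -= batches.popleft()[1]
        # Integer arrival accounting: flows/min accumulated into whole flows/sec.
        carry += users * flows_per_user_per_min
        arrivals, carry = divmod(carry, 60)
        accepted = min(arrivals, table_limit - in_table)
        rejected += arrivals - accepted
        if accepted:
            batches.append((now + state_ttl, accepted))
            in_table += accepted
        peak = max(peak, in_table)
    return peak, rejected

def report():
    rows = []
    for name, rate in PROFILES.items():
        for ttl in (600, 30):      # constructed "long" and "short" expiry, seconds
            peak, rejected = simulate(USERS, rate, ttl, TABLE_LIMIT)
            rows.append((name, ttl, peak, rejected))
    return rows

if __name__ == "__main__":
    for name, ttl, peak, rejected in report():
        print(f"{name:26s} ttl={ttl:4d}s peak={peak:6d} rejected={rejected}")
```

Steady-state occupancy is roughly new flows per second times state lifetime, which is why the same 100 users either never approach the limit or pin the table at it depending on profile and expiry.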
 