Netgate SG-3100 Iperf < 600MBPS
-
Hi all, Having an issue with an SG-3100 that we use for WAN and Firewall. It has a 1Gbps/1Gbps connection on LAN and 1Gbps/1Gbps on WAN. We've tested using iperf and cannot go over 500~600Mbps through the LAN port from either client to client on another VLAN or from client to router using the iperf package on PFsense.
-
I don't own a 3100, I use a 4100 (some what comparable, I guess), and I'll excuse upfront :
You do the test wrong ^^.Do (exactly) what this guy did here : https://www.youtube.com/watch?v=dbSUdDyfW0M&t=688s as he is pulling a gigbit through a 3100 - the video shows it, using 'iperf'
-
@dave10x explain the set up a bit more.
Clients connects directly to the LAN port on the 3100 or are they connected to a switch down stream?
3100 isnt set up for bridging i hope. -
The client is a laptop that has been tested to be able to saturate a full 1Gb using iperf. Or 900Mbps+ to other clients on the same LAN.
It is plugged into a unify 48-port switch capable of 10Gbps also been tested with other hardware on the same LAN / same network segment. We cannot unplug the Lan port to test directly as its hosting a live connection for 1400 users. this would require planned downtime.
We have multiple VLANs on the LAN interface and testing traffic going through the router to another client on another VLAN or through the WAN connection is the same result.
We have about 10 Netgate routers in our organisation, and only the 3100 seem to do this. They are fully patched. No Bridging lol.
Thanks.
-
@dave10x said in Netgate SG-3100 Iperf < 600MBPS:
No Bridging lol.
But you do something else : you took a LAN, and squeeze VLAN's into a LAN port.
So I'm asking, if one VLAN "eats" some xxxx Mbits/sec, on another VLAN (same LAN), you have this amount of bandwidth already gone.And again, I'm gona be silly : read again :
@gertjan said in Netgate SG-3100 Iperf < 600MBPS:
Do (exactly) what this guy did
So no 1400 clients.
No VLANs.
Bare bone device please, with gadgets, wishles and bells (like snort - suricata and other resource killers etc)
-
IPerf is being used exactly like Tom did.
So I've recreated the test from one of our servers (10Gb) in another very quiet site (80 users) on another SG-3100 and got the same result. Using iperf exactly like Tom did, big fan of his work.
I'm going to install an SG-4100 that definitely saturates a Gig and get the SG-3100 back in the office to test it with factory defaults on it.
There's no Suricata/Snort installed.
All traffic shaping is disabled per interface.
Limiters are disabled. -
@dave10x Check CPU utilization? There was a recent thread:
https://forum.netgate.com/topic/175679/slower-internet-behind-sg-3100 -
@steveits doesn't look overly high, and we don't use Pfblocker, but thanks anyway.
-
@dave10x said in Netgate SG-3100 Iperf < 600MBPS:
or from client to router using the iperf package on PFsense
Netgate has posted in the past to not run it on the router, since that uses CPU cycles and pfSense is optimized to route traffic not run programs. Instead test through pfSense. (I'm just reporting what they've posted)
re: CPU, is log compression disabled? If "top"/System Activity shows bzip processes then it's likely stuck spending time on disk writes, which are not particularly fast on eMMC storage. That's come up here a few times.
Is your VLAN on a switch port, or on OPT1?
-
Hi Steve, we have tested through the router to a client on the other VLAN. Same result.
Log compression is set to default. "bzip2" - we will try disabled
VLAN is on the Switch port.
Thanks.
-
After log compression set to none.
Connecting to host 10.40.144.150, port 5201
[ 4] local 10.40.144.4 port 53975 connected to 10.40.144.150 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 64.4 MBytes 539 Mbits/sec
[ 4] 1.00-2.00 sec 65.4 MBytes 549 Mbits/sec
[ 4] 2.00-3.00 sec 67.8 MBytes 568 Mbits/sec
[ 4] 3.00-4.00 sec 65.9 MBytes 553 Mbits/sec
[ 4] 4.00-5.00 sec 62.8 MBytes 526 Mbits/sec
[ 4] 5.00-6.00 sec 67.2 MBytes 565 Mbits/sec
[ 4] 6.00-7.00 sec 64.9 MBytes 544 Mbits/sec
[ 4] 7.00-8.00 sec 65.2 MBytes 547 Mbits/sec
[ 4] 8.00-9.00 sec 67.1 MBytes 564 Mbits/sec
[ 4] 9.00-10.00 sec 64.8 MBytes 543 Mbits/sec
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 655 MBytes 550 Mbits/sec sender
[ 4] 0.00-10.00 sec 655 MBytes 550 Mbits/sec receiveriperf Done.
-
@dave10x looks like your directly running IPerf on pfsense? Your IPs seem to be in the same vlan, unless your not using a /24 mask?
Notice in his test he is routing through pfsense. Notice the IPs that are testing to from.
-
We are using a /21. The test was carried out to the same subnet for that test (my mistake).
We have tried this routing to:
- the same subnet (not routing)
- another Virtual interface on another Tagged VLAN / Subnet on the PFsense
- another VM on another VLAN / separate IP range.
Here is another test routing to a client on another subnet.
Connecting to host 10.40.161.12, port 5201
[ 4] local 10.40.144.4 port 54463 connected to 10.40.161.12 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 47.5 MBytes 398 Mbits/sec
[ 4] 1.00-2.00 sec 52.5 MBytes 440 Mbits/sec
[ 4] 2.00-3.00 sec 51.9 MBytes 435 Mbits/sec
[ 4] 3.00-4.00 sec 49.6 MBytes 417 Mbits/sec
[ 4] 4.00-5.00 sec 47.9 MBytes 402 Mbits/sec
[ 4] 5.00-6.00 sec 42.6 MBytes 357 Mbits/sec
[ 4] 6.00-7.00 sec 45.6 MBytes 383 Mbits/sec
[ 4] 7.00-8.00 sec 47.9 MBytes 401 Mbits/sec
[ 4] 8.00-9.00 sec 50.9 MBytes 428 Mbits/sec
[ 4] 9.00-10.00 sec 51.0 MBytes 428 Mbits/sec
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 487 MBytes 409 Mbits/sec sender
[ 4] 0.00-10.00 sec 487 MBytes 409 Mbits/sec receiveriperf Done.
-
@dave10x said in Netgate SG-3100 Iperf < 600MBPS:
The test was carried out to the same subnet for that test (my mistake).
well that wouldn't go through pfsense then - and your still not seeing gig..
And you also mention VM..
Lets see a test between your 2 devices you want to use for testing of the routing speed, actually do gig.. before you route it through pfsense.. In your test you posted, clearly pfsense was not routing that traffic and you only saw 600..
-
One thing to be aware of here is that the mvneta NICs in the 3100 are single queue.
That means if you're testing between two VLANs on the same NIC you can only use a single transmit and receive queue.
You may see significantly worse performance than you would between the WAN and OTP ports, for example, where two NICs are in use.
That's the primary difference between the 2100 and 1100 and we see ~50% better throughput there.
Steve
