Lanner Inc. FW7535D
-
Hi,
We just purchased the Lanner Inc. FW7535 to replace an Alix 2C3. The VPN throughput was lacking severely, and the internet connection will also be upgraded to 120mbit, which requires gigabit ports. The box is a bit empty, although they do supply a power cord, the SATA drive connector and the drive screws. There is no manual, quick start guide or CD provided with the system.
Front:
http://iserv.nl/files/pics/lanner-fw7535/fw7535-above-front.jpg
The FW7535 has 6 Intel Gigabit ports; the 1st is an older type of Intel NIC which works in 1.2.3. The others are a bit newer and are only supported in 2.0.
It has an Intel Atom D510 processor coupled with a single 1GB DDR2 SO-DIMM from Kingston. There is 1 free memory slot available and 1 free miniPCI-e slot for a wireless card or hardware crypto card. We are finally ditching the mini-PCI cards, Yay. There are 2 SATA ports available on the motherboard, and a breakout cable for VGA and PS2 is provided for legacy software that doesn't speak USB keyboard.
Inside:
http://iserv.nl/files/pics/lanner-fw7535/fw7535-underside-open.jpg
I wrote the nanoBSD version of pfSense 2.0 BETA4 to a Sandisk Extreme 3 CF card. For some reason the system refused to boot with the Sandisk Extreme 4 card I have here.
A note on the BIOS of this system: by default the console redirection is enabled. This causes the pfSense 2.0 boot loader to stop. You can enter the BIOS by connecting a serial cable to the device with the supplied cable.
Set the serial speed to 115200 and, when you see the BIOS screen, press TAB to enter it. Here you can set the "remote access console redirect option" to "disabled after post". This is because the FreeBSD bootloader already uses the serial port for the console in the nanoBSD images.
After assigning the first port as the LAN and the 2nd as the WAN port, I've set up an iperf server and did a few performance tests with a standard NAT setup and a port forward on WAN. This is to facilitate bidirectional performance testing.
Wonderful website sponsored by the US government:
http://nces.ed.gov/nceskids/createagraph/default.aspx?ID=e92dd120c4324894b8ee2feaf8139511
dual stream via port forward.
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.0 sec 252 MBytes 211 Mbits/sec
[ 5] 0.0-10.0 sec 257 MBytes 215 Mbits/sec
Single stream lan to wan
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 579 MBytes 485 Mbits/sec
Dividing the 200mbit throughput by the 1500byte frame size gives roughly 140k pps in a bidirectional setup.
Considering my issue was the lackluster IPsec throughput on the Alix 2C3, even with glxsb loaded (roughly 10mbit), I hoped for a good performance leap.
For this I connected the FW7535 to the external 100mbit switch (HP Procurve 2650) where the production external CARP cluster lives. I added an IPsec tunnel between the FW7535 (2.0 BETA4) and this system (1.2.3 RELEASE). I proceeded to test the single stream and bidirectional throughput for the various ciphers that are provided by racoon.
IPsec:
First up is a tunnel with AES 128bit
duplex stream
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-10.2 sec 33.7 MBytes 27.6 Mbits/sec
[ 4] 0.0-10.2 sec 32.0 MBytes 26.2 Mbits/sec
single stream
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 65.8 MBytes 55.1 Mbits/sec
And of course AES 256 bit
duplex stream
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.0 sec 29.9 MBytes 25.1 Mbits/sec
[ 5] 0.0-10.3 sec 29.6 MBytes 24.1 Mbits/sec
single stream
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 59.6 MBytes 50.0 Mbits/sec
That is a rather small difference between the 128 bit and 256 bit ciphers. I omitted the results for AES 192 bit as these were smack in the middle.
I then tested blowfish; I left the bits on the 2.0 system set to "auto". This produced a rather awkward result in the bidirectional test.
duplex stream
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-10.0 sec 29.2 MBytes 24.4 Mbits/sec
[ 4] 0.0-10.2 sec 41.2 MBytes 33.8 Mbits/sec
single stream
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 72.8 MBytes 60.9 Mbits/sec
I then set blowfish to 128 bit on the 2.0 system. This produced a bit more predictable result.
duplex stream
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-10.0 sec 34.7 MBytes 29.1 Mbits/sec
[ 4] 0.0-10.2 sec 36.5 MBytes 29.9 Mbits/sec
single stream
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 73.6 MBytes 61.7 Mbits/sec
And of course no IPsec tunnel can be forgotten without the almost standard 3DES encryption. And it is, as almost always, the slowest of them.
duplex stream
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.1 sec 21.3 MBytes 17.7 Mbits/sec
[ 5] 0.0-10.4 sec 26.4 MBytes 21.4 Mbits/sec
single stream
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 48.2 MBytes 40.5 Mbits/sec
I tested the legacy single DES encryption as well; it's faster, but it's not recommended since good alternatives like blowfish exist.
duplex stream des
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.1 sec 33.9 MBytes 28.0 Mbits/sec
[ 5] 0.0-10.3 sec 33.5 MBytes 27.3 Mbits/sec
single stream
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 68.1 MBytes 57.1 Mbits/sec
The uncommon CAST128 is similar in performance to single DES and still slower than blowfish.
duplex stream cast128
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-10.1 sec 34.7 MBytes 28.8 Mbits/sec
[ 4] 0.0-10.2 sec 34.1 MBytes 27.9 Mbits/sec
single stream
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 69.4 MBytes 58.1 Mbits/sec
Good performance numbers across the board at least. It doesn't compare to the throughput of a Core 2 Duo system though. But it is at least on par with a P3 1GHz, say, a Dell Optiplex GX150.
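As an added example (not from the post above or from the pfSense project), here is a small Python script that parses iperf summary lines of the kind pasted in the post, totals the two concurrent streams of each duplex run, converts a throughput into the packet rate it implies for full-size 1500-byte frames (bits per second divided by the frame size in bits), and ranks the ciphers against the plain NAT run. The throughput figures are the ones quoted in the post, embedded inline; the run names, function names and the regular expression are my own assumptions about the iperf v2 output format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One iperf (v2) per-stream summary line, e.g.
#   [ 4] 0.0-10.0 sec 252 MBytes 211 Mbits/sec
IPERF_LINE = re.compile(
    r"\[\s*(?P<id>\d+)\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<transfer>[\d.]+)\s+MBytes\s+(?P<bandwidth>[\d.]+)\s+Mbits/sec"
)


@dataclass
class StreamResult:
    stream_id: int
    seconds: float
    mbytes: float
    mbits_per_sec: float


def parse_iperf(text: str) -> List[StreamResult]:
    """Pull every per-stream summary line out of pasted iperf output; header lines are skipped."""
    results = []
    for line in text.splitlines():
        m = IPERF_LINE.search(line)
        if m is None:
            continue
        results.append(StreamResult(
            stream_id=int(m["id"]),
            seconds=float(m["end"]) - float(m["start"]),
            mbytes=float(m["transfer"]),
            mbits_per_sec=float(m["bandwidth"]),
        ))
    return results


def aggregate_mbits(results: List[StreamResult]) -> float:
    """Total throughput of a run: with two concurrent streams this is the duplex figure."""
    return round(sum(r.mbits_per_sec for r in results), 1)


def packets_per_second(mbits_per_sec: float, frame_bytes: int = 1500) -> float:
    """Packet rate implied by a throughput if every frame is full size.
    Mbit/s is converted to bit/s, and a frame of frame_bytes carries frame_bytes * 8 bits."""
    return mbits_per_sec * 1_000_000 / (frame_bytes * 8)


# The iperf summaries quoted in the post, embedded inline and keyed by run name
# ("nat" is the plain port-forward run without IPsec, used as the baseline).
RUNS: Dict[str, Dict[str, str]] = {
    "nat": {
        "duplex": "[ 4] 0.0-10.0 sec 252 MBytes 211 Mbits/sec\n[ 5] 0.0-10.0 sec 257 MBytes 215 Mbits/sec",
        "single": "[ 3] 0.0-10.0 sec 579 MBytes 485 Mbits/sec",
    },
    "aes128": {
        "duplex": "[ 5] 0.0-10.2 sec 33.7 MBytes 27.6 Mbits/sec\n[ 4] 0.0-10.2 sec 32.0 MBytes 26.2 Mbits/sec",
        "single": "[ 3] 0.0-10.0 sec 65.8 MBytes 55.1 Mbits/sec",
    },
    "aes256": {
        "duplex": "[ 4] 0.0-10.0 sec 29.9 MBytes 25.1 Mbits/sec\n[ 5] 0.0-10.3 sec 29.6 MBytes 24.1 Mbits/sec",
        "single": "[ 3] 0.0-10.0 sec 59.6 MBytes 50.0 Mbits/sec",
    },
    "blowfish_auto": {
        "duplex": "[ 5] 0.0-10.0 sec 29.2 MBytes 24.4 Mbits/sec\n[ 4] 0.0-10.2 sec 41.2 MBytes 33.8 Mbits/sec",
        "single": "[ 3] 0.0-10.0 sec 72.8 MBytes 60.9 Mbits/sec",
    },
    "blowfish128": {
        "duplex": "[ 5] 0.0-10.0 sec 34.7 MBytes 29.1 Mbits/sec\n[ 4] 0.0-10.2 sec 36.5 MBytes 29.9 Mbits/sec",
        "single": "[ 3] 0.0-10.0 sec 73.6 MBytes 61.7 Mbits/sec",
    },
    "3des": {
        "duplex": "[ 4] 0.0-10.1 sec 21.3 MBytes 17.7 Mbits/sec\n[ 5] 0.0-10.4 sec 26.4 MBytes 21.4 Mbits/sec",
        "single": "[ 3] 0.0-10.0 sec 48.2 MBytes 40.5 Mbits/sec",
    },
    "des": {
        "duplex": "[ 4] 0.0-10.1 sec 33.9 MBytes 28.0 Mbits/sec\n[ 5] 0.0-10.3 sec 33.5 MBytes 27.3 Mbits/sec",
        "single": "[ 3] 0.0-10.0 sec 68.1 MBytes 57.1 Mbits/sec",
    },
    "cast128": {
        "duplex": "[ 5] 0.0-10.1 sec 34.7 MBytes 28.8 Mbits/sec\n[ 4] 0.0-10.2 sec 34.1 MBytes 27.9 Mbits/sec",
        "single": "[ 3] 0.0-10.0 sec 69.4 MBytes 58.1 Mbits/sec",
    },
}


def summarize(runs: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, float]]:
    """Aggregate duplex and single-stream Mbit/s per run, sorted by duplex throughput, fastest first."""
    table = {
        name: {
            "duplex_mbits": aggregate_mbits(parse_iperf(texts["duplex"])),
            "single_mbits": aggregate_mbits(parse_iperf(texts["single"])),
        }
        for name, texts in runs.items()
    }
    return dict(sorted(table.items(), key=lambda kv: kv[1]["duplex_mbits"], reverse=True))


def relative_to(table: Dict[str, Dict[str, float]], baseline: str) -> Dict[str, float]:
    """Each run's duplex throughput as a fraction of the baseline run's."""
    base = table[baseline]["duplex_mbits"]
    return {name: round(row["duplex_mbits"] / base, 3) for name, row in table.items()}


if __name__ == "__main__":
    table = summarize(RUNS)
    cost = relative_to(table, "nat")
    for name, row in table.items():
        print(f"{name:14s} duplex {row['duplex_mbits']:6.1f} Mbit/s "
              f"({packets_per_second(row['duplex_mbits']):8.0f} pps at 1500B) "
              f"single {row['single_mbits']:6.1f} Mbit/s  {cost[name]:.0%} of NAT")
```

The duplex totals make the cipher ordering visible at a glance (blowfish at 128 bit ahead of CAST128, DES and the AES variants, with 3DES last), and the baseline row shows how much of the box's plain-NAT capacity a software IPsec tunnel on this CPU actually leaves available.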
-
Thank you for that.
For comparison against similar pfSense boxes near the same speed category, look at this:
http://www.hacom.net/kb/ipsec-performance-pfsense-firewall-appliance