Netgate Discussion Forum

    Low power gigabit NAT

    16 Posts 5 Posters 10.1k Views
    • jimp Rebel Alliance Developer Netgate

      Well even if a system can push 2GB that's really only 1GB "through" the box (1GB in one way, 1GB out the other). Would vary widely by OS and packet filter.

      With pf disabled you can probably get quite a bit higher throughput, but that isn't a realistic scenario for most people.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • stephenw10 Netgate Administrator

        I had a similar experience with my firebox when I found the gigabit interfaces didn't meet my expectations. Doing some research showed many other people who similarly found FreeBSD underperformed compared to Linux-based counterparts. However, in my case I put it down to the rather buggy msk(4) interfaces.
        This thread seems to report a similar discrepancy with Intel NICs:
        http://forum.pfsense.org/index.php/topic,47907.0.html
        It makes me wonder if the two firewalls are actually doing the same job.

        It's not an issue for me but I can see how it might be a big one for others.

        Steve

        • cmb

          @ptr727:

          I sure hope it's not just 600Mbps, that I can get with a much cheaper consumer wireless router.

          Not even remotely close to true, no consumer grade router can push 600 Mbps. That's commercial firewall territory at several thousand USD minimum. If you're talking about the built in switch in some consumer routers, that's a switch, not a multi-port firewall. A world of difference there.

          • ptr727

            I was referring to NAT speeds, e.g.:
            http://www.smallnetbuilder.com/lanwan/router-charts/view

            • stephenw10 Netgate Administrator

              I remember being pretty blown away by those numbers last time I read them.
              I'd be interested to know how those numbers were tested and what those routers are actually doing.
              Specs for high end soho routers have certainly stepped up a lot recently. The ASUS black diamond is 500MHz with 128MB. Hard to see how it could NAT 860Mbps. Specialist hardware?

              I see they list the test procedure: http://www.smallnetbuilder.com/lanwan/lanwan-howto/31103-how-we-test-hardware-routers-revision-3

              Steve

              • ptr727

                These devices typically are SoC based with network accelerators and multi-core processors.
                For traffic like NAT, it can all be done in the hardware network accelerator.
                E.g. http://www.broadcom.com/press/release.php?id=s637241

                • stephenw10 Netgate Administrator

                  Indeed.
                  However, consider the Watchguard XTM 2. This is a device with similar SoC type hardware. 666MHz CPU and 256MHz ram, yet running its tweaked Linux it claims only 200Mbps throughput.
                  Makes me have to consider that the consumer OS is not doing as much. Or it could be that hardware is a few years old. :-\

                  Steve

                  Edit: Those are in fact over 2 years old now.

                  • cmb

                    Those numbers are hard to believe, they basically equate a $120 USD Linksys to a minimum $2500 Cisco ASA (on the brand new -X platform) in forwarding performance. Maybe for single stream. The tests are really lame as far as actually stressing real NAT performance though. Though home grade routers may have advanced to the point they can handle that kind of single stream performance, we play in an entirely different world that's along the lines of the Cisco ASA as far as functionality, not anything the Linksys level can touch.

                    • jimp Rebel Alliance Developer Netgate

                      Note that in their description of testing they say they disable stateful filtering, and only perform NAT, and bypass it somehow if it can't be disabled in the unit.

                      That is really not a valid real-world performance metric you can compare against a system that's actually filtering traffic.

                      • stephenw10 Netgate Administrator

                        Yes, though they also say it didn't make much difference to performance. Makes me wonder just what it does then!

                        They do have some great pfSense write ups on smallnetbuilder:
                        http://www.smallnetbuilder.com/labels/pfSense

                        Including a performance test with a D525 system:
                        http://www.smallnetbuilder.com/security/security-howto/31476-build-your-own-utm-with-pfsense-part-4?showall=&start=1

                        Not directly comparable though as they are running iperf on pfSense and also running Snort. And it's 1.2.3. Really good read though. :)

                        Steve

                        • Zeon

                          I'd suggest a low power Supermicro chassis with a X9SCM motherboard coupled with a low power i3 or Xeon. Passive cooling will work apart from the PSU fan. Should be pretty quiet and HEAPS more powerful.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.