Netgate Discussion Forum
    Pfsense maximum throughput

      stephenw10 Netgate Administrator

      Yes, it really depends on what traffic you put through it with those packages. Your VPN encryption speed is probably going to be the bottleneck there though so you could test with iperf.
      However you test it though you should have the two machines generating and receiving the traffic separate to the firewall. Running iperf on the pfSense box is not a fair test.

      Steve

      Edit: typos

        Guest

        Is BitTorrent a fair test? I couldn't find a standard approach in a Google search.
        All commercial products have throughput comparison tables for their packages on different hardware.
        Do they have some code in their packages to measure performance?
        How can I do the same work on pfSense?

          stephenw10 Netgate Administrator

          Commercial firewall producers usually want to put the biggest numbers they can in the spec sheet. The numbers you see are often the result of a tuned test with abnormally large packets and are almost always the summed throughput of many interfaces. So you often see products rated at firewall throughput of several Gbps when they are using 1Gbps NICs.

          iperf can give you big numbers if that's what you're after. Torrent traffic is a much tougher test, some would argue better test, because it's usually many many small packets from many sources.

          Steve

            Guest

            Thank you very much, Stephen :)

              podilarius

              I was referring to running iperf on a machine behind the firewall to a publicly available one. I test with BitTorrent also.

                Harvy66

                @stephenw10:

                Commercial firewall producers usually want to put the biggest numbers they can in the spec sheet. The numbers you see are often the result of a tuned test with abnormally large packets and are almost always the summed throughput of many interfaces. So you often see products rated at firewall throughput of several Gbps when they are using 1Gbps NICs.

                iperf can give you big numbers if that's what you're after. Torrent traffic is a much tougher test, some would argue better test, because it's usually many many small packets from many sources.

                Steve

                Iperf does let you set the MTU of the connection. I was running some iperf tests the other night and with my default MTU, doing a single test showed my 1min average packets/sec around 7k and when I set the MTU parameter to 128, I was getting about 15k packets/second average. Now the tests only lasted a few seconds, but I made sure to run them within the minute. The tests only lasted about 10 seconds, so if I multiply 15k by 6, that's 90k packets/sec. Even with such small packets, the traffic graph was showing about 940 Mbits/sec.

                The MTU must not have been fully respected or Windows was grouping packets together, because I was using -N to disable Nagle, but an MTU of 128 is about 1/9th the size of 1500, so I should have seen a mix of 9x the packets or less throughput. I should have wiresharked it to see the real packet sizes, but my firewall is magnitudes faster than my connection already.

                You could try something like -P 100 to make iperf use 100 TCP connections, possibly higher assuming it supports that many.

                  podilarius

                  You can use -t to run the test longer.

                    stephenw10 Netgate Administrator

                    @Harvy66:

                    I was getting about 15k packets/second average. Now the tests only lasted a few seconds, but I made sure to run them within the minute. The tests only lasted about 10 seconds, so if I multiply 15k by 6, that's 90k packets/sec.

                    This doesn't make sense.
                    Your test period was only ~10s so the average may not be that good, you would see less jitter across multiple tests with a longer period, but that doesn't mean the figure is not valid. 15K pps for 10 seconds would give you 150K packets total or for 1 minute 900K packets total but the rate is still 15Kpps. Multiplying by 6 is a meaningless calculation.  ;)

                    Steve

                      Harvy66

                      @stephenw10:

                      @Harvy66:

                      I was getting about 15k packets/second average. Now the tests only lasted a few seconds, but I made sure to run them within the minute. The tests only lasted about 10 seconds, so if I multiply 15k by 6, that's 90k packets/sec.

                      This doesn't make sense.
                      Your test period was only ~10s so the average may not be that good, you would see less jitter across multiple tests with a longer period, but that doesn't mean the figure is not valid. 15K pps for 10 seconds would give you 150K packets total or for 1 minute 900K packets total but the rate is still 15Kpps. Multiplying by 6 is a meaningless calculation.  ;)

                      Steve

                      I'm not saying it's fully representative of a full 1min run, but if a 60 second average is 15k when I was only running for 10 seconds, then simple math says that I had to have been averaging 90kpps for 10 seconds in order to reach 15kpps average. The other 50 seconds was ~0 pps.  x*10/60=15,000  solve for x

                      OK, so I decided just to use "-t 120" and see what my new max is
                      iperf -c 192.168.1.1 -f m -p 5001 -w 2M -M 128 -N -P 8 -t 120 -m -l 16KB

                      [ ID] Interval      Transfer    Bandwidth
                      [ 10]  0.0-120.0 sec  1683 MBytes  118 Mbits/sec
                      [ 10] MSS size 1 bytes (MTU 41 bytes, unknown interface)
                      [  9]  0.0-120.0 sec  1682 MBytes  118 Mbits/sec
                      [  9] MSS size 1 bytes (MTU 41 bytes, unknown interface)
                      [  6]  0.0-120.0 sec  1682 MBytes  118 Mbits/sec
                      [  6] MSS size 1 bytes (MTU 41 bytes, unknown interface)
                      [  8]  0.0-120.0 sec  1682 MBytes  118 Mbits/sec
                      [  8] MSS size 1 bytes (MTU 41 bytes, unknown interface)
                      [  5]  0.0-120.0 sec  1681 MBytes  118 Mbits/sec
                      [  5] MSS size 1 bytes (MTU 41 bytes, unknown interface)
                      [  4]  0.0-120.0 sec  1681 MBytes  118 Mbits/sec
                      [  4] MSS size 1 bytes (MTU 41 bytes, unknown interface)
                      [  7]  0.0-120.0 sec  1682 MBytes  118 Mbits/sec
                      [  7] MSS size 1 bytes (MTU 41 bytes, unknown interface)
                      [  3]  0.0-120.0 sec  1682 MBytes  118 Mbits/sec
                      [  3] MSS size 1 bytes (MTU 41 bytes, unknown interface)
                      [SUM]  0.0-120.0 sec  13456 MBytes  940 Mbits/sec

                      LAN in-pass 1min avg was 80.11kpps. Not 90k, but I was doing rounding on rounding. Pretty close. So, yeah, drop down the MTU to make the test more stressful.

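A cross-check of the figures in the post above, as an added example that is not part of the original thread: it derives the average TCP payload per packet from the iperf [SUM] line and the RRD packet rate, to see whether the "-M 128" segment size actually reached the wire, and includes the x*10/60 = 15,000 rescaling as burst_rate. All function names and the 1.5x tolerance are assumptions of this example.

```python
import re

# Figures copied from the post above; all names below are assumptions of this example.
IPERF_SUM = "[SUM]  0.0-120.0 sec  13456 MBytes  940 Mbits/sec"
OBSERVED_PPS = 80_110   # "LAN in-pass 1min avg was 80.11kpps"
REQUESTED_MSS = 128     # from "-M 128" on the iperf command line

SUM_RE = re.compile(
    r"\[SUM\]\s+([\d.]+)-\s*([\d.]+) sec\s+([\d.]+) MBytes\s+([\d.]+) Mbits/sec")

def parse_sum(line):
    """Return (duration_s, mbytes, mbits_per_s) from an iperf 2 [SUM] line."""
    m = SUM_RE.search(line)
    if m is None:
        raise ValueError("not an iperf [SUM] line in MBytes / Mbits/sec units")
    start, end, mbytes, mbits = (float(g) for g in m.groups())
    return end - start, mbytes, mbits

def payload_rate(duration_s, mbytes):
    """TCP payload in bytes/s. MBytes is taken as 2**20 bytes: that reading
    reproduces the 940 Mbits/sec on the same line, 10**6 would give ~897."""
    return mbytes * 2**20 / duration_s

def implied_payload(bytes_per_s, pps):
    """Average payload bytes carried per packet at the observed packet rate."""
    return bytes_per_s / pps

def expected_pps(bytes_per_s, mss):
    """Packet rate needed to move the same payload in mss-sized segments."""
    return bytes_per_s / mss

def burst_rate(avg_pps, window_s, active_s):
    """Rate during the active part of an averaging window that was otherwise idle."""
    return avg_pps * window_s / active_s

def mss_honoured(implied, requested, slack=1.5):
    """True if packets on the wire were close to the requested segment size."""
    return implied <= requested * slack

def report():
    duration, mbytes, _ = parse_sum(IPERF_SUM)
    rate = payload_rate(duration, mbytes)
    implied = implied_payload(rate, OBSERVED_PPS)
    return {
        "payload_mbit_s": round(rate * 8 / 1e6, 1),
        "implied_payload_bytes": round(implied),
        "pps_needed_at_requested_mss": round(expected_pps(rate, REQUESTED_MSS)),
        "mss_honoured": mss_honoured(implied, REQUESTED_MSS),
    }

if __name__ == "__main__":
    print(report())
```

With the thread's figures the implied payload is about 1,468 bytes per packet, which is what full-size frames on a 1500-byte MTU carry; moving the same payload in 128-byte segments would take roughly 918k packets per second. A packet capture on the sending host is the direct way to confirm the real segment sizes.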
                        stephenw10 Netgate Administrator

                        Hmm, so you're saying the test ran for a minute but was only sending traffic for the first 10 seconds?  :-
                        That's not normally how iperf functions. Running the test longer simply gives you more data to average across so you are less likely to see glitches. However I see you have a long command line string so maybe you're using something I don't. In fact I see it's reporting a '1 minute average' so that makes sense. Seems odd that it would do that when the test is less than 1min though.

                        Steve

                          Harvy66

                          @stephenw10:

                          Hmm, so you're saying the test ran for a minute but was only sending traffic for the first 10 seconds?  :-
                          That's not normally how iperf functions. Running the test longer simply gives you more data to average across so you are less likely to see glitches. However I see you have a long command line string so maybe you're using something I don't. In fact I see it's reporting a '1 minute average' so that makes sense. Seems odd that it would do that when the test is less than 1min though.

                          Steve

                          Sorry, I was using the PPS RRD graph, which shows in 1min averages. I have not noticed a PPS real-time graph in pfSense, so the average is the best I had.

                          As for why I did a short test, I didn't notice the "-t" flag that someone so graciously pointed out :

                            stephenw10 Netgate Administrator

                            @Harvy66:

                            Sorry, I was using the PPS RRD graph

                            Ah, that explains my confusion.  ;)
                            Anyway, 940Mbps, looks like you've got some strong numbers there.

                            Steve

                              Guest

                              iperf measures overall performance. I want to find a solution to measure throughput for a specific package in pfSense, like dansguardian, firewalling, snort, … .

                                podilarius

                                snort and other programs are usually based on state openings. To me the best way to test is with a BitTorrent of your favorite Linux distro, or several all at the same time.

                                  Guest

                                  Dear podilarius,
                                  I need to create torrent files with a default tracker URI and seed them from the server side. Then I should open the torrent files on the client side. The average of "Down Speed" is my throughput.
                                  Am I right?

                                    podilarius

                                    If they are running concurrently, add the averages. Otherwise yes, just average out the connections. This really will test snort. To test dansguardian, you would need to have an HTML spider going out and hitting lots of different sites. Again, average or add the averages.

                                      Guest

                                      Thanks a lot,
                                      What about firewalling? Is BitTorrent a good choice with a pass rule?
                                      I want to measure maximum users (concurrent sessions) and new sessions per second too.
                                      Do you know a tool for this purpose?

                                        podilarius

                                        Try Google. Look for a firewall test program or suite. There might be a free one. Please let us know what you found, used, and the results. I don't have a strong enough connection to test the limits of my hardware.

                                          stephenw10 Netgate Administrator

                                          Concurrent sessions is where pfSense really stands out as a firewall device. Just add more RAM if you need more. Have a look at this thread to see what can be achieved. I have no idea what you might test it with though.
                                          https://forum.pfsense.org/index.php?topic=72810.0

                                          Steve

                                            Guest

                                            There isn't any free network firewall test program that can measure firewall throughput and max. concurrent sessions. Commercial products are Spirent Avalanche and BreakingPoint FireStorm.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.