    Performance with- and without pfsense

      doktornotor Banned

      Have you tried on a sane box without any packages?

        ivor

        After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install. Do a clean install without any config, preferably on a different machine, and test speeds.

        Need help fast? Our support is available 24/7 https://www.netgate.com/support/

          Mr. Jingles

          @doktornotor:

          Have you tried on a sane box without any packages?

          No, I don't have a sane box: only pfsense ( ;D ;D ;D ;D ;D ).

          6 and a half billion people know that they are stupid, aggressive, lower life forms.

            doktornotor Banned

            @ivor:

            After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install.

            Well… afraid changing HW will not help if it ends up again like this:

            :o :o :o

              firewalluser

              @Mr.:

              1. Via pfsense, to speedtest.telenet.be: 140 down.
              2. PC directly plugged into modem: 199 down (30 secs later from 1).

              You're comparing apples and oranges.

              Pfsense manages the states, your modem is essentially stateless and thus no processing or other required overhead to ensure people don't backbone into your system is taking place.

              Try another stateful fw and see how it compares to pfsense, or give pfsense some faster processing capabilities and see how it compares.

              https://en.wikipedia.org/wiki/Stateful_firewall

              Also try a basic setup as Dok suggested as well in case you may have misconfigured anything.

              In pfsense, do backups of the config changes, there's also a facility which maintains the last 10 changes so you can download it as an XML file and compare in an XML editor if that's a way of working you prefer when comparing changes quickly and easily.

              fwiw.

              Edit. It's also worth pointing out, hard disks are the slowest part of the system so any top end Intel Xeon can be made to drag its arse so to speak with a super slow spin disk like a laptop spin disk, likewise a simple celeron with a SSD HD can match the mighty Xeon in some performance tests, as it depends on what instructions are used in the chip amongst other things. The instructions not in a chip have to be emulated in the OS hence a performance hit, so identifying the right HW is also useful if thinking about getting some other equipment involved.

              Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

              Asch Conformity, mainly the blind leading the blind.

                Mr. Jingles

                @ivor:

                After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install. Do a clean install without any config, preferably on a different machine, and test speeds.

                Thanks, Igor  ;D

                I will not do that. Because: ever since 2.0 none of the upgrades worked. As such, every upgrade required me to do a fresh install and customize all my packages, and my firewall rules, and aliases, by hand. That takes you 2 days. Admins replied in the past "config restore works, must be something on your side". May be what it is, but I've wasted far too much time on the 'set it and forget it' firewall.

                My Zyxel bloatware didn't have all the features pfsense seems to have, but then again, it also didn't suck so much time (our most precious asset in life, together with health, says dr. economics…) out of me.

                  ivor

                  @doktornotor:

                  Well… afraid changing HW will not help if it ends up again like this:

                  :o :o :o

                  That goes without saying : ) On the other hand, I've seen some pretty "heavy" pfSense configs, and as long as everything was configured correctly… it worked without issues.

                    ivor

                    @Mr.:

                    @ivor:

                    After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install. Do a clean install without any config, preferably on a different machine, and test speeds.

                    Thanks, Igor  ;D

                    I will not do that. Because: ever since 2.0 none of the upgrades worked. As such, every upgrade required me to do a fresh install and customize all my packages, and my firewall rules, and aliases, by hand. That takes you 2 days. Admins replied in the past "config restore works, must be something on your side". May be what it is, but I've wasted far too much time on the 'set it and forget it' firewall.

                    My Zyxel bloatware didn't have all the features pfsense seems to have, but then again, it also didn't suck so much time (our most precious asset in life, together with health, says dr. economics…) out of me.

                    Then I will just link my reply to you from here https://forum.pfsense.org/index.php?topic=96795.msg540411#msg540411

                      Mr. Jingles

                      @doktornotor:

                      @ivor:

                      After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install.

                      Well… afraid changing HW will not help if it ends up again like this:

                      :o :o :o

                      You're trolling me, Dok (you may do so by now, as I've discovered you're not the bad wulf  ;D ). That pic is old: squid and squidguard are gone.

                      I previously also posted top, but will do it again:

                      
                      last pid: 76817;  load averages:  0.15,  0.20,  0.21                                                                                                                                                                 up 0+04:35:42  19:13:08
                      63 processes:  1 running, 58 sleeping, 4 zombie
                      CPU:  0.6% user,  0.0% nice,  0.6% system,  0.8% interrupt, 98.0% idle
                      Mem: 360M Active, 2175M Inact, 1205M Wired, 528K Cache, 2009M Buf, 12G Free
                      Swap: 32G Total, 32G Free
                      
                        PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
                      14853 root          8  20    0  1984M  1881M uwait   1   6:11   0.88% suricata
                      22287 root         15  20    0   219M 92964K nanslp  0   1:22   0.68% ntopng
                      14138 root        150  20    0   193M 21948K uwait   0   0:25   0.00% filterdns
                      23911 root          1  20    0 14656K  2436K select  1   0:20   0.00% syslogd
                      96188 nobody        1  20    0 19060K  3516K select  0   0:11   0.00% darkstat
                      63665 root          1  20    0 21720K  5852K select  1   0:07   0.00% openvpn
                      30669 root          1  20    0 12456K  2180K select  0   0:06   0.00% apinger
                      71884 unbound       2  20    0 88488K 32700K kqread  0   0:05   0.00% unbound
                      17917 root          3  52    0 24572K  4716K uwait   0   0:03   0.00% redis-server
                      49979 dhcpd         1  20    0 24812K 13732K select  1   0:02   0.00% dhcpd
                      39033 root          1  20    0 50788K 10960K kqread  0   0:02   0.00% lighttpd
                      66015 root          1  20    0 21720K  5832K select  0   0:02   0.00% openvpn
                      65501 root          2  20    0   783M   386M nanslp  0   0:01   0.00% snort
                      99052 root          1  20    0 14540K  2080K select  0   0:01   0.00% powerd
                      79354 root          1  52   20 17136K  2708K wait    0   0:01   0.00% sh
                        249 root          1  20    0   224M 23864K kqread  1   0:01   0.00% php-fpm
                      27472 root          1  20    0 16804K  2340K bpf     1   0:01   0.00% filterlog
                      89390 root          1  20    0 55720K  7336K bpf     0   0:00   0.00% bandwidthd
                      91338 root          1  20    0 55720K  7252K bpf     0   0:00   0.00% bandwidthd
                      90609 root          1  20    0 55720K  7236K bpf     0   0:00   0.00% bandwidthd
                      89470 root          1  20    0 55720K  7312K bpf     0   0:00   0.00% bandwidthd
                      90317 root          1  20    0 55720K  7276K bpf     0   0:00   0.00% bandwidthd
                      91063 root          1  20    0 55720K  7248K bpf     0   0:00   0.00% bandwidthd
                      90849 root          1  20    0 55720K  7292K bpf     0   0:00   0.00% bandwidthd
                      89712 root          1  20    0 55720K  7288K bpf     0   0:00   0.00% bandwidthd
                      26816 root          1  20    0 28164K 18052K select  1   0:00   0.00% ntpd
                      14226 root          1  52    0 16664K  2524K nanslp  1   0:00   0.00% cron
                       6133 root          1  20    0 43604K  6296K select  0   0:00   0.00% mpd5
                      30999 root          1  20    0 28344K  3004K piperd  1   0:00   0.00% rrdtool
                      99043 uucp          1  20    0 18832K  2580K nanslp  1   0:00   0.00% upsmon
                      40664 root          1  20    0 55624K  6216K select  1   0:00   0.00% sshd
                      40320 root          6  20    0   737M 16308K usem    0   0:00   0.00% radiusd
                        264 root          1  40   20 19024K  2580K kqread  1   0:00   0.00% check_reload_status
                      24280 root          1  20    0   224M 37024K accept  0   0:00   0.00% php-fpm
                      28002 root          1  20    0 18780K  2344K select  0   0:00   0.00% inetd
                        277 root          1  20    0 13164K  4464K select  1   0:00   0.00% devd
                      41275 root          1  24    0 17136K  2756K wait    0   0:00   0.00% sh
                      40969 root          2  20    0 14748K  2312K nanslp  1   0:00   0.00% sshlockout_pf
                      54468 root          1  40    0 12404K  2008K nanslp  1   0:00   0.00% minicron
                      43186 root          1  35    0 17476K  3856K pause   1   0:00   0.00% tcsh
                      41378 root          1  52    0 17136K  2664K wait    1   0:00   0.00% sh
                      76817 root          1  20    0 21988K  3152K CPU0    0   0:00   0.00% top
                       7016 root          1  20    0 32420K  5228K select  0   0:00   0.00% sshd
                      72822 root          1  20    0 12408K  2224K kqread  0   0:00   0.00% dhcpleases
                      42562 root          1  20    0 43568K  2800K wait    0   0:00   0.00% login
                      58733 root          2  20    0 14748K  2312K nanslp  0   0:00   0.00% sshlockout_pf
                       7202 root          2  20    0 14748K  2220K nanslp  0   0:00   0.00% sshlockout_pf
                      42883 root          1  21    0 17136K  2776K wait    1   0:00   0.00% sh
                      42916 root          1  52    0 17136K  2660K ttyin   0   0:00   0.00% sh
                      18833 nagios        1  52    0 23180K  4956K select  1   0:00   0.00% nrpe2
                      98998 root          1  52    0 18832K  2552K piperd  0   0:00   0.00% upsmon
                      54781 root          1  20    0 12404K  2008K nanslp  0   0:00   0.00% minicron
                      96433 nobody        1  52    0 19060K  2396K sbwait  0   0:00   0.00% darkstat
                      71115 root          1  52   20  8304K  1952K nanslp  1   0:00   0.00% sleep
                      54289 root          1  20    0 12404K  1996K wait    1   0:00   0.00% minicron
                      54475 root          1  21    0 12404K  1996K wait    1   0:00   0.00% minicron
                      55145 root          1  21    0 12404K  1996K wait    1   0:00   0.00% minicron
                        266 root          1  52   20 19024K  2404K kqread  1   0:00   0.00% check_reload_status
                      55546 root          1  20    0 12404K  2008K nanslp  1   0:00   0.00% minicron
                      
                      

                      I'm not saying my hardware could not be the cause, but from looking into these numbers I don't get that impression.

                        firewalluser

                        @Mr.:

                        @ivor:

                        After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install. Do a clean install without any config, preferably on a different machine, and test speeds.

                        Thanks, Igor  ;D

                        I will not do that. Because: ever since 2.0 none of the upgrades worked.

                        Just the other day I installed a 2.2.2 backup onto 2.2.0 and got the warning message on the console pointing out some things may not work as the backup is from a later version of pfsense. It still worked complete with rules & snort no problem, and the Firmware upgrade to bring it up to 2.2.2 worked fine.

                        As such, every upgrade required me to do a fresh install and customize all my packages, and my firewall rules, and aliases, by hand. That takes you 2 days.

                        10 mins max in my experience and that's even when re-editing the XML backups to change IP addresses and names.

                        Admins replied in the past "config restore works, must be something on your side". May be what it is, but I've wasted far too much time on the 'set it and forget it' firewall.

                        Check out the backup and restore, others have and will draw their own conclusions about whether it works or not.

                        For me it works even when using a backup from a later version of pfsense in an earlier installation of pfsense as mentioned above. Not many other systems have that backward compatibility even with mainstream server backup facilities.

                        My Zyxel bloatware didn't have all the features pfsense seems to have, but then again, it also didn't suck so much time (our most precious asset in life, together with health, says dr. economics…) out of me.

                        In a true DMZ using 2 firewalls, https://en.wikipedia.org/wiki/DMZ_%28computing%29#Dual_firewall

                        Keep your Zyxel doing what you are happy with it doing and make the pfsense fill the gaps. How about that for a solution?

                          doktornotor Banned

                          Well seriously, if you want to test performance/throughput… You realize, that each packet on that box is copied at least 5 times? (snort, suricata, ntopng, bandwidthd, darkstat...)

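The point about every packet being copied to several packages can be checked against the process table. The following is an added example, not part of any poster's message and not Netgate code: it parses FreeBSD top(1) rows (an excerpt copied from the listing posted earlier in the thread), counts the packet-inspecting daemons named above, and lists any other process blocked on a bpf(4) read. The function and variable names are illustrative.

```python
import re
from collections import defaultdict

# Packages the thread names as each taking their own copy of the traffic.
CAPTURE_DAEMONS = {"snort", "suricata", "ntopng", "bandwidthd", "darkstat"}

# Rows copied from the top(1) listing posted earlier in the thread
# (an excerpt, not the full table).
SAMPLE_TOP = """\
  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
14853 root          8  20    0  1984M  1881M uwait   1   6:11   0.88% suricata
22287 root         15  20    0   219M 92964K nanslp  0   1:22   0.68% ntopng
96188 nobody        1  20    0 19060K  3516K select  0   0:11   0.00% darkstat
63665 root          1  20    0 21720K  5852K select  1   0:07   0.00% openvpn
71884 unbound       2  20    0 88488K 32700K kqread  0   0:05   0.00% unbound
65501 root          2  20    0   783M   386M nanslp  0   0:01   0.00% snort
27472 root          1  20    0 16804K  2340K bpf     1   0:01   0.00% filterlog
89390 root          1  20    0 55720K  7336K bpf     0   0:00   0.00% bandwidthd
91338 root          1  20    0 55720K  7252K bpf     0   0:00   0.00% bandwidthd
90609 root          1  20    0 55720K  7236K bpf     0   0:00   0.00% bandwidthd
89470 root          1  20    0 55720K  7312K bpf     0   0:00   0.00% bandwidthd
90317 root          1  20    0 55720K  7276K bpf     0   0:00   0.00% bandwidthd
91063 root          1  20    0 55720K  7248K bpf     0   0:00   0.00% bandwidthd
90849 root          1  20    0 55720K  7292K bpf     0   0:00   0.00% bandwidthd
89712 root          1  20    0 55720K  7288K bpf     0   0:00   0.00% bandwidthd
96433 nobody        1  52    0 19060K  2396K sbwait  0   0:00   0.00% darkstat
"""

UNIT = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
SIZE_RE = re.compile(r"(\d+)([KMG])")


def to_bytes(field):
    """Convert a top size field such as '92964K' or '1881M' to bytes."""
    m = SIZE_RE.fullmatch(field)
    if m is None:
        raise ValueError(f"unrecognised size field: {field!r}")
    return int(m.group(1)) * UNIT[m.group(2)]


def parse_top(text):
    """Return one dict per process row that follows the 'PID ...' header."""
    rows, in_table = [], False
    for line in text.splitlines():
        cols = line.split(None, 11)  # 12 columns; COMMAND is the last
        if not in_table:
            in_table = cols[:1] == ["PID"]
            continue
        if len(cols) != 12 or not cols[0].isdigit():
            continue  # summary lines, blanks, truncated rows
        try:
            res = to_bytes(cols[6])
        except ValueError:
            continue
        rows.append({"pid": int(cols[0]), "user": cols[1], "res": res,
                     "state": cols[7], "command": cols[11].strip()})
    return rows


def capture_inventory(rows):
    """Instances and summed resident memory per watched capture daemon."""
    inv = defaultdict(lambda: {"instances": 0, "res_bytes": 0})
    for r in rows:
        if r["command"] in CAPTURE_DAEMONS:
            inv[r["command"]]["instances"] += 1
            inv[r["command"]]["res_bytes"] += r["res"]
    return dict(inv)


def other_bpf_readers(rows):
    """Commands outside the watch list whose STATE is 'bpf', i.e. blocked
    reading a bpf(4) device and therefore also receiving packet copies."""
    return sorted({r["command"] for r in rows
                   if r["state"] == "bpf"
                   and r["command"] not in CAPTURE_DAEMONS})


if __name__ == "__main__":
    table = parse_top(SAMPLE_TOP)
    for name, info in sorted(capture_inventory(table).items()):
        mib = info["res_bytes"] / 1024 ** 2
        print(f"{name:<11} x{info['instances']}  {mib:8.1f} MiB resident")
    print("other bpf readers:", ", ".join(other_bpf_readers(table)) or "none")
```

When testing raw throughput, stopping the listed daemons one at a time and repeating the same speed test separates their cost from the cost of the firewall's own state tracking.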
                            ivor

                            @doktornotor:

                            Well seriously, if you want to test performance/throughput… You realize, that each packet on that box is copied at least 5 times? (snort, suricata, ntopng, bandwidthd, darkstat...)

                            Look at the size of config backup. https://forum.pfsense.org/index.php?topic=96795.msg540460#msg540460 I think maybe he should send it to us (pfSense support) for dissection.

                              Mr. Jingles

                              @firewalluser:

                              Keep your Zyxel doing what you are happy with it doing and make the pfsense fill the gaps. How about that for a solution?

                              Thank you for your reply, kind problem solving suggestion  ;D

                              The problem is: I got so fed up with the Zyxel crap I threw it away and thought pfsense was my new great love (after WIFE and my Rottweilers, my dearest loves of all).

                              The 'funny' thing is: I'm only a stupid economist, so you all guys can shoot me when it comes to IT knowledge. As a side effect, I work for one of the biggest Fortune-500 companies in the world, as a country CFO. As such country IT is on my desk too. My IT admins (they're not noobs, PhD's from serious tech universities) also tell me they have problems with pfsense in their test environments. That only helps me think maybe I'm not always the stupid noob  :-[

                                ivor

                                @Mr.:

                                The 'funny' thing is: I'm only a stupid economist, so you all guys can shoot me when it comes to IT knowledge. As a side effect, I work for one of the biggest Fortune-500 companies in the world, as a country CFO. As such country IT is on my desk too. My IT admins (they're not noobs, PhD's from serious tech universities) also tell me they have problems with pfsense in their test environments. That only helps me think maybe I'm not always the stupid noob  :-[

                                Working for a Fortune-500 company doesn't make you somehow universally knowledgeable. Same goes for PhD's.

                                pfSense isn't zyxel for a reason, it takes time and knowledge to configure pfSense correctly. That being said, I'm surprised you didn't reach out to pfSense support or get an official pfSense appliance since you do work for a Fortune-500 company.

                                  Mr. Jingles

                                  pfSense isn't zyxel for a reason, it takes time and knowledge to configure pfSense correctly

                                  And less bugs, and better documentation. Which is not pointing at this thread, but at other topics.

                                  @ivor:

                                  Working for a Fortune-500 company doesn't make you somehow universally knowledgeable.

                                  There is a reason why I am the self proclaimed eternal noob on this forum. I never said I am 'universally knowledgeable'. If I were I wouldn't be asking here for help.

                                  Same goes for PhD's.

                                  I have two of these titles. We like to think we know more about our fields than the one zillion 'For dummies' people who google their way to the next point-and-click. My field is economics, theirs is designing IT-infrastructures in the broadest sense. I seem to be an expert in economics yet a noob in networking (still no good book to be found, out of the gazillion books written), my admins are experts in their field yet noobs in economics. Life.

                                  That being said, I'm surprised you didn't reach out to pfSense support or get an official pfSense appliance since you do work for a Fortune-500 company.

                                  You may be surprised all you want, I will enlighten you: this is my home setup. pfsense support and pfsense appliances are too expensive for home users. And pfsense is not ready for a Fortune-500 company, so my admins only play with pfsense as they play with around 100000 projects. I even have budget for them to play with.

                                    ivor

                                    That is simply not true. pfSense is being used in almost every possible industry available… I don't want to start an argument, but what you're saying is wrong and you've pointed out multiple times that you're not exactly the most knowledgeable person regarding pfSense or IT. That's just a bad corporate-drone philosophy, which is completely false.

                                    Not to mention that you compared pfSense with SAP in a different thread, which is literally the most hated product by any knowledgeable admin of Fortune-500 companies.

                                      Mr. Jingles

                                      @ivor:

                                      Not to mention that you compared pfSense with SAP in a different thread, which is literally the most hated product by any knowledgeable admin of Fortune-500 companies.

                                      I will leave it at this, Igor.

                                        ivor

                                        @Mr.:

                                        I will leave it at this, Igor.

                                        It's Ivor actually. I'd suggest you have a really honest conversation with admins in your company regarding SAP.

                                          Mr. Jingles

                                          @ivor:

                                          @Mr.:

                                          I will leave it at this, Igor.

                                          It's Ivor actually. I'd suggest you have a really honest conversation with admins in your company regarding SAP.

                                          I'll not leave it at this, Igor, I'll respond to this since you're seriously pissing me off. Yes, seriously.

                                          and you've pointed out multiple times that you're not exactly the most knowledgeable person regarding pfSense or IT

                                          I am the eternal noob on pfsense. But I also have two PhD's in economics from universities most people only dream of. Meaning: 'tmight be that the problem with pfsense is that it isn't perfect (if you catch my drift), nor is the documentation.

                                          You comfortably moved in 'or IT', by means of a fallacy. You should make that less obvious.

                                          You should not bully me about SAP, and me 'having to talk to my admins about SAP'. It so happens I have that very special badge SAP issues to very few people, very-few-people, they even have an official word for that badge.

                                          I was doing SAP in 1992, for Walldorf. And ever since. You are probably referencing a friend of yours who didn't pass the exams, and found SAP way too difficult. Which might very well be true: it is about 140 zillion times more complex than pfsense.

                                          You've managed to piss me off more than any other person on this forum in my years here, Igor, with your insults.

                                          Bless you.

                                            ivor

                                            @Mr.:

                                            @ivor:

                                            @Mr.:

                                            I will leave it at this, Igor.

                                            It's Ivor actually. I'd suggest you have a really honest conversation with admins in your company regarding SAP.

                                            I'll not leave it at this, Igor, I'll respond to this since you're seriously pissing me off. Yes, seriously.

                                            and you've pointed out multiple times that you're not exactly the most knowledgeable person regarding pfSense or IT

                                            I am the eternal noob on pfsense. But I also have two PhD's in economics from universities most people only dream of. Meaning: 'tmight be that the problem with pfsense is that it isn't perfect (if you catch my drift), nor is the documentation.

                                            You comfortably moved in 'or IT', by means of a fallacy. You should make that less obvious.

                                            You should not bully me about SAP, and me 'having to talk to my admins about SAP'. It so happens I have that very special badge SAP issues to very few people, very-few-people, they even have an official word for that badge.

                                            I was doing SAP in 1992, for Walldorf. And ever since. You are probably referencing a friend of yours who didn't pass the exams, and found SAP way too difficult. Which might very well be true: it is about 140 zillion times more complex than pfsense.

                                            You've managed to piss me off more than any other person on this forum in my years here, Igor, with your insults.

                                            Bless you.

                                            What you do and for how long is really not my concern. However, how people behave on the forum is something that concerns me. So please, change your attitude and behave politely. I too found your multiple threads annoying and full of false accusations yet I was nice and polite in an attempt to reason with you.

                                            That being said, since you're obviously not paying attention, my name is Ivor, not Igor. Perhaps you should pay more attention with your pfSense config as well.
