Netgate Discussion Forum

    Performance with- and without pfsense

    General pfSense Questions
    25 Posts 5 Posters 4.5k Views

      ivor

      After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install. Do a clean install without any config, preferably on a different machine, and test speeds.

      Need help fast? Our support is available 24/7 https://www.netgate.com/support/

        Mr. Jingles

        @doktornotor:

        Have you tried on a sane box without any packages?

        No, I don't have a sane box: only pfsense ( ;D ;D ;D ;D ;D ).

        6 and a half billion people know that they are stupid, aggressive, lower life forms.

          doktornotor

          @ivor:

          After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install.

          Well… afraid changing HW will not help if it ends up again like this:

          :o :o :o

            firewalluser

            @Mr.:

            1. Via pfsense, to speedtest.telenet.be: 140 down.
            2. PC directly plugged into modem: 199 down (30 secs later from 1).

            You're comparing apples and oranges.

            Pfsense manages the states, your modem is essentially stateless and thus no processing or other required overhead to ensure people don't backbone into your system is taking place.

            Try another stateful fw and see how it compares to pfsense, or give pfsense some faster processing capabilities and see how it compares.

            https://en.wikipedia.org/wiki/Stateful_firewall

            Also try a basic setup as Dok suggested as well in case you may have misconfigured anything.

            In pfsense, do backups of the config changes, there's also a facility which maintains the last 10 changes so you can download it as an XML file and compare in an XML editor if that's a way of working you prefer when comparing changes quickly and easily.

            fwiw.

            Edit. It's also worth pointing out, hard disks are the slowest part of the system so any top end Intel Xeon can be made to drag its arse so to speak with a super slow spin disk like a laptop spin disk, likewise a simple celeron with a SSD HD can match the mighty Xeon in some performance tests, as it depends on what instructions are used in the chip amongst other things. The instructions not in a chip have to be emulated in the OS hence a performance hit, so identifying the right HW is also useful if thinking about getting some other equipment involved.

            Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

            Asch Conformity, mainly the blind leading the blind.
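
The backup comparison firewalluser describes above, as an added example (not part of the original post and not pfSense's own tooling): a Python diff of two config backups that reports which settings were added, removed or changed. The sample XML is constructed and simplified; using `<tracker>` and `<name>` as stable keys for repeated elements is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: repeated elements (rules, aliases) carry a <tracker> or <name>
# child that identifies them, so inserting a rule does not shift every path.
KEY_TAGS = ("tracker", "name")

# Constructed, simplified backups. Parse only files you exported yourself:
# ElementTree does not protect against entity-expansion in hostile XML.
OLD_CONFIG = """<pfsense>
  <system><hostname>fw</hostname></system>
  <aliases>
    <alias><name>mgmt_hosts</name><address>192.0.2.10</address></alias>
  </aliases>
  <filter>
    <rule><tracker>1000000101</tracker><type>pass</type><interface>lan</interface><descr>LAN out</descr></rule>
    <rule><tracker>1000000102</tracker><type>block</type><interface>wan</interface><log/><descr>Drop inbound</descr></rule>
  </filter>
</pfsense>"""

NEW_CONFIG = """<pfsense>
  <system><hostname>fw</hostname></system>
  <aliases>
    <alias><name>mgmt_hosts</name><address>192.0.2.10 198.51.100.7</address></alias>
  </aliases>
  <filter>
    <rule><tracker>1000000101</tracker><type>pass</type><interface>lan</interface><descr>LAN out</descr></rule>
    <rule><tracker>1000000103</tracker><type>pass</type><interface>wan</interface><descr>Temp access</descr></rule>
    <rule><tracker>1000000102</tracker><type>block</type><interface>wan</interface><descr>Drop inbound</descr></rule>
  </filter>
</pfsense>"""


def flatten(elem, path="", out=None):
    """Map every leaf element to 'path -> text'. Empty flags like <log/> map to ''."""
    out = {} if out is None else out
    counts = Counter(child.tag for child in elem)
    seen = Counter()
    for child in elem:
        key = next((child.findtext(k) for k in KEY_TAGS if child.findtext(k)), None)
        if key is not None:
            label = f"{child.tag}[{key}]"                # keyed by identity
        elif counts[child.tag] > 1:
            label = f"{child.tag}[{seen[child.tag]}]"    # fall back to position
        else:
            label = child.tag
        seen[child.tag] += 1
        child_path = f"{path}/{label}"
        if len(child):
            flatten(child, child_path, out)
        else:
            out[child_path] = (child.text or "").strip()
    return out


def diff_configs(old_xml, new_xml):
    """Return a sorted list of (kind, path, old_value, new_value) tuples."""
    old = flatten(ET.fromstring(old_xml))
    new = flatten(ET.fromstring(new_xml))
    changes = []
    for path in sorted(old.keys() | new.keys()):
        if path not in new:
            changes.append(("removed", path, old[path], None))
        elif path not in old:
            changes.append(("added", path, None, new[path]))
        elif old[path] != new[path]:
            changes.append(("changed", path, old[path], new[path]))
    return changes


if __name__ == "__main__":
    for kind, path, before, after in diff_configs(OLD_CONFIG, NEW_CONFIG):
        print(f"{kind:8} {path}: {before!r} -> {after!r}")
```

On the constructed pair this surfaces a widened alias, a new pass rule on the WAN interface, and logging removed from a block rule, which are the kinds of changes worth reviewing before restoring a backup.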

              Mr. Jingles

              @ivor:

              After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install. Do a clean install without any config, preferably on a different machine, and test speeds.

              Thanks, Igor  ;D

              I will not do that. Because: ever since 2.0 none of the upgrades worked. As such, every upgrade required me to do a fresh install and customize all my packages, and my firewall rules, and aliases, by hand. That takes you 2 days. Admins replied in the past "config restore works, must be something on your side". May be what it is, but I've wasted far too much time on the 'set it and forget it' firewall.

              My Zyxel bloatware didn't have all the features pfsense seems to have, but then again, it also didn't suck so much time (our most precious asset in life, together with health, says dr. economics…) out of me.

                ivor

                @doktornotor:

                Well… afraid changing HW will not help if it ends up again like this:

                :o :o :o

                That goes without saying : ) On the other hand, I've seen some pretty "heavy" pfSense configs, and as long as everything was configured correctly… it worked without issues.

                  ivor

                  @Mr.:

                  @ivor:

                  After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install. Do a clean install without any config, preferably on a different machine, and test speeds.

                  Thanks, Igor  ;D

                  I will not do that. Because: ever since 2.0 none of the upgrades worked. As such, every upgrade required me to do a fresh install and customize all my packages, and my firewall rules, and aliases, by hand. That takes you 2 days. Admins replied in the past "config restore works, must be something on your side". May be what it is, but I've wasted far too much time on the 'set it and forget it' firewall.

                  My Zyxel bloatware didn't have all the features pfsense seems to have, but then again, it also didn't suck so much time (our most precious asset in life, together with health, says dr. economics…) out of me.

                  Then I will just link my reply to you from here https://forum.pfsense.org/index.php?topic=96795.msg540411#msg540411

                    Mr. Jingles

                    @doktornotor:

                    @ivor:

                    After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install.

                    Well… afraid changing HW will not help if it ends up again like this:

                    :o :o :o

                    You're trolling me, Dok (you may do so by now, as I've discovered you're not the bad wulf  ;D ). That pic is old: squid and squidguard are gone.

                    I previously also posted top, but will do it again:

                    
                    last pid: 76817;  load averages:  0.15,  0.20,  0.21                                                                                                                                                                 up 0+04:35:42  19:13:08
                    63 processes:  1 running, 58 sleeping, 4 zombie
                    CPU:  0.6% user,  0.0% nice,  0.6% system,  0.8% interrupt, 98.0% idle
                    Mem: 360M Active, 2175M Inact, 1205M Wired, 528K Cache, 2009M Buf, 12G Free
                    Swap: 32G Total, 32G Free
                    
                      PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
                    14853 root          8  20    0  1984M  1881M uwait   1   6:11   0.88% suricata
                    22287 root         15  20    0   219M 92964K nanslp  0   1:22   0.68% ntopng
                    14138 root        150  20    0   193M 21948K uwait   0   0:25   0.00% filterdns
                    23911 root          1  20    0 14656K  2436K select  1   0:20   0.00% syslogd
                    96188 nobody        1  20    0 19060K  3516K select  0   0:11   0.00% darkstat
                    63665 root          1  20    0 21720K  5852K select  1   0:07   0.00% openvpn
                    30669 root          1  20    0 12456K  2180K select  0   0:06   0.00% apinger
                    71884 unbound       2  20    0 88488K 32700K kqread  0   0:05   0.00% unbound
                    17917 root          3  52    0 24572K  4716K uwait   0   0:03   0.00% redis-server
                    49979 dhcpd         1  20    0 24812K 13732K select  1   0:02   0.00% dhcpd
                    39033 root          1  20    0 50788K 10960K kqread  0   0:02   0.00% lighttpd
                    66015 root          1  20    0 21720K  5832K select  0   0:02   0.00% openvpn
                    65501 root          2  20    0   783M   386M nanslp  0   0:01   0.00% snort
                    99052 root          1  20    0 14540K  2080K select  0   0:01   0.00% powerd
                    79354 root          1  52   20 17136K  2708K wait    0   0:01   0.00% sh
                      249 root          1  20    0   224M 23864K kqread  1   0:01   0.00% php-fpm
                    27472 root          1  20    0 16804K  2340K bpf     1   0:01   0.00% filterlog
                    89390 root          1  20    0 55720K  7336K bpf     0   0:00   0.00% bandwidthd
                    91338 root          1  20    0 55720K  7252K bpf     0   0:00   0.00% bandwidthd
                    90609 root          1  20    0 55720K  7236K bpf     0   0:00   0.00% bandwidthd
                    89470 root          1  20    0 55720K  7312K bpf     0   0:00   0.00% bandwidthd
                    90317 root          1  20    0 55720K  7276K bpf     0   0:00   0.00% bandwidthd
                    91063 root          1  20    0 55720K  7248K bpf     0   0:00   0.00% bandwidthd
                    90849 root          1  20    0 55720K  7292K bpf     0   0:00   0.00% bandwidthd
                    89712 root          1  20    0 55720K  7288K bpf     0   0:00   0.00% bandwidthd
                    26816 root          1  20    0 28164K 18052K select  1   0:00   0.00% ntpd
                    14226 root          1  52    0 16664K  2524K nanslp  1   0:00   0.00% cron
                     6133 root          1  20    0 43604K  6296K select  0   0:00   0.00% mpd5
                    30999 root          1  20    0 28344K  3004K piperd  1   0:00   0.00% rrdtool
                    99043 uucp          1  20    0 18832K  2580K nanslp  1   0:00   0.00% upsmon
                    40664 root          1  20    0 55624K  6216K select  1   0:00   0.00% sshd
                    40320 root          6  20    0   737M 16308K usem    0   0:00   0.00% radiusd
                      264 root          1  40   20 19024K  2580K kqread  1   0:00   0.00% check_reload_status
                    24280 root          1  20    0   224M 37024K accept  0   0:00   0.00% php-fpm
                    28002 root          1  20    0 18780K  2344K select  0   0:00   0.00% inetd
                      277 root          1  20    0 13164K  4464K select  1   0:00   0.00% devd
                    41275 root          1  24    0 17136K  2756K wait    0   0:00   0.00% sh
                    40969 root          2  20    0 14748K  2312K nanslp  1   0:00   0.00% sshlockout_pf
                    54468 root          1  40    0 12404K  2008K nanslp  1   0:00   0.00% minicron
                    43186 root          1  35    0 17476K  3856K pause   1   0:00   0.00% tcsh
                    41378 root          1  52    0 17136K  2664K wait    1   0:00   0.00% sh
                    76817 root          1  20    0 21988K  3152K CPU0    0   0:00   0.00% top
                     7016 root          1  20    0 32420K  5228K select  0   0:00   0.00% sshd
                    72822 root          1  20    0 12408K  2224K kqread  0   0:00   0.00% dhcpleases
                    42562 root          1  20    0 43568K  2800K wait    0   0:00   0.00% login
                    58733 root          2  20    0 14748K  2312K nanslp  0   0:00   0.00% sshlockout_pf
                     7202 root          2  20    0 14748K  2220K nanslp  0   0:00   0.00% sshlockout_pf
                    42883 root          1  21    0 17136K  2776K wait    1   0:00   0.00% sh
                    42916 root          1  52    0 17136K  2660K ttyin   0   0:00   0.00% sh
                    18833 nagios        1  52    0 23180K  4956K select  1   0:00   0.00% nrpe2
                    98998 root          1  52    0 18832K  2552K piperd  0   0:00   0.00% upsmon
                    54781 root          1  20    0 12404K  2008K nanslp  0   0:00   0.00% minicron
                    96433 nobody        1  52    0 19060K  2396K sbwait  0   0:00   0.00% darkstat
                    71115 root          1  52   20  8304K  1952K nanslp  1   0:00   0.00% sleep
                    54289 root          1  20    0 12404K  1996K wait    1   0:00   0.00% minicron
                    54475 root          1  21    0 12404K  1996K wait    1   0:00   0.00% minicron
                    55145 root          1  21    0 12404K  1996K wait    1   0:00   0.00% minicron
                      266 root          1  52   20 19024K  2404K kqread  1   0:00   0.00% check_reload_status
                    55546 root          1  20    0 12404K  2008K nanslp  1   0:00   0.00% minicron
                    
                    

                    I'm not saying my hardware could not be the cause, but from looking into these numbers I don't get that impression.

                      firewalluser

                      @Mr.:

                      @ivor:

                      After reading this https://forum.pfsense.org/index.php?topic=96795.msg540158#msg540158 I think there's something fundamentally wrong with your pfSense install. Do a clean install without any config, preferably on a different machine, and test speeds.

                      Thanks, Igor  ;D

                      I will not do that. Because: ever since 2.0 none of the upgrades worked.

                      Just the other day I installed a 2.2.2 backup onto 2.2.0 and got the warning message on the console pointing out some things may not work as the backup is from a later version of pfsense. It still worked complete with rules & snort no problem, and the Firmware upgrade to bring it up to 2.2.2 worked fine.

                      As such, every upgrade required me to do a fresh install and customize all my packages, and my firewall rules, and aliases, by hand. That takes you 2 days.

                      10 mins max in my experience and that's even when re-editing the XML backups to change IP addresses and names.

                      Admins replied in the past "config restore works, must be something on your side". May be what it is, but I've wasted far too much time on the 'set it and forget it' firewall.

                      Check out the backup and restore, others have and will draw their own conclusions about whether it works or not.

                      For me it works even when using a backup from a later version of pfsense in an earlier installation of pfsense as mentioned above. Not many other systems have that backward compatibility even with mainstream server backup facilities.

                      My Zyxel bloatware didn't have all the features pfsense seems to have, but then again, it also didn't suck so much time (our most precious asset in life, together with health, says dr. economics…) out of me.

                      In a true DMZ using 2 firewalls, https://en.wikipedia.org/wiki/DMZ_%28computing%29#Dual_firewall

                      Keep your Zyxel doing what you are happy with it doing and make the pfsense fill the gaps. How about that for a solution?

                        doktornotor

                        Well seriously, if you want to test performance/throughput… You realize, that each packet on that box is copied at least 5 times? (snort, suricata, ntopng, bandwidthd, darkstat...)

                          ivor

                          @doktornotor:

                          Well seriously, if you want to test performance/throughput… You realize, that each packet on that box is copied at least 5 times? (snort, suricata, ntopng, bandwidthd, darkstat...)

                          Look at the size of config backup. https://forum.pfsense.org/index.php?topic=96795.msg540460#msg540460 I think maybe he should send it to us (pfSense support) for dissection.

                            Mr. Jingles

                            @firewalluser:

                            Keep your Zyxel doing what you are happy with it doing and make the pfsense fill the gaps. How about that for a solution?

                            Thank you for your reply, kind problem solving suggestion  ;D

                            The problem is: I got so fed up with the Zyxel crap I threw it away and thought pfsense was my new great love (after WIFE and my Rottweilers, my dearest loves of all).

                            The 'funny' thing is: I'm only a stupid economist, so you all guys can shoot me when it comes to IT knowledge. As a side effect, I work for one of the biggest Fortune-500 companies in the world, as a country CFO. As such country IT is on my desk too. My IT admins (they're not noobs, PhD's from serious tech universities) also tell me they have problems with pfsense in their test environments. That only helps me think maybe I'm not always the stupid noob  :-[

                              ivor

                              @Mr.:

                              The 'funny' thing is: I'm only a stupid economist, so you all guys can shoot me when it comes to IT knowledge. As a side effect, I work for one of the biggest Fortune-500 companies in the world, as a country CFO. As such country IT is on my desk too. My IT admins (they're not noobs, PhD's from serious tech universities) also tell me they have problems with pfsense in their test environments. That only helps me think maybe I'm not always the stupid noob  :-[

                              Working for Fortune-500 company doesn't make you somehow universally knowledgeable. Same goes for PhD's.

                              pfSense isn't zyxel for a reason, it takes time and knowledge to configure pfSense correctly. That being said, I'm surprised you didn't reach out to pfSense support or got official pfSense appliance since you do work for Fortune-500 company.

                                Mr. Jingles

                                pfSense isn't zyxel for a reason, it takes time and knowledge to configure pfSense correctly

                                And less bugs, and better documentation. Which is not pointing at this thread, but at other topics.

                                @ivor:

                                Working for Fortune-500 company doesn't make you somehow universally knowledgeable.

                                There is a reason why I am the self proclaimed eternal noob on this forum. I never said I am 'universally knowledgeable'. If I were I wouldn't be asking here for help.

                                Same goes for PhD's.

                                I have two of these titles. We like to think we know more about our fields than the one zillion 'For dummies' people who google their way to the next point-and-click. My field is economics, theirs is designing IT-infrastructures in the broadest sense. I seem to be an expert in economics yet a noob in networking (still no good book to be found, out of the gazillion books written), my admins are experts in their field yet noobs in economics. Life.

                                That being said, I'm surprised you didn't reach out to pfSense support or got official pfSense appliance since you do work for Fortune-500 company.

                                You may be surprised all you want, I will enlighten you: this is my home setup. pfsense support and pfsense appliances are too expensive for home users. And pfsense is not ready for a Fortune-500 company, so my admins only play with pfsense as they play with around 100000 projects. I even have budget for them to play with.

                                  ivor

                                  That is simply not true. pfSense is being used in almost every possible industry available…  I don't want to start an argument, but what you're saying is wrong and you've pointed out multiple times that you're not exactly the most knowledgeable person regarding pfSense or IT. That's just a bad corporate-drone philosophy, which is completely false.

                                  Not to mention that you compared pfSense with SAP in a different thread, which is literally the most hated product by any knowledgeable admin of Fortune-500 companies.

                                    Mr. Jingles

                                    @ivor:

                                    Not to mention that you compared pfSense with SAP in a different thread, which is literally the most hated product by any knowledgeable admin of Fortune-500 companies.

                                    I will leave it at this, Igor.

                                      ivor

                                      @Mr.:

                                      I will leave it at this, Igor.

                                      It's Ivor actually. I'd suggest you have a really honest conversation with admins in your company regarding SAP.

                                        Mr. Jingles

                                        @ivor:

                                        @Mr.:

                                        I will leave it at this, Igor.

                                        It's Ivor actually. I'd suggest you have a really honest conversation with admins in your company regarding SAP.

                                        I'll not leave it at this, Igor, I'll respond to this since you're seriously pissing me off. Yes, seriously.

                                        and you've pointed out multiple times that you're not exactly the most knowledgeable person regarding pfSense or IT

                                        I am the eternal noob on pfsense. But I also have two PhD's in economics from universities most people only dream of. Meaning: 'tmight be that the problem with pfsense is that it isn't perfect (if you catch my drift), nor is the documentation.

                                        You comfortably moved in 'or IT', by means of a fallacy. You should make that less obvious.

                                        You should not bully me about SAP, and me 'having to talk to my admins about SAP'. It so happens I have that very special badge SAP issues to very few people, very-few-people, they even have an official word for that badge.

                                        I was doing SAP in 1992, for Walldorf. And ever since. You are probably referencing a friend of yours who didn't pass the exams, and found SAP way too difficult. Which might very well be true: it is about 140 zillion times more complex than pfsense.

                                        You've managed to piss me off more than any other person on this forum in my years here, Igor, with your insults.

                                        Bless you.

                                          ivor

                                          @Mr.:

                                          @ivor:

                                          @Mr.:

                                          I will leave it at this, Igor.

                                          It's Ivor actually. I'd suggest you have a really honest conversation with admins in your company regarding SAP.

                                          I'll not leave it at this, Igor, I'll respond to this since you're seriously pissing me off. Yes, seriously.

                                          and you've pointed out multiple times that you're not exactly the most knowledgeable person regarding pfSense or IT

                                          I am the eternal noob on pfsense. But I also have two PhD's in economics from universities most people only dream of. Meaning: 'tmight be that the problem with pfsense is that it isn't perfect (if you catch my drift), nor is the documentation.

                                          You comfortably moved in 'or IT', by means of a fallacy. You should make that less obvious.

                                          You should not bully me about SAP, and me 'having to talk to my admins about SAP'. It so happens I have that very special badge SAP issues to very few people, very-few-people, they even have an official word for that badge.

                                          I was doing SAP in 1992, for Walldorf. And ever since. You are probably referencing a friend of yours who didn't pass the exams, and found SAP way too difficult. Which might very well be true: it is about 140 zillion times more complex than pfsense.

                                          You've managed to piss me off more than any other person on this forum in my years here, Igor, with your insults.

                                          Bless you.

                                          What you do and for how long is really not my concern. However, how people behave on forum is something that concerns me. So please, change your attitude and behave politely. I too found your multiple threads annoying and full of false accusations yet I was nice and polite in attempt to reason with you.

                                          That being said, since you're obviously not paying attention, my name is Ivor, not Igor. Perhaps you should pay more attention with your pfSense config as well.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.