Have a gigabit ISP connection. less than half is delivered via PFsense (I can't

SynxSynx

Hey all,

I have pfsense 2.2.6 running on this http://www.jetway.com.tw/jw/barebone_view.asp?productid=1012&proname=JBC373F38-525-B%20/%20JBC373F38W-525-B

I'm using a single ethernet for my wan, and a single ethernet for my lan.

No matter what I try, CF card, Physical HDD, MSATA SSD, Sata SSD I cannot get over 450mbps coming off of the wan. There's 4gb of ram installed and I feel that hardware it's self at least meets requirements.

Are there any tips you guys could provide me so that I'm able to increase my up\downstream speed to (as close as possible) to the gigabit speeds? At home I run a multitude of applications that require quite a bit of throughput.

Aluminum

I would point at your under-powered cpu, the D525 is a very old atom from before they did any real architecture improvements.

Derelict

Yeah I wouldn't expect the atom D525 to forward much faster than that. I have the same CPU at home (but even older with a PCI Intel daughter card) but I only have 100/10.

Guest

I have pfsense 2.2.6 running on this http://www.jetway.com.tw/jw/barebone_view.asp?productid=1012&proname=JBC373F38-525-B%20/%20JBC373F38W-525-B

What kind of pfSense version you are running? (32Bit or 64Bit)
So this can be owed to many points, not only the CPU can be to slow for that throughput
it can also be that you RAM is to slow too and gets saturated. And last but not least if you
are only using the 32Bit version it could on top based also on this circumstance.

I'm using a single ethernet for my wan, and a single ethernet for my lan.

If you are only using the 32Bit version of pfSense it could also be that there are not finding
any new drivers their way in, because the 32Bit system will be not long times maintained
anymore, so with the 64Bit version you could also getting fresh or newer drivers for your
NICs that are better then the older ones that are in usage for now or actual.

No matter what I try, CF card, Physical HDD, MSATA SSD, Sata SSD I cannot get over 450mbps coming off of the wan. There's 4gb of ram installed and I feel that hardware it's self at least meets requirements.

How you are measuring the throughput in real? From one device to another using iPerf or NetIO?
Please be aware of the speedtest websites in the Internet.

Are there any tips you guys could provide me so that I'm able to increase my up\downstream speed to (as close as possible) to the gigabit speeds? At home I run a multitude of applications that require quite a bit of throughput.

What packets are installed and running on your pfSense installation?
If I had to guess, you're being limited by your 667MHz ram speed too more than anything.
The packet filter, the IP forwarding parts, and even NAT (part of pf, but run at a different phase) all
hit the memory system. It's likely not that your CPU can't keep up, it's that your memory system is saturated.

I would try out the following if able to test it out;

• Activate PowerD (hi adaptive)
  It could be that your CPU is only running one frequency
• high up the mbuf size to 100.000 footprints to 500.000
  Be careful if not enough memory is there inside you could end up in a booting loop.
• Do a full and fresh install on a mSATA
  please use the 64Bit image of pfSense for this and then activate the TRIM support
• high up the system memory (RAM) if needed and results are that the throughput is
  climbing up based on high up the mbuf size.
• Do measuring only with NetIO or iPerf from client to server through the pfSense firewall
  and not over the well known speedtest websites in the Internet.
• I try out with the lastest 64bit pfsense version 2.3 would be also a really nice hint to see
  what is coming out based on newer drivers and other changes inside of the entire pfSense
  code or system.
• if version 2.3 is installed (fresh and full) activate perhaps  one time netmap-fwd to see
  what is going on then, also if this will be not production ready now, you might be seeing
  what is coming at next and you may want to wait with buying new hardware.

And if all is not really working well for you and/or let the entire WAN throughput not grow up
you should be thinking on buying new and stronger hardware. And not once again the lower
end Intel Atom SoC go by a really strong one to have more and longer fun with it.

hardsense

Just to share  my pfSense experience for 1 month with older hardware:

Ookla result shown I can easily maxed out 950/800 Mbps with 7 yrs old hardware on my 1Gbps internet fiber connection.

Board -> GA-945GCMX-S2 (rev. 6.6) , BIOS F6i -> http://www.gigabyte.com/products/product-page.aspx?pid=2521#ov

CPU -> Intel Core 2 Duo E6320 without AES-NI
RAM -> DDR2 2x2 GB
HDD -> 2.5 inch old SATA II 250G from laptop
OS -> pfSense 2.2.6
NIC -> Intel D33862 dual socket

Installation was very smooth , cold/warm boot are surprisingly  quick.
Due to power utilization of older hardware , I'm now trying out with newer hardware.

sudonim

@hardsense: Who is your ISP? Is there any kind of authentication? Is it direct cat 5 to the fiber ONT?

hardsense

I think I'm behind some kind of transparent proxy. I use Cat6 for cabling.

According to the forum ,  iperf test is the most accurate way of testing the actual speed. I have yet to try it out iperf test but the old system is gone.

SynxSynx

@BlueKobold:

What kind of pfSense version you are running? (32Bit or 64Bit)

32 bit.

it can also be that you RAM is to slow too and gets saturated.

Probably not. It's DDR3 12800 4gb.

If you are only using the 32Bit version of pfSense it could also be that there are not finding
any new drivers their way in, because the 32Bit system will be not long times maintained
anymore

Okay, I understand a little bit, but this box is old, as are the NIC's I don't really think there's too much of a difference between 32 and 64 bit. I mean my CPU maxxes out at 30% when I'm downloading a 10gb file.

How you are measuring the throughput in real? From one device to another using iPerf or NetIO?
Please be aware of the speedtest websites in the Internet.

Both IPERF hosted by my ISP as well as OOKLA hosted by my ISP

Are there any tips you guys could provide me so that I'm able to increase my up\downstream speed to (as close as possible) to the gigabit speeds? At home I run a multitude of applications that require quite a bit of throughput.

What packets are installed and running on your pfSense installation?

I don't understand what you mean.

If I had to guess, you're being limited by your 667MHz ram speed too more than anything.
The packet filter, the IP forwarding parts, and even NAT (part of pf, but run at a different phase) all
hit the memory system. It's likely not that your CPU can't keep up, it's that your memory system is saturated.

Again, it's not the RAM. This is a brand spanking new install of pfsense, there's no firewall rules, no nat, no nothing.

Guest

I don't understand what you mean.

I was only asking you for installed packets like Snort, Squid Suricata and ClamAV that can also heavily
narrow down the entire throughput or WAN speed.

Again, it's not the RAM. This is a brand spanking new install of pfsense, there's no firewall rules, no nat, no nothing.

NAT is a part from the pf (packet filter) and is usually switched on by default, as I see it right.

Did you ever try out to install the 64Bit pfSense version? The Intel Atom D525 is a 64Bit CPU or SoC.

jimp

What sort of WAN? (DHCP? PPPoE?) If your WAN is PPPoE it could be hitting this as well: https://redmine.pfsense.org/issues/4821

That said, those Jetway 525-B boxes are crap, honestly. We sold them for a while and had a lot come back failed, and they won't even boot 2.2 or later properly from CF (needs SATA or mSATA). Between the overheating and dodgy Realtek NICs, I would not expect much from them. I'm shocked you managed 450Mbit/s. I have one here that I only fire up if I need a foot warmer.

hardsense

"Both IPERF hosted by my ISP as well as OOKLA hosted by my ISP"

I have my doubts on the ISP hosted bandwidth tools since you don't have any visibility on how they implement tools in their enverionment.

Use the Sergey Nosov's table "iperf - Mbits/sec - Window size: 64 KB" and do the actual test.

here's the link for the table -> https://www.orderfactory.com/articles/pfSense-Snort/network-perimeter.html  and let us know the result.