Netgate Discussion Forum

    How much throughput lost using pfSense?

    General pfSense Questions
    • MikeV7896

      Unfortunately, hardware plays a big role in pfSense's performance, so you can't throw out hardware capabilities.

      I can push 900+ Mbps with pfSense on a Celeron J1900 CPU (quad-core, 2.0 GHz) and IIRC (it's been a while since I last tested this) the CPU load was only about 1/3. There are pfSense systems designed to push gigabits worth of data through per second, with 10Gb interfaces. Of course they have faster processors to be able to handle that load (pfSense has one with 2 x 10Gb SFP+ slots and an Atom C2758 8-core CPU).

      To actually answer your question… how much performance is lost using pfSense? None. The real question is whether the hardware that pfSense is running on can process the load you're trying to push through it.

      The S in IOT stands for Security

      • David19

        So, if all hardware specs are capable of sustained speeds at whatever speed available through the ISP (let's say for this particular area, 800mbps is capable), pfSense working as a firewall and/or NAT WILL NOT slow down that throughput at all? I always thought even if the hardware is capable, you won't achieve max speeds from your internet provider because of packet filtering, etc…

        Obviously the weakest link will determine the upper limit - and I understand hardware is most often the culprit when looking at speeds approaching 1000mbps. For reference, my box has an Intel Atom D2550 (1.86GHz, dual core) and Dual Broadcom 57788. I understand that may very well be the 'weakest link' and the reason I'm hitting an upper limit of 600mbps versus 800+mbps connected directly to the ISP modem. I was just curious how much of that reduction can be attributed to pfSense 'doing its job'

        • Harvy66

          Bidirectional iperf tests

          Client1 <-> LAN1 <-> Client2 1.93Gb/s after 10 runs

          Client1 <-> LAN1 <-> PFSense <-> LAN2 <-> Client2 1.95Gb/s after 10 runs

          For me, same or faster. And that includes traffic shaping with CoDel and HFSC enabled on PFSense. Even though the switch and NICs should be able to handle line rate, HFSC + CoDel may help stabilize bandwidth since the bidirectional test is effectively multiple flows.

          As for speed test on the Internet. I get the exact same speed with or without PFSense, but I only have a 100Mb connection.

            • xman111

            I get what I pay for from my ISP, even through VPN, only lose 5 percent of total speed.

              • Nachtfalke

              You can try disabling packet filtering on pfsense to test if this will increase the speed - so you can see if it is the packet filtering or something else.
              But perhaps the broadcom NICs don't perform that well.

              Further it could be that only one CPU (core) is hitting its limit because not everything is multi-core capable in pfsense.

                • Guest

                Connecting directly to my internet provider's modem, hitting 800-850Mbps on speedtests.

                This is depending on both failures in that measuring method.
                1.- The pure modem is not performing firewall rules, doing NAT or any kind of SPI, with all three things you
                will normally be losing 3% - 5% of the whole throughput on the WAN interface.
                2.- Speed tests should be reproducible for all of us and not done over the Internet where many
                other points of failure could be coming into that game! Please use iPerf or NetIO through the pfSense
                firewall, with a client to server installation on two devices like PCs.

                When placed back on bridge mode and using pfSense box, same speedtests hit roughly 600Mbps.

                Only a router must be set to the "bridge mode", a real and pure modem is a bridge device, so I will assume
                this is not a pure modem, but more a router in the so called bridge mode!? So if pfSense is not in the game
                and this is a router given to you from your ISP, it could also be that this router is doing most of the work in
                a so called "silicon way" supported by an ASIC/FPGA, and pfSense is an x86 software firewall without such
                supporting chips!

                Hardware capabilities aside, how much of a throughput reduction would be expected using pfSense "as is" (default firewall settings and no installed packages)?

                With a full and fresh installation of pfSense and according to the right image, like 32Bit for 32Bit hardware
                and 64Bit image for the 64Bit hardware, it should be something between 3% - 5% and not more. But, and this
                is a false assumption made by many customers and users, your 200 € router is capable of doing pure SPI/NAT
                without any firewall rules and now you are assuming that a small 200 € hardware will be able to realize that too
                with pfSense, but please trust me, it isn't the same as you might be thinking! And yes others are right
                if they say together with the right sorted hardware you will be able to achieve and route without any problems
                multiple 1 GBit/s at the WAN interface(s) with ease. But in general you will see something around ~940 MBit/s
                because the TCP/IP overhead and performing SPI/NAT and working out the firewall rules needs time and
                this must be counted then on top of the ~940 MBit/s to be a real 1 GBit/s, please don't forget this.

                  • David19

                  Thank you all for your help. This is 100% a hardware limitation.

                  It dawned on me that when I had a 100Mbps connection, I "got what I paid for" because I never pushed the hardware to its upper limit - but that also means the general duty of a running pfSense box didn't affect the throughput in a significant or perceived way. Why would I expect that to change if I upgrade my ISP's internet speed? I wasn't thinking this through.

                  I'll stick with what I have for now because in real-world performance I can't see sustaining speeds higher than 600Mbps anyway (other than in speedtests). And I'm not interested in upgrading hardware to achieve 200-300 more Mbps of throughput when the difference at these high speeds, IMO, is somewhat trivial. The upgrade to a gigabit connection from a 100Mbps was actually a promo, and I'm actually paying less than before, so I don't mind not getting the full 850Mbps+ my line is capable of. Seriously, this is first world problems! :)

                  Out of curiosity, is the SG-2220 appliance in the pfSense store capable of 'gigabit speeds'? Should my unit ever need replacing, I may just consider that as an option instead of building myself.

                    • fragged

                    If your connection uses PPPoE your throughput is most likely limited by PPPoE being single threaded on pfSense.

                    https://redmine.pfsense.org/issues/4821

                      • David19

                      Not using PPPoE.

                      Looked at the activity again and it appears one cpu core is idle during the speedtest. And CPU usage is not maxed out either.

                      How would I make changes to utilize both cpu cores on WAN? (please bear with me as I'm not proficient in pfSense)

                        • Guest

                        Not using PPPoE.

                        Are you sure about that? What are you using then instead?

                        How would I make changes to utilize both cpu cores on WAN? (please bear with me as I'm not proficient in pfSense)

                        Use something that is saturating that line.

                          • David19

                          @BlueKobold:

                          Are you sure about that? What are you using then instead?

                          The WAN interface required for my cable modem is DHCP.

                          Use something that is saturating that line.

                            • eekcat

                            I'm losing more than 50% throughput at the moment. Webservers behind pfSense are somewhere slowed down and I don't know why.

                              • Harvy66

                              Why not start your own thread. Performance issues are almost always customer per person. No point in ruining someone else's thread by muddying up the discussion.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.