How much throughput lost using pfSense?
-
Bidirectional iperf tests
Client1 <-> LAN1 <-> Client2 1.93Gb/s after 10 runs
Client1 <-> LAN1 <-> PFSense <-> LAN2 <-> Client2 1.95Gb/s after 10 runs
For me, same or faster. And that includes traffic shaping with CoDel and HFSC enabled on PFSense. Even though the switch and NICs should be able to handle line rate, HSFC + CoDel may help stabilize bandwidth since the bidirectional test is effectively multiple flows.
As for speed test on the Internet. I get the exact same speed with or without PFSense, but I only have a 100Mb connection.
-
I get what I pay for from my ISP, even through VPN, only lose 5 percent of total speed.
-
You can try with disabling packet filtering on pfsense to test if this will increase the speed - so you cann see if it is the packet filtering or something else.
But perhaps the broadcom NICs don't perform that well.Further it could be that only one CPU (core) is hitting its limit because not everything is multi-core capable in pfsense.
-
Connecting directly to my internet provider's modem, hitting 800-850Mbps on speedtests.
This is pending on the both failures in that measuring method.
1.- The pure modem is not performing firewall rules, doing NAT or any kind of SPI, with all three things you
will be loosing in normal 3% - 5% of the whole throughput an the WAN interface.
2.- Speed test´s should be for all of us reproduce able and not done over the Internet where many
other point of failures could be coming into that game! Please use iPerf or NetIO through the pfSense
firewall, with a client to server installation on two devices likes PCs.When placed back on bridge mode and using pfSense box, same speedtests hit roughly 600Mbps.
Only a router must be set to the "bridge mode", a real and pure modem is a bridge device, so I will assume
this is not a pure modem, but more a router in the so called bridge mode!? So if pfSense is not in the game
and this is a router given to you from your ISP, it could also being that this router is doing the most work over
a so called "silicon way" supported by an ASIC/FPGA, and pfSense is a x86 software firewall without such
supporting chips!Hardware capabilities aside, how much of a throughput reduction would be expected using pfSense "as is" (default firewall settings and no installed packages)?
With a full and fresh installation of pfSense and according to the right image likes 32Bit for 32Bit hardware
and 64Bit image for the 64Bit hardware it should be something between 3% - 5% and not more. But, and this
is a most done thinking false by many customers and users, your 200 € router is capable of doing pure SPI/NAT
without any firewall rules and now you are assuming that a small 200 € hardware will be able to realize that too
with pfSense, but please trust me, it isn´t the same as you might be thinking over! And yes others are right
if they say together with the right sorted hardware you will be able to archive and route without any problems
multiple 1 GBit/s at the WAN interface(s) with ease. But in general you will see something around ~940 MBit/s
because the TCP/IP overheat and performing out SPI/NAT and working out the firewall rules needs time and
this must be counted then on top of the ~940 MBit/s to be a real 1 GBit/s, please don´t forget this. -
Thank you all for your help. This is 100% a hardware limitation.
It dawned on me that when I had a 100Mbps connection, I "got what I paid for" because I never pushed the hardware to its upper limit - but that also means the general duty of a running pfSense box didn't affect the throughput in a significant or perceived way. Why would I expect that to change if I upgrade my ISP's internet speed? I wasn't thinking this through.
I'll stick with I have for now because in real-world performance I can't see sustaining speeds higher than 600Mbps anyway (other than in speedtests). And I'm not interested in upgrading hardware to achieve 200-300 more Mbps of throughout when the difference at these high speeds, IMO, is somewhat trivial. The upgrade to a gigabit connection from a 100Mbps was actually a promo, and I'm actually paying less than before, so I don't mind not getting the full 850Mbps+ my line is capable of. Seriously, this is first world problems! :)
Out of curiosity, is the SG-2220 appliance in the pfSense store capable of 'gigabit speeds'? Should my unit ever need replacing, I may just consider that as an option instead of building myself.
-
If you connection uses PPPoE your throughput is most likely limited by PPPoE being single threaded on pfSense.
https://redmine.pfsense.org/issues/4821
-
Not using PPPoE.
Looked at the activity again and it appears one cpu core is idle during the speedtest. And CPU usage is not maxed out either.
How would I make changes to utilize both cpu cores on WAN? (please bear with me as I'm not proficient in pfSense)
-
Not using PPPoE.
Are you sure with that? What you are using then instead?
How would I make changes to utilize both cpu cores on WAN? (please bear with me as I'm not proficient in pfSense)
Use something that is saturating that line.
-
@BlueKobold:
Are you sure with that? What you are using then instead?
The WAN interface required for my cable modem is DHCP.
Use something that is saturating that line.
-
I'm losing more than 50% throughput at the moment. Webservers behind pfSense are somewhere slowed down and i don't know why..
-
Why not start your own thread. Performance issues are almost always customer per person. No point in ruining someone else's thread by muddying up the discussion.