Gigabit Throughput

TheQuank

Howdy! I'm on a gigabit cable connection and can't get much more then 230 meg though my pfSense firewall. I've checked all the interfaces are at 1000baseT full duplex with no errors. I'm only running one VPN that isn't used for internet traffic. Hardware is below and doesn't seem to be taxed in anyway:

Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
Current: 1998 MHz, Max: 3000 MHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: No
4 GB of RAM

Running 2.4.4-RELEASE-p1 (amd64)

I see a bunch of advise to disable snort, traffic shaping, and other services, but I'm just running simple NAT. Where should I look next?

stephenw10

Mmm, you should be able to pass 1Gbps of firewall+NAT with that in general. But....

How are you testing?

Are you running any packages?

What NICs do you have?

Steve

TheQuank

I've got a TP-Link addon card and the on-motherboard one. As for packages;

apcupsd
bandwithd
iperf
nmap
openvpn-client-export

thanks for the help!!

stephenw10

How do those NICs appear in Interfaces > Assignments though?

em0 and em1? re0? Some thing else?

Steve

TheQuank

Sorry, I should have included that, WAN (TP-Link) is re0 and LAN is em0.

stephenw10

Ok, well the re NIC isn't going to be helping there but I'd still expect far more than 280Mbps.

But how exactly are you testing that?

Really I would like to see an iperf3 test with a client on one side of the firewall and server on the other.

Steve

marvosa

There are several areas to look at... cables, switch, packages, limiters, traffic shaping, are you virtualized, is the testing box even able to push/pull gigabit speeds, etc, etc... but TBH... you lost me at Core 2 Duo and a TP-Link NIC... ;)

The Core 2 Duo E8400 is almost an 11-year-old CPU... which means 11-year-old architecture throughout the box. Let's all have an honest moment of reflection and think about what the average residential internet speeds were at the beginning of 2008... maybe 10, 20, 30 Mbit if you were lucky? Now fast forward ~11 years... where 1, 2, and 10 Gbit speeds are available in residential areas ... which is 35-1000 times faster than what was available to most people back then... are we really expecting a 10+ year old desktop with a cheap TP-Link NIC to reliably route and filter traffic @ 1 Gbit throughput? To me, the logical answer to that question is no.

While hardware may not be your only issue... I can almost guarantee it's a contributing factor. Save yourself the dozens of hours (if not multiple weeks) banging your head against the wall and upgrade your hardware (NIC's included)... then re-assess.

heper

@marvosa said in Gigabit Throughput:

are we really expecting a 10+ year old desktop with a cheap TP-Link NIC to reliably route and filter traffic @ 1 Gbit throughput? To me, the logical answer to that question is no.

the system itself will do that just fine, the TP-link nic will most likely be the culprit

netblues

@heper Instead of scratching your head, use iperf. You will need two pc with gigabit lan
Boot some dvd linux distro
Mint, debian, fedora, for example
Load/ install iperf and do a few tests
Pc to pc with just a cable
You should get 1g
Pc to pf internal int (run iperf on pf) get 1g

Pc to pf external int again measure 1g
If you see 1g everywhere and both ways then your options are

1. Establish plain routing via pf and test
2. Establish nat via pf and test
3. Setup a bridge with pf and test

Do monitor cpu usage on pf whole testing.
At this point you will have clear indications on what might be the issue

Apart from that, I would suspect congestion on your provider, but we need to rule out everything else.

marvosa

@heper said in Gigabit Throughput:

the system itself will do that just fine, the TP-link nic will most likely be the culprit

Can it do it mathematically in theory on paper? Possibly... but the question is... can 11-year-old desktop architecture reliably route and sustain 1 Gbit firewalled throughput (930-940+ Mbit) over a gigabit WAN?... my vote is no. And that isn't necessarily just my opinion... even the vendor recommends "Server-class Hardware" to push anything over 500 Mbit.

Don't get me wrong... I'm not saying the box won't "work"... but it's all a matter of what each person considers acceptable... will his box route traffic, yes... will it be fast, sure (relatively)... but will it reliably sustain 940+ Mbit/sec of firewalled, real-world traffic over the gigabit WAN he's paying for... my vote is doubtful. And to me, that's unacceptable. Barring a misconfiguration that ends up limiting bandwidth by design, anytime I don't see full bandwidth minus some overhead, I typically start assessing hardware and infrastructure.

TheQuank

Morning everyone, thanks for the comments! You'll have to forgive my ignorance as I'm a bit new to measuring throughput. I ran iperf between my desktop computer and the pfSense firewall and got in the 700s:

/root: iperf -c 192.168.5.121 -p 5201

Client connecting to 192.168.5.121, TCP port 5201
TCP window size: 64.2 KByte (default)

[ 3] local 192.168.5.1 port 56750 connected with 192.168.5.121 port 5201

write failed: Broken pipe
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 9.5 sec 884 MBytes 783 Mbits/sec

My desktop is behind three switches and crap wiring.

Next, I connected a laptop directly to the cable modem and got in the 800s on speedtest.net several times.

Then I attempted to use iperf on pfSense to contact several public servers I found and got results like below several times:

root: iperf -c speedtest.serverius.net -P 10

Client connecting to speedtest.serverius.net, TCP port 5001
TCP window size: 64.2 KByte (default)

[ 7] local 68.102.217.178 port 53624 connected with 178.21.16.76 port 5001
[ 11] local 68.102.217.178 port 29834 connected with 178.21.16.76 port 5001
[ 5] local 68.102.217.178 port 24828 connected with 178.21.16.76 port 5001
[ 9] local 68.102.217.178 port 53592 connected with 178.21.16.76 port 5001
[ 3] local 68.102.217.178 port 42250 connected with 178.21.16.76 port 5001
[ 10] local 68.102.217.178 port 44675 connected with 178.21.16.76 port 5001
[ 8] local 68.102.217.178 port 52098 connected with 178.21.16.76 port 5001
[ 12] local 68.102.217.178 port 29426 connected with 178.21.16.76 port 5001
[ 6] local 68.102.217.178 port 50963 connected with 178.21.16.76 port 5001
[ 4] local 68.102.217.178 port 41528 connected with 178.21.16.76 port 5001
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-10.0 sec 2.75 MBytes 2.30 Mbits/sec
[ 8] 0.0-10.1 sec 4.50 MBytes 3.74 Mbits/sec
[ 12] 0.0-10.1 sec 4.38 MBytes 3.64 Mbits/sec
[ 11] 0.0-10.1 sec 4.38 MBytes 3.63 Mbits/sec
[ 9] 0.0-10.1 sec 2.75 MBytes 2.28 Mbits/sec
[ 10] 0.0-10.2 sec 4.50 MBytes 3.72 Mbits/sec
[ 3] 0.0-10.2 sec 4.50 MBytes 3.71 Mbits/sec
[ 6] 0.0-10.2 sec 4.38 MBytes 3.60 Mbits/sec
[ 4] 0.0-10.2 sec 4.38 MBytes 3.61 Mbits/sec
[ 7] 0.0-10.2 sec 2.75 MBytes 2.26 Mbits/sec
[SUM] 0.0-10.2 sec 39.2 MBytes 32.2 Mbits/sec

This is way lower than I got with speedtest.net from the desktop behind all the switches and crap wiring. so I'm not sure what to think of all this....

I did keep an eye on the CPU of the pfSense box during all the tests, and it didn't seem to climb to much. What should I try next?

Grimson

With such an old system, is the TP-Link card simple PCI or PCIe?

netblues

Iperf from cable modem.lan to wan eth?

stephenw10

Better to use iperf3. You can install that on pfSense to use from the command line with pkg install iperf3.
You can test reverse using that among other advantages.

Testing either from or to the firewall is not a good test as it's optimised for routing not serving but it can still be useful for proving out some things. With iperf3 you can run that test with -R to get the reverse test to prove out the LAN is at least capable of over 280Mbps.

You should try testing from your laptop using iperf against speedtest.serverius.net to prove that is a good server to test against. It may be limited to that speed anyway. It would be better to test against a local iperf3 server but otherwise find a public server that can do your WAN line rate when connected directly to the modem.

Steve

stephenw10

@marvosa said in Gigabit Throughput:

1 Gbit firewalled throughput (930-940+ Mbit) over a gigabit WAN?... my vote is no.

Unfortunately I don't have a Gigabit WAN to test with (I can only dream ) but in a local test with iperf3 client LAN side and iperf3 server WAN side, firewalling and NATing:

[2.4.4-RELEASE][root@7100.stevew.lan]/root: iperf3 -c 172.21.16.76
Connecting to host 172.21.16.76, port 5201
[  5] local 192.168.112.10 port 47156 connected to 172.21.16.76 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   112 MBytes   940 Mbits/sec    0    160 KBytes       
[  5]   1.00-2.00   sec   112 MBytes   941 Mbits/sec    0    160 KBytes       
[  5]   2.00-3.00   sec   112 MBytes   941 Mbits/sec    0    160 KBytes       
[  5]   3.00-4.00   sec   112 MBytes   936 Mbits/sec    0    160 KBytes       
[  5]   4.00-5.00   sec   112 MBytes   941 Mbits/sec    0    160 KBytes       
[  5]   5.00-6.00   sec   112 MBytes   941 Mbits/sec    0    160 KBytes       
[  5]   6.00-7.00   sec   111 MBytes   928 Mbits/sec    0    160 KBytes       
[  5]   7.00-8.00   sec   112 MBytes   939 Mbits/sec    0    160 KBytes       
[  5]   8.00-9.00   sec   112 MBytes   941 Mbits/sec    0    160 KBytes       
[  5]   9.00-10.00  sec   112 MBytes   941 Mbits/sec    0    160 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.09 GBytes   939 Mbits/sec    0             sender
[  5]   0.00-10.07  sec  1.09 GBytes   932 Mbits/sec                  receiver

iperf Done.

And during that the E8400 box shows:

last pid: 73219;  load averages:  1.23,  0.80,  0.56                                               up 0+00:31:22  17:23:52
233 processes: 6 running, 184 sleeping, 43 waiting
CPU:  8.0% user,  0.2% nice, 37.3% system, 37.1% interrupt, 17.5% idle
Mem: 348M Active, 243M Inact, 438M Wired, 196M Buf, 888M Free
Swap: 1894M Total, 1894M Free

  PID USERNAME   PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
  351 root        52    0   224M   191M CPU0    0   0:04  48.39% /usr/local/bin/suricata -i em0 -D -c /usr/local/etc/suric
   56 root        -8    -     0K    16K RUN     0   1:38  37.20% [md1]
   12 root       -92    -     0K   704K CPU0    0   1:53  37.20% [intr{irq261: em1:rx0}]
   12 root       -92    -     0K   704K WAIT    0   2:02  36.76% [intr{irq257: em0:rx0}]
   11 root       155 ki31     0K    32K RUN     1  26:12  18.42% [idle{idle: cpu1}]
   11 root       155 ki31     0K    32K RUN     0  25:13  12.20% [idle{idle: cpu0}]
   12 root       -92    -     0K   704K WAIT    1   0:05   1.52% [intr{irq258: em0:tx0}]
   12 root       -92    -     0K   704K WAIT    1   0:04   1.46% [intr{irq262: em1:tx0}]
  351 root        20    0   224M   191M uwait   1   0:01   1.00% /usr/local/bin/suricata -i em0 -D -c /usr/local/etc/suric
  351 root        20    0   224M   191M uwait   0   0:00   0.61% /usr/local/bin/suricata -i em0 -D -c /usr/local/etc/suric
73735 unbound     20    0 31992K 16828K kqread  0   0:00   0.52% /usr/local/sbin/unbound -c /var/unbound/unbound.conf{unbo
66520 root        37    0 97732K 37496K accept  1   0:01   0.24% php-fpm: pool nginx (php-fpm){php-fpm}
   12 root       -60    -     0K   704K WAIT    1   0:04   0.20% [intr{swi4: clock (0)}]
50995 root        20    0 50952K 39972K nanslp  1   0:00   0.13% /usr/local/bin/php_pfb -f /usr/local/pkg/pfblockerng/pfbl
54344 nobody     -22  r30  6500K  2608K nanslp  1   0:00   0.11% /usr/local/sbin/LCDd -c /usr/local/etc/LCDd.conf -u nobod
   12 root       -72    -     0K   704K WAIT    0   0:00   0.08% [intr{swi1: netisr 1}]
11335 root        20    0  9860K  4360K CPU1    1   0:00   0.08% top -aSH

So I'm going to vote yes. And yes even more if I wasn't running Suricata on that box!

Steve

netblues

As expected an old core2duo can route and nat 1 gigabit of traffic.
But the wan results above are horrible.
Something is completely flawed. Could it be mtu? the wan card?
i'd love to see some iperf3 tests cross box with local wan first.

JKnott

@netblues said in Gigabit Throughput:

Could it be mtu?

Normally, you get the best results with the largest MTU. That's usually 1500, but would be 1492 on ADSL.

netblues

@jknott That is competely true, however you get very bad results if mtu is needed to be less and fragmentation doesn;t work. I doubt its an mtu issue, however the speed differences via pfsense is huge, and is difficult to believe its the network card unless it is faulty.
A tp link ethernet might not be an intel igb, but still.

JKnott

@netblues said in Gigabit Throughput:

That is competely true, however you get very bad results if mtu is needed to be less and fragmentation doesn;t work.

If that's the case, you should see ICMP "too big" messages. Fragmentation doesn't happen as often as it used to, as it's not allowed on IPv6 and the do not fragment flag is often used on IPv4. With Linux, that flag is set on everything, but only TCP on Windows.

TheQuank

Howdy all! Sorry I'm a bit behind. The WAN card was only PCI so I swapped it out with a new PCIx one. So here's what I have now:

em0 00:0f:fe:c7:5e:bc (up) Intel(R) PRO/1000 Network Connection 7.6.1-k
re0 18:a6:f7:01:1e:d0 (up) RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigab

Here is iperf3 from the pfSense box cmd line with the new PCIx card:

root: iperf3 -c iperf.scottlinux.com -p 5201
Connecting to host iperf.scottlinux.com, port 5201
[ 5] local 68.102.220.240 port 7956 connected to 45.33.39.39 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.01 sec 5.23 MBytes 43.6 Mbits/sec 1 1.41 KBytes
[ 5] 1.01-2.00 sec 2.02 MBytes 17.0 Mbits/sec 1397 546 KBytes
[ 5] 2.00-3.00 sec 324 KBytes 2.65 Mbits/sec 45 2.85 KBytes
[ 5] 3.00-4.00 sec 912 KBytes 7.49 Mbits/sec 19 272 KBytes
[ 5] 4.00-5.00 sec 3.93 MBytes 33.0 Mbits/sec 0 288 KBytes
[ 5] 5.00-6.00 sec 4.16 MBytes 34.9 Mbits/sec 0 304 KBytes
[ 5] 6.00-7.00 sec 3.04 MBytes 25.5 Mbits/sec 14 157 KBytes
[ 5] 7.00-8.00 sec 2.35 MBytes 19.7 Mbits/sec 0 174 KBytes
[ 5] 8.00-9.00 sec 2.65 MBytes 22.2 Mbits/sec 0 190 KBytes
[ 5] 9.00-10.00 sec 2.82 MBytes 23.6 Mbits/sec 0 206 KBytes

---

[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 27.4 MBytes 23.0 Mbits/sec 1476 sender
[ 5] 0.00-10.24 sec 25.5 MBytes 20.9 Mbits/sec receiver

iperf Done.

I've not tried flipping the interfaces and trying with the Intel card yet.

Here is iperf3 from my desktop:

iperf-3.1.3-win64>iperf3.exe -c iperf.scottlinux.com -p 5201
Connecting to host iperf.scottlinux.com, port 5201
[ 4] local 192.168.5.121 port 63682 connected to 45.33.39.39 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 2.12 MBytes 17.8 Mbits/sec
[ 4] 1.00-2.00 sec 3.00 MBytes 25.1 Mbits/sec
[ 4] 2.00-3.00 sec 3.00 MBytes 25.2 Mbits/sec
[ 4] 3.00-4.00 sec 3.00 MBytes 25.2 Mbits/sec
[ 4] 4.00-5.00 sec 2.88 MBytes 24.1 Mbits/sec
[ 4] 5.00-6.00 sec 3.00 MBytes 25.1 Mbits/sec
[ 4] 6.00-7.00 sec 2.88 MBytes 24.1 Mbits/sec
[ 4] 7.00-8.00 sec 2.75 MBytes 23.1 Mbits/sec
[ 4] 8.00-9.00 sec 3.12 MBytes 26.2 Mbits/sec
[ 4] 9.00-10.00 sec 3.00 MBytes 25.2 Mbits/sec

---

[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 28.8 MBytes 24.1 Mbits/sec sender
[ 4] 0.00-10.00 sec 28.6 MBytes 24.0 Mbits/sec receiver

iperf Done.

Here is my connection from my desktop to the pfSense box:

iperf3.exe -c 192.168.5.1 -p 5201
Connecting to host 192.168.5.1, port 5201
[ 4] local 192.168.5.121 port 63707 connected to 192.168.5.1 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 105 MBytes 882 Mbits/sec
[ 4] 1.00-2.00 sec 111 MBytes 931 Mbits/sec
[ 4] 2.00-3.00 sec 108 MBytes 910 Mbits/sec
[ 4] 3.00-4.00 sec 110 MBytes 924 Mbits/sec
[ 4] 4.00-5.00 sec 111 MBytes 932 Mbits/sec
[ 4] 5.00-6.00 sec 107 MBytes 896 Mbits/sec
[ 4] 6.00-7.00 sec 112 MBytes 936 Mbits/sec
[ 4] 7.00-8.00 sec 111 MBytes 932 Mbits/sec
[ 4] 8.00-9.00 sec 111 MBytes 932 Mbits/sec
[ 4] 9.00-10.00 sec 75.5 MBytes 633 Mbits/sec

---

[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 1.04 GBytes 891 Mbits/sec sender
[ 4] 0.00-10.00 sec 1.04 GBytes 891 Mbits/sec receiver

iperf Done.

Where should I look next?