10G NAT/Firewall performance problems
-
@farmwald said in 10G NAT/Firewall performance problems:
Yes, I'd like to understand why PFSense is so much better (30x) than OPNSense, given the same base OS.
Nope, not the same base OS. pfSense uses FreeBSD instead of OpenBSD.
-
Nope, not the same base OS. pfSense uses FreeBSD instead of OpenBSD.
They are also using HardendBSD...
Need help fast? Our support is available 24/7 https://www.netgate.com/support/
Do Not PM For Help!
-
@grimson
Thanks, I didn't realize that. I suppose it's likely that the problem is OpenBSD vs FreeBSD. 30x is a pretty big number, though so it must be a pretty serious problem with OpenBSD.By the way, I'd say that Wireguard is pretty mature, probably more secure than alternatives (due to the vastly smaller and well-examined code base), and it is substantially faster (3-10x in my tests across a wide range of processors), and much easier to understand and set up.
I think the disclaimers are overstated at this point but were probably justified a few years ago.
I'd like to think that "customers" had a choice. If I could help, I would, but I have no experience with BSD or PFSense development. If someone is able and willing to port it, I'm willing to contribute. -
@chrismacmahon said in 10G NAT/Firewall performance problems:
They are also using HardendBSD...
Which is actually FreeBSD. OPNSense is not using OpenBSD unless things have dramatically changed since I last tested it. Which was admittedly a while ago.
Steve
-
The pfSense devs are not against Wireguard in any way except that it wasn't really ready at the last review.
https://news.ycombinator.com/item?id=19187694
Steve
-
@stephenw10 said in 10G NAT/Firewall performance problems:
Which as actually FreeBSD. OPNSense is not using OpenBSD unless things have dramatically changed since I last tested it. Which was admittedly a while ago.
Steve
IIRC they were thinking about switching to OpenBSD the last time I looked at their page. Which was a bit over 2 years ago, as I currently see no reason to follow their progress.
-
I'm confused too. I did some web searches and pfsense and opnsense both claim to be based on FreeBSD.
PFSense 2.2.4 - FreeBSD 11.2-RELEASE-p4 (wth backports from HardenedBSD.)
OPNSense 19.1 - HardenedBSD 11.2So maybe there is an issue with HardenedBSD 11.2 vs FreeBSD 11.2.
-
TBH I doubt anyone here is interested in fixing performance issues with OPNSense, this is something you have to take up with them.
-
Set mss to 1300. 25x faster (2.5 Gbps) download.
So OPNSense fix was easy, going to try the same fix on OpenWRT.I guess PFSense has better defaults.
I'm quite serious about being willing to make financial contributions to Wireguard port to PFSense. PFSense seems "better" than OPNSense (after using it for a day), but I really need Wireguard.
I had lots of installation problem with OPNSense, but no problems with PFSense. Generally, PFSense seems a bit more serious and professional. -
@farmwald said in 10G NAT/Firewall performance problems:
I'm quite serious about being willing to make financial contributions to Wireguard port to PFSense.
https://forum.netgate.com/category/30/bounties good luck.
