Netgate Discussion Forum
    Real gigabit throughput

    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      @FrontierDK said in Real gigabit throughput:

      But this also means that any PC can connect to you

      No it doesn't - the whole point of a firewall.

      And any person believing that the numbers on the current product page are going to hold up in the real world,

      So you think they are making up the test results? Really? Do your own research then... a simple search for sg3100 benchmark will show you YouTube videos of people pushing gig through it..

      Here is a thread where a user had a switch causing him issues, using a sg3100 doing gig.. on a "speedtest" site
      https://forum.netgate.com/topic/132615/new-sg-3100-with-gigabit-comcast-line-can-t-get-over-540mbps/7

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      1 Reply Last reply Reply Quote 0
      • F
        FrontierDK
        last edited by

        I get that the purpose of a firewall is to isolate oneself. But doing research, I find tons of people complaining about poor throughput, after which people are told to use hardware offloading, disable filters etc (in short - removing all security). And...in all found YouTube videos, throughput tests are done using local connections (and routing) only - no testing using 1Gbit WAN connections, with package filtering etc.

        I'll continue doing research...

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          I have no idea what you're going on about to be honest.. The first video that comes up about sg3100 benchmarking is doing it with suricata enabled as an example. Still pushing gig..

          So now you're asking for netgate to publish benchmarking tests with every possible combination of packages running?

          Tons of people complaining about what hardware? You find tons of people complaining about netgate hardware not being able to do what is stated on their page about its performance? Or you find shit where people are asking hey I just got gig from X, but my laptop via wireless isn't seeing it sort of nonsense? But the router lists 1700 mbps on its box! ;)

          1 Reply Last reply Reply Quote 1
          • I
            iqjet @FrontierDK
            last edited by

            @FrontierDK said in Real gigabit throughput:

            Hi all.

            Just got my Zyxel VPN100 yesterday, and the results are quite sad...so having a server with little more than 40 domains etc., I was thinking about putting a pfsense PC together with 10Gbit NICs together....

            Has anyone here made their own PC which is able to actually do the 1Gbit (minus overhead)?

            Certainly without any problems incl. Snort & pfblocker.

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Local testing, using iperf3 for example, is the only way to get any sort of replicable, comparable result.

              Just hitting speedtest.net is nice to see but it can vary just between tests at the same location let alone on different 1G connections to different servers.

              Steve

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                @FrontierDK said in Real gigabit throughput:

                I get that the purpose of a firewall is to isolate oneself. But doing research, I find tons of people complaining about poor throughput,

                For pfSense or in general?

                after which people are told to use hardware offloading, disable filters etc (in short - removing all security).

                It depends on what you mean by "hardware offloading" in this context. There are some devices that have ASICs to enhance packet processing at very high speeds but these also tend to be less complicated devices which lack features found in firewalls like pfSense.

                Disabling filters will gain performance but I find it difficult to believe anyone would tell you to do that on pfSense. It may be common for other more hardware-focused platforms (e.g. Ubiquiti), but not here.

                And...in all found YouTube videos, throughput tests are done using local connections (and routing) only - no testing using 1Gbit WAN connections, with package filtering etc.

                Most random tests you find online are not very well-defined. You would probably have trouble replicating their results. Which is why we publish as much information as we do about the test results on our site.

                A few random facts:

                • Testing with iperf3 is mostly a best-case large packet scenario. You'll probably get that high only for very large bulk transfers which aren't as common as you might think. It's useful from a raw performance standpoint but not reflective of real-world traffic patterns.
                • IMIX testing is the best comparison for real-world traffic. There is no way to 100% replicate a typical user load for testing but IMIX gets the closest. The results will almost always be slower than iperf3 because there are very small and medium size packets mixed in which are more difficult to pass. But if a device can pass IMIX faster than the speed of a single port, that's a good sign that it will handle most common loads very well.
                • In some cases you might also see 64-byte packet test results, these are a worst-case torture test. If something can pass line rate at that packet size, you know it will handle anything you can toss at it. These don't get published as often because it's not a common real-world scenario and if the numbers are low, it can look bad even if the device is capable of passing more than enough larger packets.

                In terms of trusting results when comparing hardware, the most reliable figures would be, in order: 64-byte tests, IMIX tests, iperf tests (and other speed tests). If it were me researching hardware, I'd tend to go for the IMIX test results if the company publishes them.

                Whether you look at the numbers with/without firewalling enabled depends on your scenario but most people are interested in the numbers with firewalling enabled. L3 forwarding is nice to know for routing scenarios but it's a less common need. Mostly it gets included because it's a high number and shows what the hardware is capable of handling when unencumbered.

                As for pfSense packages, those can certainly take a bite out of the potential total max throughput of any device, but there are so many different combinations and configurations that it's impossible to test even fairly common combinations reliably.

                With pfSense, if someone is recommending hardware offload they are probably talking about encryption for VPNs. Using hardware with AES-NI built in, along with AEAD ciphers, can gain you tons of performance for VPNs. That would not impact total unencrypted throughput, however.

                Ultimately whether or not you choose to believe the numbers on the site is up to you, but just because other vendors publish shady numbers doesn't mean Netgate does. For years, we didn't publish speed test numbers because we didn't have a reliable and repeatable set of test scenarios like those currently found on the page.

                1 Reply Last reply Reply Quote 0
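
The relationship between the 64-byte, IMIX and large-packet tests described in the post above, as an added example that is not part of the original thread: a firewall's cost is mostly per packet, so the same packets-per-second budget yields very different Mbit/s figures depending on frame size. Assumptions: a 1 Gbit/s Ethernet link, the commonly cited simple IMIX mix (7:4:1 of 64-, 594- and 1518-byte frames), and a constructed device limit of 500,000 packets per second.

```python
"""Packet-rate arithmetic behind 64-byte, IMIX and large-packet test results."""

# Bytes each frame costs on the wire beyond the frame itself:
# 7-byte preamble + 1-byte start delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD = 20

# Assumed profiles as {Ethernet frame size in bytes, FCS included: weight}.
# "imix" is the commonly cited simple 7:4:1 mix, not a figure from this thread.
PROFILES = {
    "64-byte": {64: 1},
    "imix": {64: 7, 594: 4, 1518: 1},
    "large": {1518: 1},
}


def avg_frame(profile):
    """Weighted mean frame size of a profile, in bytes."""
    return sum(size * w for size, w in profile.items()) / sum(profile.values())


def line_rate_pps(profile, link_bps=1_000_000_000):
    """Packets per second needed to fill the link with this profile."""
    return link_bps / ((avg_frame(profile) + WIRE_OVERHEAD) * 8)


def throughput_bps(profile, device_pps, link_bps=1_000_000_000):
    """Frame bits per second a device forwarding at most device_pps can carry."""
    pps = min(device_pps, line_rate_pps(profile, link_bps))
    return pps * avg_frame(profile) * 8


def report(device_pps):
    """Return (profile, line-rate pps, Mbit/s carried) rows for one device."""
    return [
        (name, round(line_rate_pps(p)), round(throughput_bps(p, device_pps) / 1e6, 1))
        for name, p in PROFILES.items()
    ]


if __name__ == "__main__":
    # Constructed device: a forwarding budget of 500,000 packets per second.
    for name, pps, mbps in report(500_000):
        print(f"{name:8} line rate {pps:>9,} pps -> {mbps:6.1f} Mbit/s")
```

The constructed device fills the link for IMIX and large frames but carries only 256 Mbit/s of 64-byte frames, which is why a large-packet result alone says little about how a firewall behaves under small-packet load.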
                • H
                  Harvy66
                  last edited by

                  @FrontierDK said in Real gigabit throughput:

                  Has anyone here made their own PC which is able to actually do the 1Gbit (minus overhead)?

                  I have a Haswell i5 3.1GHz with Intel i350-T2. iperf TCP through the firewall is ~940Mbit/s, but I couldn't get the TCP segments any different than the default 1500 bytes. I switched to UDP, but a single Windows client couldn't reach full 1Gb doing UDP. So I had to use both of my desktops to iperf UDP a remote public 1Gb iperf server. I was seeing 1.4mil+ pps ingress LAN and 1.4mil+ PPS egress WAN at 17% CPU interrupt spread across all 4 cores. That was with HFSC+codel traffic shaping enabled.

                  F 1 Reply Last reply Reply Quote 2
                  • F
                    FrontierDK @Harvy66
                    last edited by

                    @Harvy66
                    Thank you for a very useful answer ☺

                    1 Reply Last reply Reply Quote 0
                    • F
                      FrontierDK
                      last edited by

                      No, just 1. And it's the one used by 99.999999% of the people owning a firewall: 1 wire to WAN, 1 wire to your PC. NAT + firewall are activated. That...is how most people use a firewall. So why not release the numbers on just that?

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        What are you replying to there?

                        1 Reply Last reply Reply Quote 0
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.