J1900 performance
-
A lot of intriguing info here. I’m am looking to jump to Pfsense but not sure what hardware to go to yep. I have fiber to the home (1Gb/1Gb) and my FW does all my PPPOE. I currently have a J1900 Supermicro running Sophos UTM and with only firewall running, I have seen as high as 980 down and up. That was the NIU plugged right into my FW handling PPPOE wan side then into a TP Link managed switch then my PC all links Gb. I don’t run IPS or IDS as that cuts speed in half.
So two questions. What is the PPPOE issue referenced above?
And what hardware for PfSense can handle FW/IPS/IDS and maintain near Gb line speed?
Thanks!
W -
Short answer: Any Intel Core CPU with an Intel NIC. IMHO
Long answer:
I am using an old PC with an Intel 4 port NIC. Speed tests do not see a real difference behind pfSense or just my ATT router. I am not running any packages, just some rules.fiber -> ATT Router -> pfSense = about 980 up and down @20% CPU.
Intel(R) Core(TM) i3 CPU 540 @ 3.07GHz
4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
AES-NI CPU Crypto: NoUsing proper placement of PCs I did push it to around 1.7Gb, but ran out of desire to test further. Still did not make it busy.
-
It's this: https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#pppoe-with-multi-queue-nics
The igb NICs in the J1900 could normally have 4 queues and all 4 cores servicing them. But with PPPoE all frames are sent to the same queue so only one core can service it. The single core performance of the J1900 is not that special. You won't see 1G over PPPoE using it with anything FreeBSD based.
Steve
-
@andyrh thank you!
-
@stephenw10 said in J1900 performance:
It's this: https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#pppoe-with-multi-queue-nics
The igb NICs in the J1900 could normally have 4 queues and all 4 cores servicing them. But with PPPoE all frames are sent to the same queue so only one core can service it. The single core performance of the J1900 is not that special. You won't see 1G over PPPoE using it with anything FreeBSD based.
Steve
Thank you! So this is a FreeBSD thing? Just dipping my toe into PfSense so it’s educational. Do the i210 nics help with this at all? The Sophos thing I’ve been doing these last 5 years is Linux based I think.
-
Yes, it's a FreeBSD issue. There are no NICs I'm aware of that can hash the PPPoE frames with the on-board hardware.
The J1900 also seems to have worse than expected throughput even allowing for this. Not really sure why.
Steve.
-
@azcoyote yes it's freebsd. there are some kernel settings to change its behavior to be more like the way linux does it, but there have been not a lot of reports because (frankly) PPPoE is stupid for last mile connectivity and most ISPs have moved away from it--so there aren't a lot of people to play with it, and those that are left and using pfsense have mostly moved on to other hardware. (Talking about net.isr.dispatch=deferred and net.isr.maxthreads=-1)
-
@vamike "PPPoE is stupid for last mile connectivity" --> agreed
"most ISPs have moved away from it--so there aren't a lot of people to play with it" --> completely disagree; depends on what is your personal experience in your country with your ISP. In my country, the biggest Gbit fiber ISP uses PppoE, and they dont advertise when they gonna abandon it. So its still an issue for a lot of people.
Pcengines Apu2-3-4-5-6 are still sold in 2021, so if that's the choice of hardware for anybody as a home router for their Gigabit PppoE WAN, they will still face this bottleneck even in 2021 February.
-
Yeah, that is very location dependent. Here in the UK most soho level connections are DSL with PPPoE. None are Gigabit though so....
-
@soder fair enough. I'll amend to "my ISP got rid of PPPoE when FTTH was still delivered via 100Mbps ethernet, so it doesn't matter to me". :)
-
@stephenw10 said in J1900 performance:
Yeah, that is very location dependent. Here in the UK most soho level connections are DSL with PPPoE. None are Gigabit though so....
Hmmmm, CenturyLink in AZ does FTTH and it’s still PPPoE. So until they get away from that, PfSense would not be the best answer for me? This is my 5 year hardware/software review to find something that will do 1 Gb throughout with IDS/IPS on. I may lean to the UniFi Dream Machine Pro at this rate if I cannot find a solution via PfSense or Sophos.
-
If the CenturyLink FW is working at 1Gb, could you not just put the pfSense FW behind it? Let CenturyLink do the beloved PPPoE work and let pfSense do the rest.
I have ATT and I have to leave the ATT FW in-place for the connection to work. pfSense behind ATT and I still get better than 980Mbps. ( No IPS on pfSense) -
@andyrh I did a speed test then pulled the CL “firewall” right their tech left. My FW handles PPPOE better than theirs and VPN and so on. Putting it back isn’t an option as A) that CL router with 2.4 WiFi junk is a bottleneck & B) the less ISP hardware the better.
-
@azcoyote B) Agreed, if I could, I would ditch the ATT HW. A) I turn off the ATT WiFi, from time to time ATT turns it back on.
I hope you find what you are looking for.
-
pfSense will work fine there, you just need something with better single core performance that a J1900.
To be honest I'm not sure why anyone would buy a J1900 new at this point unless it was very cheap. That discussion has already happened in this thread though.
Steve
-
@andyrh said in J1900 performance:
@azcoyote B) Agreed, if I could, I would ditch the ATT HW. A) I turn off the ATT WiFi, from time to time ATT turns it back on.
I hope you find what you are looking for.
Thank you! A) what jerks!
B) does PfSense have a way/plan to address this in the future?
-
@stephenw10 said in J1900 performance:
pfSense will work fine there, you just need something with better single core performance that a J1900.
To be honest I'm not sure why anyone would buy a J1900 new at this point unless it was very cheap. That discussion has already happened in this thread though.Steve
Lol. For sure. My little J1900 was purchased 5 years ago so it’s gotta be time for a move to new hardware. It’s viable as just a simple FW with some basic rules. Buts that is definitely all.
-
There is:
https://github.com/MonkWho/pfattAnd there are ways to extract the cert from the router so you don't need it at all. I've never seen that on pfSense though. And both are completely unsupported.
Steve
-
@azcoyote said in J1900 performance:
@stephenw10 said in J1900 performance:
pfSense will work fine there, you just need something with better single core performance that a J1900.
To be honest I'm not sure why anyone would buy a J1900 new at this point unless it was very cheap. That discussion has already happened in this thread though.Steve
Lol. For sure. My little J1900 was purchased 5 years ago so it’s gotta be time for a move to new hardware. It’s viable as just a simple FW with some basic rules. Buts that is definitely all.
it would be fine without pppoe or on linux, but for pfsense you need to throw hardware at it. (or not--the ifr stuff might even work.) since you were planning to buy a unifi, you could spend the same money on beefier hardware. you really just need to decide what you want to use for software.
-
@stephenw10 said in J1900 performance:
There is:
https://github.com/MonkWho/pfattAnd there are ways to extract the cert from the router so you don't need it at all. I've never seen that on pfSense though. And both are completely unsupported.
Steve
Oofda. And I thought the VLAN magic I had to find to connect to my CL ONT was a trick. That is quite the process!
