• 0 Votes
    4 Posts
    382 Views
    A

    I'm interested in ballpark IMIX and IPERF over IPSEC throughput for these older models

    8 core CPU - C2758 any results from models SG-8860, C2758 4 core CPU C2558 SG-4860, E3845 MBT-4220 C2358 SG-2440 2 core E3826 MBT-2220 C2338 SG-2220

    Or -

    Where do these older boxes line up against the 4100 and 6100 appliances in terms IPSEC throughput?

    For ipsec throughput, are there general trends / corellations with core counts vs base cpu clockspeed vs number of tunnels

    acknowledging in practical terms, we're probably bottlenecked by the ISP's offnet traffic shaping

    Qualitatively, how does Wireguard throughput compare against IPSec without QAT acceleratoin on CE ?

    I'll assume past C3558 based appliances, perform roughly about the same as the 6100, assuming 1 gbit interfaces.

    I got side tracked with IPERF3 - the top google result points to an out of date windows binaries from 2016.
    Future readers looking for an IPERF3 Windows client, should visit the IPERF3 author/developers at https://software.es.net/iperf/ for a link to current binaries.

    Here's a data point from a pair of SG-2220 's

    2 core atom C2338, no QAT
    Running Plus ( 23.01 )
    Through NAT , minimal firewall rules, 500 to 600 mbit throughput ( Iperf3 , and netflix's fast.com )

    IPERF3 over IPSEC
    IPERF3 3.13, Windows clients on interface ETH1, and IPSEC ( async crypto on, AES-128-GCM VTI ) on ETH0
    I get between 275 and 350 mbit, depending on IPERF3 options, number of streams (-p) , uni vs bi directional etc.

    Packet capture of the IPSEC interface showed a 1360 byte TCP payload, in agreement with a 1400 byte MTU
    A back of the envelope calc yields about 33k packets per second.

    I couldn't get the windows binarier of IPERF3 to generate smaller frames. The MSS option may not be implemented on the windows version.

    (With AES disabled / misconfigured as QAT under system, advanced, misc, throughput was about 110 mbit. )

  • 0 Votes
    5 Posts
    807 Views
    L

    @ben_p In the UI, Diagnostics Menu | Command Prompt | Execute Shell Command

  • iperf bitrate differences... why?

    General pfSense Questions
    6
    0 Votes
    6 Posts
    2k Views
    gnitingG

    Yes, it is official, I am stupid! 🙄

    I use limiters and I had them also acting on my LAN interface! I've now updated the relevant firewall rule to only apply when "destination NOT LAN net." With that change, iperf is now back to normal.

    Connecting to host 192.168.7.1, port 5201 [ 5] local 192.168.7.2 port 58164 connected to 192.168.7.1 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 74.1 MBytes 622 Mbits/sec 0 840 KBytes [ 5] 1.00-2.00 sec 70.0 MBytes 587 Mbits/sec 0 1.53 MBytes [ 5] 2.00-3.00 sec 70.0 MBytes 587 Mbits/sec 0 1.70 MBytes [ 5] 3.00-4.00 sec 71.2 MBytes 598 Mbits/sec 1 1.24 MBytes [ 5] 4.00-5.00 sec 70.0 MBytes 587 Mbits/sec 0 1.37 MBytes [ 5] 5.00-6.00 sec 70.0 MBytes 587 Mbits/sec 0 1.47 MBytes [ 5] 6.00-7.00 sec 70.0 MBytes 587 Mbits/sec 0 1.55 MBytes [ 5] 7.00-8.00 sec 70.0 MBytes 587 Mbits/sec 0 1.61 MBytes [ 5] 8.00-9.00 sec 70.0 MBytes 587 Mbits/sec 1 1.18 MBytes [ 5] 9.00-10.00 sec 70.0 MBytes 587 Mbits/sec 0 1.26 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 705 MBytes 592 Mbits/sec 2 sender [ 5] 0.00-10.02 sec 703 MBytes 588 Mbits/sec receiver iperf Done.

    Thank you @johnpoz @stephenw10 for the hints and setting my mind on the right path.