Speed of bridged ports?

  • I am running a dedicated hardware pfsense box that has physical 1GB adapters.

    I have configured the WAN and OPT1 ports as a bridged pair.  The WAN port goes to my cable modem and the OPT1 goes to a NAT router.

    When i do a speed test from behind the NAT router i get about 98Mbps when pfsense is inline and if i plug the NAT router into the cable modem directly i get around 170Mbps.

    Are bridged ports limited to 100Mbps?
    Have i likely configured something wrong?

    PS go easy on me, this is first time I have ever installed pfsense! (i really like it!)

  • Looks like this maybe a coincidental Comcast issue.  Would still be nice to know if bridged ports should run at full speed.

  • LAYER 8 Global Moderator

    pfsense is really designed to replace your nat router..  Why do you want to put it in bridge mode between internet and your existing nat router?  What would be the point of such a setup??

  • Haha yes it's odd approach (but there are enough docs about it that many still do it.)

    In this case it's because I am running a ubiquiti unifi system.  Their USG provides other insights when it is used as a router / firewall.  Those of us running that don't want to loose those insights, but there is no way to turn the USG into a passive sensor (I.e bridge it's WAN / LAN port at layer 2 and perform zero NAT, firewall and routing functions.

    Luckily Ubiquiti are a company and are listening and will try and fix.  In the meantime the transparent firewall mode of pfsense was interesting experiment.  It works really well and doesn't seem to impact latency or functionality in any way that matters.  Once the USG supports passive / bridge then the pfsense will be my NAT again.

    Anywho - there are times where one might want to use only passive features like suricata and squid without NAT firewall.  Pfsense is a great general purpose platform for that.

    Our crazy path to that got us to here http://community.ubnt.com/t5/UniFi-Routing-Switching/Intrusion-Prevention-Detecton/td-p/1594810/highlight/true if you are interested. Again more of a thought experiment than a best practice :-)

  • LAYER 8 Global Moderator

    "use only passive features like suricata and squid without NAT firewall."

    Then do that what does that have to do with pfsense??  So your wanting to run pfsense in transparent mode because you want to run a package??

    That really makes no sense at all.. If you want X then run X, why would you use a highly modded version of freebsd that is designed to be your nat router to run those packages?  Its like a previous thread where guy wanted to run pfsense just to run unbound.. WTF??

    Yes I can see where transparent mode has some use cases..  Like when you want to put it front of your public network..

    But you stated in your OP you were not doing any firewall functions
    "I.e bridge it's WAN / LAN port at layer 2 and perform zero NAT, firewall and routing functions."

    So do you think that bridging has no hit on your throughput?  How do you think packet gets from nic 1 to nic 2?  What hardware are you running this on?  How you would normally passthru traffic and view that traffic would be with a hardware tap if you were worried about the performance hit on the packet flow.

  • See there's your problem - using logic and sense while evaluating how i got here:-)

    I had no idea what pfsense could and couldn't do before i started this.  Never used it until a week ago, only marginally aware of it. I had the perception that it is a platform of components that one can use.  You see pfsense as a firewall - i see it is a comprehensive 'security platform' of things i can use as i see fit. Both are true.

    I don't need the pfsense firewall / NAT(because i can't turn off the one i have.. and don't want to double NAT or double firewall)

    As such all the outbound connections i want to block with my off the shelf pfsense box are done at the squidguard / suricata level.

    This can be done in one of two locations - between the cable modem and my router or between my router and the rest of the network.  Either way i need to bridge as I want it transparent, i don't want to mess around with wpad.

    pfsense gives me easy to use turnkey system to do this, i don't want to install linux - i have no no interest in maintaining a linux machine -  i bought a box with pfsense installed that does the job i need it to in an easy way is great - not sure why you are so horrified about what pfsense modules / features and packages I do or don't choose to use

    I wasn't worried about the performance - I was just checking to see if the bridging might be causing the drop in throughput - turns out comcast mucked up my connection - pfsense in transparent mode has no impact in my scenario (home use)

    I have a turnkey tool that does what I need it to and easy to get working and maintain - bloody brilliant in my book.  If you want to install a linux distro and install packages on that  etc etc more power to you i won't judge.  But that's not for me.  Having just learnt about security onion - maybe that's more suited to my need, thats where i will play and experiment next.

    So consider this just a journey of discovery for me - i now understand what pfsense is.  I have made no call on what I will finally do.  And if and when UBNT let me turn off the firewall / NAT on my USG device i will do that and likely revert the pfsense to non-bridged mode and use it as my NAT and firewall at that point.

Log in to reply