Half network performance compared to clean FreeBSD

  • I only get half network performance doing a simple bandwidth test on the LAN side using iperf3,  and this is on a clean pfsense install.
    If I do a clean install of FreeBSD I get full bandwidth, i.e. more than 100MB/s.

    router to client
    [  4]   9.00-10.00  sec  37.0 MBytes   310 Mbits/sec
    client to router
    [  4]   9.00-10.00  sec  49.8 MBytes   418 Mbits/sec

    What does pfsense change/modify in regards to the basic network setup on FreeBSD that is likely to have this effect?
    Or do you have any other clues what to do?

    SuperMicro X7SPE-H (Atom D510, chipset Intel ICH9R, 2xIntel 82574L NICs)

  • this question comes up every couple of days, but lets go again:

    default freebsd is configured as an endpoint / pfSense is configured as a router/firewall.
    freebsd doesn't do firewalling out of the box / pfSense does.
    Disabling firewalling on pfsense will increase your "bandwidth" performance somewhat … it won't be the same as clean freeBSD tho.

    to see' performance you should measure throughput, so instead of running iperf on pfSense run it like that:

    <iperf-client>  ---  <pfsense>---</pfsense></iperf-client>

  • Ahh….it suddenly changed things :-)

    Now I get 112/MBs and no impact on CPU usage at all! :-)

    [  4]   9.00-10.00  sec   112 MBytes   943 Mbits/sec

    I just expected that pfSense's router/firewall functionally wouldn't play any part if I did a router<->LAN test, but I guess I was wrong.
    I would of course expect a decrease in throughput going through the NAT/firewall (WAN <-> router <-> LAN).

    But this is of course not a in-real-life problem, as the pfsense rarely play any other server-role than being firewall.

    Running iperf3 on the router, not only I got the pure bandwidth, but it also used 100% usage.

    Thanks for clearing it out, and I'm sorry I missed the other threads about it…...I did search the forum but I guess I did a wrong search.

  • One of the many differences is iperf is in userland and packets moving to/from the network must go through kernel space to the userland, which is a lot of extra overhead. You can tweak the OS to be better at this, but sometimes comes as other costs. As a router/firewall, the packets stay in the kernel and certain optimizations can be done.

Log in to reply