QoS impact on LAN to WAN bandwidth, hardware requirements?
-
I have long admired pfsense from a distance, but my Draytek 2130 consumer router with hardware NAT was able to keep up with my humble Comcast 50/5 Mb connection for the past 5 years. I upgraded the modem and service to 250/25, with the consequence being the discovery that (I think) hardware NAT is not usable in the context of QoS in a consumer router. If I try and set the available bandwidth in QoS anywhere near what is actually available it stutters VoIP. Other applications often running are FTP and bittorrent.
So my PFSense question regards WAN to LAN NAT bandwidth with QoS in use. I would like to get significant margin over my 250/25Mb connection. 1Gb symmetric would be nice for future proof and all, but I suspect I would pay dearly for that.
Can anybody here point me to a resource regarding the impact QoS has on the hardware required for a given bandwidth? I have seen a list on this site here, but it says stuff like "home office" and "remote worker" as opposed to actual bandwidth. Not to mention the impact I assume QoS will have.
-
pfSense is a 100% software firewall/QoS system. I think ALTQ (the QoS sub-system) introduces about 10-20% CPU overhead.
Check the "Hardware" sub-forum for some real-world examples of what speeds you can expect. https://forum.pfsense.org/index.php?board=5.0
Bittorrent will mess up almost everything unless you limit it's download & upload speeds. It's easiest to use the bittorrent client's bandwidth limiting capabilities rather than relying on your router's QoS.
-
pfSense is a 100% software firewall/QoS system. I think ALTQ (the QoS sub-system) introduces about 10-20% CPU overhead.
Check the "Hardware" sub-forum for some real-world examples of what speeds you can expect. https://forum.pfsense.org/index.php?board=5.0
Bittorrent will mess up almost everything unless you limit it's download & upload speeds. It's easiest to use the bittorrent client's bandwidth limiting capabilities rather than relying on your router's QoS.
Although I can and do limit bittorrent bandwidth within the program, I have been successful confining both bittorrent and FTP to a small range of high-numbered ports. I then set these port ranges as low priority. It does appear to work, at least with my current router.
While a VoIP phone call doesn't need much bandwidth, a facetime video call or software download does. Dynamic allocation of bandwidth is a great thing.
-
HFSC gives you strong control over bandwidth distribution while allowing other classes of flows to use spare capacity. I have a pretty over-powered system of an i5 3ghz quad and Intel i350-T2, and I'm only seeing about 10% cpu usage when running at 2Gb/s(1Gb full-duplex). Even when I used iperf to forcefully push 960kpps 64byte UDP packets, I was only seeing about 7% cpu usage. Seems UDP is much easier to process than TCP, probably because of the state validation.
The network card is the single most important part. The second is the CPU. You really don't need a high frequency CPU, just one with a decent amount of cache and not something like an Atom that has been aggressively optimized for low power. My next system, whenever that may be, will target 2.5ghz and 8 cores with decent cache.
-
HFSC gives you strong control over bandwidth distribution while allowing other classes of flows to use spare capacity. I have a pretty over-powered system of an i5 3ghz quad and Intel i350-T2, and I'm only seeing about 10% cpu usage when running at 2Gb/s(1Gb full-duplex). Even when I used iperf to forcefully push 960kpps 64byte UDP packets, I was only seeing about 7% cpu usage. Seems UDP is much easier to process than TCP, probably because of the state validation.
The network card is the single most important part. The second is the CPU. You really don't need a high frequency CPU, just one with a decent amount of cache and not something like an Atom that has been aggressively optimized for low power. My next system, whenever that may be, will target 2.5ghz and 8 cores with decent cache.
Thanks for the info, HFSC sounds like what I need. I'll have to read up on it, whether traffic is prioritized by DSCP tag (fine for outgoing as I control the tags) or port number and/or IP address (incoming, can't rely on DSCP tags).
All the sub-kilobuck appliances sold at the pfsense store use flavors of Atom like the SG-2220 or SG-4860. I'm not sure I need any more ports than WAN and LAN, as I have a Netgear GS716Tv3, which I think can do VLAN for traffic segregation. If I could figure out how to use it.
What do you think are reasonable CPUs for QoS-ing the entirety of 250Mb or greater cable connection, if not the Atom appliances? I do use VPN occasionally, although highest performance here, while nice, is not a huge deal. So I would want a processor with AES-NI also? Intel NICs are a given, from what I've read.
Thanks for the help,