Voodoo to get 10gb NIC working
-
I have done all sorts of tests but it refuses to work.
Is there any magic required to get 10gb NIC working on C2758 platform?
-
from the results of your tests in that thread it seems you're just CPU bound, and you are on an atom (granted a good one). pf/firewalling doesn't come free, 2gbps of traffic filtering on an atom is honestly pretty good (although I could be off the mark)
it went up even more with an MTU of 9000 as that's a lot less pps to filter
are you testing from a system on the lan, to the lan interface on the router? (e.g. which interface are you binding iperf to in pfsense). if you bind to lan and test from lan, you should get closer to 10gbps as it's not hitting pf, that rules out any OS issues slowing the physical card down. In your latest test, with pf disabled (i.e. no filtering) you hit basically 10gbps, which is exactly as it should be, so not seeing any issue so far. That rules out any weird system/OS variables limiting the card's performance, and the same reason you got 10bps in vanilla freebsd, it wasn't doing any packet filtering. It looks like you originally had slow throughput on pfsense even with no filtering but disabling TSO fixed that up
I would bind iperf3 to the wan address with PF on so you can test throughput all the way through pfsense making sure you're hitting pf and watch the cpu usage via top or htop (pkg install htop) to see if it's saturating your system. I'd imagine at 2gbps it is
if you're expecting 10gbps of 1500 mtu packet filtering firewall throughput on an atom, you're dreaming :) a 4790k or equivalent xeon would do good here, about three times the processing power of the atom you're running. If you search the forum for 10gbe pfsense you'll see getting that much throughput through the firewall is basically voodoo at this point, especially with certain packages. no doubt, there's people out there who are doing it, but generally they brute forced the problem with a thousand dollars worth of xeons
tldr: not getting close to 10gbps throughput on the interface itself with no packet filtering = something's going on. however only getting 2gbps of firewall throughput on a C2758 = pretty good, honestly
-
tldr: not getting close to 10gbps throughput on the interface itself with no packet filtering = something's going on. however only getting 2gbps of firewall throughput on a C2758 = pretty good, honestly
Normally, on other systems or on other OSes (routers or firewalls), you may also get only
something between 2 GBit/s and 3 GBit/s as real throughput; this is normal and there is nothing
wrong with it. I personally think it is something based on the configuration, because the
XG-2758 also comes with two 10 GBit/s interfaces. But this perhaps depends
on the special tunings and pfSense version that come along with those devices.
I would try out, if there is a chance to realize it, a bigger CPU and RAM, let us say
something such as an Intel Xeon E3-12xxv3 >@3,0GHz or an Intel Xeon E526xxv3; this may
be a better chance to get more out of that. On the LAN side you might be getting more out
of that, because pf and NAT are not done there, and together with a bigger or stronger switch
you will see totally different numbers, depending on the capability of the NIC to fully offload VLAN
and other options!
What is the real WAN speed you get from your ISP, trumee?
-
Wouldn't you want the highest GHz possible for that kind of throughput since the firewall is technically doing the work single threaded?
I'd try to see what a 4GHz+ chip would do. Maybe even overclocked with some cooling.
IPC is the name of the game - specifically single core IPC performance.
-
I'd try to see what a 4GHz+ chip would do. Maybe even overclocked with some cooling.
Perhaps it would be nice to set it up in a VM, then it might not really be bound to the single CPU core
or am I wrong now?