PFSense in huge traffic environment problem



  • Hello everybody!!

    We are testing a configuration of PFsense in a "HUGE" traffic environment in a L2 bridge scenario, with a really big packet rate, and the results haven't been satisfactory.

    PFsense is running on a Huawei Server V3 Class with big performance, a lot of CPU (20 cores) and RAM (64 Gb), 2x10 Gb network ports. Then, with professional traffic generator equipment, without any DENY rule, the only rule on bridge is PASS all,…traffic across the bridge only rises to 1.5 Gbs, and the strange thing is that when I mark "Disable all packet filtering" on the "system_advanced_firewall" tab, traffic rises to 3.7 Gbs with the same test. I'm not sure what's happening. Is some kind of optimization necessary? Do some parameters need to be modified?

    Any help will be really appreciated!!



  • I think you should consider commercial support. (portal.pfsense.org)

    AFAIK, FreeBSD won't get anywhere near 10GbE forwarding/firewalling. The developers are your best bet to get the most throughput out of your hardware.


  • LAYER 8 Global Moderator

    Not sure where you would get the idea that FreeBSD cannot do 10GbE? Sure, there are probably some hardware constraints on what is supported that can do it, and some tweaking might be needed.

    Here:
    https://wiki.freebsd.org/NetworkPerformanceTuning

    But I would agree you're going to want to reach out to commercial support for such an endeavor.



  • @johnpoz:

    Not sure where you would get the idea that FreeBSD cannot do 10GbE? Sure, there are probably some hardware constraints on what is supported that can do it, and some tweaking might be needed.

    from: https://blog.pfsense.org/?p=1866
    from: https://forum.pfsense.org/index.php?topic=114270.msg635591#msg635591
    from: https://forum.pfsense.org/index.php?topic=113862.msg634832#msg634832



  • I'm not sure what's happening. Is some kind of optimization necessary? Do some parameters need to be modified?

    Normally you will get something between 2 GBit/s and 4 GBit/s out of a real 10 GBit/s connection, depending on the protocols
    and services used, and your 3,7 GBit/s will then be optimally placed in there, and that is clearly fine.

    So if you want to tell us more about the real hardware that is used, we might be able to get more to one point or another.
    As an example, if you install a Chelsio T520 NIC, which has really good driver support under FreeBSD or pfSense, it would
    perhaps show other results than yours. If you are using an Intel Xeon E5 dual CPU setup, it could really be that you will have
    a good chance to handle that amount of speed fine. But please don't get me wrong at this point; it would be nice to know what
    throughput you will achieve through the pfSense firewall using NetIO or iPerf v3.

    Is this pfSense installation a native install or inside a VM?
    What CPU @0,0GHz and how many cores is that installation built on?

    Can we achieve 10 gigabit speeds using OpenBSD or FreeBSD ?
    [flow 1]  0.0-30.0 sec  32.7 GBytes  9.35 Gbits/sec
    [flow 2]  0.0-30.0 sec  31.8 GBytes  9.12 Gbits/sec

    Getting 10 GBit/s in a test environment gets you perhaps between 2 GBit/s and 4 GBit/s in real life, depending on the
    protocols used and/or the services offered. For sure this can differ from one case to another based on the hardware used and the tuning done
    in the software. Perhaps if you are lucky and they (pfSense team and/or developers) help you out, you could do some
    real-life tests for them, because not all cases and environments are identical, and so they would also be able to find out more about that!?

