Throughput limited in transparent bridge?!

  • Hi,
    as mentioned in this thread I configured a PC with two 1 Gb/s nics to a transparent bridge.
    The firewalling works quite well, but i only get half of the throughput through the bridge.
    For example, if I copy a large file (iso file) from an external PC to one internal pc behind the bridge, I only get 50mb/s copy speed. This happens in both directions.
    The CPU of the firewall is an "Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz" and sits at around 15% usage while copying.
    When I connect the internal PC directly to the external switch I can copy files with full gigabit speed, nearly 110mb/s.

    Any hints, from where the limiting can come from? I didn´t configure anything (aware) about traffic limiting or similar in the pfsense box.


  • After some internet research, I slowly come to the assumption that the bridge device per se can only run as a half-duplex device "by design" and therefore delivers a throughput of only 500 mbit/s.
    Could someone please confirm that to me?

    Thank you very much

  • LAYER 8 Global Moderator

    What did you think was going to happen?

    Why do you think everyone says get a switch vs bridging ports?
    Yes bridging is going to be a performance hit! It should only be done when actually required!!! To accomplish X... If you can do X a different way you should!
    Why are you not just routing vs trying to bridge.. Or just use a switch if you need ports on the same L2?

  • Sorry, I´m new to this business and I haven´t thought about this specific theme yet.
    The network constellation I´m working with in this case is given and sadly I´m not able to change anything about it.

    Nevertheless, thanks for the clarification about the bridge.

  • @menace

    Does my post here help you?

    Disregard the bullet point for creating limiters and floating rules. Apply firewall rules to the interfaces that are members of the bridge. Performance increase? 😀

  • @uptownVagrant
    sadly your posted didn´t help for me. I tryed to apply the rules to the bridge member interfaces, but didn´t get any better performance. I´m still stuck at about 500 mbit througput.

    I have to come back to the "bridge only half duplex" thing.
    At the moment we have a transparent network-bridge running, which is dividing two network segments (same IP range on both sides of the bridge). The bridge is running on a physical server with open Suse. There is nothing special configured, only the two NICs are combined to a bridge and ip tables rules are set for the filtering. No IP adress is given, the bridge has to be configured / monitored via the local console of the server.
    Ironically in this scenario I have full 1 Gbit speed through the firewall bridge. A server "behind" the bridge can copy with nearly full 110 mb/s speed from a machine on the other side of the bridge, with firewall rules enabled.
    So now I´m wondering why we don´t have the "bridge only half duplex" thing in this scenario?
    Because of this I´m reviewing about my consideration from above that bridges can only run in half duplex mode...

  • @menace it does work but I noticed I had a limiter still configured in the uploaded xml on the other post. I used a single Flent client on the LAN side of the bridge and a single netperf server on the WAN side.

    Here is an updated config below. Images show GigE saturation at most points during the two minute test:



    Edit 1:
    And just for fun here's what the Flent graph looks like when FQ and BBR are enabled on the Netperf server on the WAN side. Much better efficiency with regard to the congestion control.

  • @uptownVagrant
    many thanks for your help!!
    I imported your config on my firewall and played around with it a bit. Sadly I didn`t get any more performance in relation to the stuck traffic at about 500 mbit/s I had before.

    The PC I´m testing with has 1 Gbit onboard lan and two 1 Gbit Intel nics. The two Intel ones are the nics I´ve been using the whole time. After testing with your config I desided to switch the "LAN" port from the Intel nic to the onboard nic.


    After changing this I could get full 1 Gbit/s (110 Mb/s) copy speed through the firewall-bridge, at least in one direction.
    The other direction still makes only about 60Mb/s, probably because of the Intel nic on the WAN port.

    So in my opinion, I struggled the whole time with some incompatible ore crappy network cards in my specific hardware constellation, which caused my traffic bottleneck through the bridge...
    In principle, my configuration was correct the whole time, unfortunately it was not the hardware...

Log in to reply