Netgate Discussion Forum

    Abysmal performance of OpenSSL on pfSense under KVM

      pfbolt

      Running the OpenSSL speed test for aes-256-cbc on a host system with dual Xeon E5-2620 v4 CPUs, I get ~300m 16-byte blocks a second: https://paste.c-net.org/SnuckBloods

      In a Linux VM, with 8 cores allocated to it, I get ~290m blocks: https://paste.c-net.org/SewageRonna

      On a pfSense VM, with 8 cores allocated to it, I get 1/10th of that performance: https://paste.c-net.org/DarlingWallet

      KVM is set up for host CPU pass-through, so AES-NI is visible and loaded on pfSense:
      https://paste.c-net.org/GoaliePickles

      Why is OpenSSL performing so poorly on my virtualized pfSense machine?

        pfbolt

        I reproduced the problem with the LiveCD. The speed of OpenSSL is comparable to the native speed of the machine, until cryptodev is loaded: https://paste.c-net.org/DiddlyPhilly

        What gives?

          Pippin

          OpenSSL has built-in code to "talk" to a hardware crypto device.
          So it's not a good idea to enable the kernel crypto module (aesni.ko), as that will lead to more context switching (userland to kernel and back).

          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
          Halton Arp

            pfbolt

            I thought AES-NI was going to be required from pfSense 2.5 onwards? At least it doesn't seem to be discouraged...

            I confirmed my LiveCD findings, however, by disabling cryptodev in the "Advanced" section of the KVM virtualized pfSense instance, leaving only AES-NI. OpenSSL runs at host-comparable speeds now. Use of the cryptodev module is what makes it slow.
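
The comparison made in this thread (the same `openssl speed` run with and without cryptodev loaded) can be scripted. This is an added example, not code from any poster or from pfSense. The function names `speed_16b`, `slowdown` and `check` are hypothetical, and the sample figures are constructed, not taken from the linked pastes.

```shell
#!/bin/sh
# Compare two `openssl speed` summaries (e.g. cryptodev loaded vs. unloaded).
# Function names and sample figures are constructed for illustration.

# Print the 16-byte-block throughput (1000s of bytes/s) from the summary row.
# EVP runs label the row "aes-256-cbc"; non-EVP runs print "aes-256 cbc".
speed_16b() {
    awk '
        /^aes-256[- ]cbc / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9.]+k$/) { sub(/k$/, "", $i); print $i; exit }
        }'
}

# Ratio baseline/candidate to one decimal place; >1 means candidate is slower.
slowdown() {
    awk -v base="$1" -v cand="$2" 'BEGIN {
        if (cand + 0 <= 0) { print "no throughput parsed" > "/dev/stderr"; exit 2 }
        printf "%.1f\n", base / cand
    }'
}

# Report DEGRADED when the candidate is at least $3 times slower (default 2).
check() {
    ratio=$(slowdown "$1" "$2") || return 2
    awk -v r="$ratio" -v t="${3:-2}" 'BEGIN { exit !(r + 0 >= t + 0) }' \
        && echo "DEGRADED ${ratio}x" || echo "OK ${ratio}x"
}

# Constructed sample summaries (not the contents of the poster's pastes).
BASELINE='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     540000.00k   560000.00k   565000.00k   566000.00k   567000.00k'
WITH_CRYPTODEV='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      54000.00k   190000.00k   410000.00k   520000.00k   560000.00k'

b=$(printf '%s\n' "$BASELINE" | speed_16b)
c=$(printf '%s\n' "$WITH_CRYPTODEV" | speed_16b)
check "$b" "$c"
# Live use: openssl speed -evp aes-256-cbc 2>/dev/null | speed_16b
```

Capture one value before and one after changing the cryptodev setting, then pass both to `check`.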

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.