Real gigabit throughput
-
Hi johnpoz, this is where I start to believe that the numbers are misleading.
Take the SG-5100. The page says
L3 Forwarding: 3.78 Gbps
Firewall: 1.84 GbpsBut...it only has 1 gigabit ports. So either they have invented a new way of pulling more than 1Gbit through a 1 Gbit port, or it's a combined number where LAN traffic or 2-way speed numbers are used?
Even the spec page for the Intel I210 says that it's max speed is 1Gbit. https://ark.intel.com/content/www/us/en/ark/products/64400/intel-ethernet-controller-i210-at.html
-
@FrontierDK said in Real gigabit throughput:
But...it only has 1 gigabit ports.
How is that... The 5100 has
4x GbE RJ45 Intel® SoC Integrated MAC 2 x GbE RJ45 Intel® i210
How do you figure that is only 1 port?
Any of those ports could be used for wan, so you could have multiple - but you could also be firewalling between local networks say traffic flowing between ports 3-4, while at the same time firewall traffic between ports 1-2, etc.
If anything is unclear on that page, is there also nat happening on the test. And not just firewall.. I would assume not, so sure your number might be lower if also natting.
-
@FrontierDK said in Real gigabit throughput:
I'm asking here for real-world experience, not synthetic UDP small-package tests
Most likely the Zyxel tests which you found to be inflated vs real-world usage were made using large packets, not small (e.g. 1500 byte packets vs 64-byte UDP). They might even have used Jumbo frames instead of 1500 byte packets. Passing line rate with small packets is much, much more difficult than passing the equivalent throughput in large packets.
The tests on the Netgate page for iperf3 are geared toward showing what it can do for best-case type scenarios with large packets (~1500 byes when you include overhead). The IMIX tests are closer to what you might experience with a real-world mix of live traffic from a variety of users on the network all at once.
@FrontierDK said in Real gigabit throughput:
But...it only has 1 gigabit ports. So either they have invented a new way of pulling more than 1Gbit through a 1 Gbit port, or it's a combined number where LAN traffic or 2-way speed numbers are used?
You can LAGG multiple ports together and use combined throughput in some scenarios (e.g. LACP) and exceed the port speed in aggregate.
That's where the last sentence in point 1 of the footnotes on the Netgate page comes in:
Throughput measurements are based upon maximum bidirectional traffic across all available ports.
-
Hey @jimp maybe I missed it, could maybe there be some clarification if firewalling numbers include actually doing nat or not.
-
I'd have to check, but the performance hit from pf comes from having pf enabled at all, I don't think NAT vs routing with pf on is significantly different.
-
Hence the difference between "L3 forwarding" and "Firewall" scenarios.
-
It would be nice with numbers where it would resemble a real-world normal scenario: 1 wire to the fiber box, 1 firewall with firewall + NAT enabled, and then 1 client computer.
These days, more and more ISPs are rolling out 1Gbit connections, and it's currently impossible to find any web site where a vendor is telling the numbers which could be expected with a typical installation...thus why I was asking the question: which firewall will actually deliver close to 1Gbit throughput. with firewall + NAT enabled?
-
Generally speaking, if the Netgate page states it will pass >1Gbit/s on multiple ports, it's safe to assume it can max out a single 1Gbit/s port.
So on the link I put above, if you look at the Firewall entry in the IMIX column for each device, if it shows greater than 1Gbit/s potential throughput, it will max out a 1Gbit/s port.
Publishing single port speeds would make that page a lot more complicated (since some devices have 1Gbit/s ports, some have 10Gbit/s ports, some of the devices with switches have 2.5Gbit/s internal uplinks, etc) and it would end up more confusing without adding much notable information.
-
How are you testing now where you are not seeing 1Gbps through the Zyxel?
For a lot of people they connect a client behind it and run a test against speedtest.net for example. As discussed that is actually large packets over multiple connections.
For a local iperf test, iperf3 server on the WAN side if the firewall, client on the LAN side, the hardware requirements are not huge. The E4500 Core2duo would do that, just, for example.
Steve
-
Hi stephenw10, I am using speedtest.net as you might have guessed.
My reason for asking for real-world throughput is also, that I have a local server with +40 domains, emails, FTP-service etc. and both web- and FTP logs show hacking attempts 24/7/365...so simple routing with no firewall (hardware offload) isn't exactly a great idea, in my eyes.
As someone once said it: "when you're online, you can connect to any PC in the world. But this also means that any PC can connect to you". AI-driven hacking is already out in the wild, so more than ever...firewalls are needed. ISPs are rolling out 1Gbit connections to every John Doe who wants to pay $80/month now, so a 1-wire CAT6 cable to the fiber box + misc. cables to LAN PCs is now also a typical scenario. Thus the original question - which Netgate box will actually do it? A simple Google search results with this as link #1: "Gigbit Internet is here. Where are the firewalls?" (Spiceworks). So it appears to be a valid question, imho. And any person believing that the numbers on the current product page is going to hold up in the real world, in a typical scenario, is going to be a sad customer.
-
The SG-5100 will pass 1Gbps in a test against speedtest.net with firewall and NAT enabled, the default config.
Assuming the line and server it tests against can generate it.Steve
-
@FrontierDK said in Real gigabit throughput:
But this also means that any PC can connect to you"
No it doesn't - the whole point of a firewall.
And any person believing that the numbers on the current product page is going to hold up in the real world,
So you think they are making up the tests results? Really? Do your own research then... simple search of sg3100 benchmark will show you youtube videos of people pushing gig through it..
Here is a thread were user had a switch causing him issues, using a sg3100 doing gig.. on a "speedtest" site
https://forum.netgate.com/topic/132615/new-sg-3100-with-gigabit-comcast-line-can-t-get-over-540mbps/7 -
I get that the purpose of a firewall is to isolate one self. But doing research, I find tons of people compaining about poor throughput, after which people are told to use hardware offloading, disable filters etc (in short - removing all security). And...in all found Youtube videos, throughput tests are done using local connections (and routing) only - no testing using 1Gbit WAN connections, with package filtering etc.
I'll continue doing research...
-
I have no idea what your going on about to be honest.. The first video that comes up about sg3100 benchmarking is doing it with suricata enabled as example. Still pushing gig..
So now your asking for netgate to publish benchmarking test with every possible combination of packages running?
tons of people complaining about what hardware? You find tons of people complaining about netgate hardware not being able to do what is stated on their page about its performance? Or you find shit where people asking hey I just got gig from X, but my laptop via wireless isn't seeing it sort of nonsense? But the router lists 1700 mbps on its box! ;)
-
@FrontierDK said in Real gigabit throughput:
Hi all.
Just got my Zyxel VPN100 yesterday, and the results are quite sad...so having a server with little more than 40 domains etc., I was thinking about putting a pfsense PC together with 10Gbit NICs together....
Has anyone here made their own PC which is able to actually do the 1Gbit (minus overhead)?
Certainly without any problems incl. Snort & pfblocker.
-
Local testing, using iperf3 for example, is the only way to get any sort of replicable, comparable result.
Just hitting speedtest.net is nice to see but it can vary just between tests at the same location let alone on different 1G connections to different servers.
Steve
-
@FrontierDK said in Real gigabit throughput:
I get that the purpose of a firewall is to isolate one self. But doing research, I find tons of people compaining about poor throughput,
For pfSense or in general?
after which people are told to use hardware offloading, disable filters etc (in short - removing all security).
It depends on what you mean by "hardware offloading" in this context. There are some devices that have ASICs to enhance packet processing at very high speeds but these also tend to be less complicated devices which lack features found in firewalls like pfSense.
Disabling filters will gain performance but I find it difficult to believe anyone would tell you to do that on pfSense. It may be common for other more hardware-focused platforms (e.g. ubiquity), but not here.
And...in all found Youtube videos, throughput tests are done using local connections (and routing) only - no testing using 1Gbit WAN connections, with package filtering etc.
Most random tests you find online are not very well-defined. You would probably have trouble replicating their results. Which is why we publish as much information as we do about the test results on our site.
A few random facts:
- Testing with ipef3 is mostly a best-case large packet scenario. You'll probably get that high only for very large bulk transfers which aren't as common as you might think. It's useful from a raw performance standpoint but not reflective of real-world traffic patterns.
- IMIX testing is the best comparison for real-world traffic. There is no way to 100% replicate a typical user load for testing but IMIX gets the closest. The results will almost always be slower than iperf3 because there are very small and medium size packets mixed in which are more difficult to pass. But if a device can pass IMIX faster than the speed of a single port, that's a good sign that it will handle most common loads very well.
- In some cases you might also see 64-byte packet test results, these are a worst-case torture test. If something can pass line rate at that packet size, you know it will handle anything you can toss at it. These don't get published as often because it's not a common real-world scenario and if the numbers are low, it can look bad even if the device is capable of passing more than enough larger packets.
In terms of trusting results when comparing hardware, the most reliable figures would be, in order: 64-byte tests, IMIX tests, iperf tests (and other speed tests). If it were me researching hardware, I'd tend to go for the IMIX test results if the company publishes them.
Whether you look at the numbers with/without firewalling enabled depends on your scenario but most people are interesting in the numbers with firewalling enabled. L3 forwarding is nice to know for routing scenarios but it's a less common need. Mostly it gets included because it's a high number and shows what the hardware is capable of handling when unencumbered.
As for pfSense packages, those can certainly take a bite out of the potential total max throughput of any device, but there are so many different combinations and configurations that it's impossible to test even fairly common combinations reliably.
With pfSense, if someone is recommending hardware offload they are probably talking about encryption for VPNs. Using hardware with AES-NI built in, along with AEAD ciphers, can gain you tons of performance for VPNs. That would not impact total unencrypted throughput, however.
Ultimately whether or not you choose to believe the numbers on the site is up to you, but just because other vendors publish shady numbers doesn't mean Netgate does. For years, we didn't publish speed test numbers because we didn't have a reliable and repeatable set of test scenarios like those currently found on the page.
-
@FrontierDK said in Real gigabit throughput:
Has anyone here made their own PC which is able to actually do the 1Gbit (minus overhead)?
I have a Haswell i5 3.1ghz with Intel i350-T2. iperf TCP through the firewall is ~940Mbit/s, but I couldn't get the TCP segments any different than the default 1500bytes. I switched to UDP, but a single Windows client couldn't reach full 1Gb doing UDP. So I had to use both of my desktops to iperf UDP a remote public 1Gb iperf server. I was seeing 1.4mil+ pps ingress LAN and 1.4mil+ PPS egress WAN at 17% CPU interrupt spread across all 4 cores. That was with HFSC+codel traffic shaping enabled.
-
@Harvy66
Thank you for a very usefull answer -
No, just 1. And it's the one used by 99.999999% of the people owning a firewall: 1 wire to WAN, 1 wire to your PC. NAT + firewall are activated. That...is how most people use a firewall. So why not release the numbers on just that?