Real gigabit throughput
-
@FrontierDK said in Real gigabit throughput:
I get that the purpose of a firewall is to isolate one self. But doing research, I find tons of people complaining about poor throughput,
For pfSense or in general?
after which people are told to use hardware offloading, disable filters etc (in short - removing all security).
It depends on what you mean by "hardware offloading" in this context. There are some devices that have ASICs to enhance packet processing at very high speeds but these also tend to be less complicated devices which lack features found in firewalls like pfSense.
Disabling filters will gain performance but I find it difficult to believe anyone would tell you to do that on pfSense. It may be common for other more hardware-focused platforms (e.g. Ubiquiti), but not here.
And...in all found Youtube videos, throughput tests are done using local connections (and routing) only - no testing using 1Gbit WAN connections, with package filtering etc.
Most random tests you find online are not very well-defined. You would probably have trouble replicating their results. That is why we publish as much information as we do about the test results on our site.
A few random facts:
- Testing with iperf3 is mostly a best-case large packet scenario. You'll probably get that high only for very large bulk transfers which aren't as common as you might think. It's useful from a raw performance standpoint but not reflective of real-world traffic patterns.
- IMIX testing is the best comparison for real-world traffic. There is no way to 100% replicate a typical user load for testing but IMIX gets the closest. The results will almost always be slower than iperf3 because there are very small and medium-size packets mixed in which are more difficult to pass. But if a device can pass IMIX faster than the speed of a single port, that's a good sign that it will handle most common loads very well.
- In some cases you might also see 64-byte packet test results, these are a worst-case torture test. If something can pass line rate at that packet size, you know it will handle anything you can toss at it. These don't get published as often because it's not a common real-world scenario and if the numbers are low, it can look bad even if the device is capable of passing more than enough larger packets.
In terms of trusting results when comparing hardware, the most reliable figures would be, in order: 64-byte tests, IMIX tests, iperf tests (and other speed tests). If it were me researching hardware, I'd tend to go for the IMIX test results if the company publishes them.
Whether you look at the numbers with/without firewalling enabled depends on your scenario but most people are interested in the numbers with firewalling enabled. L3 forwarding is nice to know for routing scenarios but it's a less common need. Mostly it gets included because it's a high number and shows what the hardware is capable of handling when unencumbered.
As for pfSense packages, those can certainly take a bite out of the potential total max throughput of any device, but there are so many different combinations and configurations that it's impossible to test even fairly common combinations reliably.
With pfSense, if someone is recommending hardware offload they are probably talking about encryption for VPNs. Using hardware with AES-NI built in, along with AEAD ciphers, can gain you tons of performance for VPNs. That would not impact total unencrypted throughput, however.
Ultimately whether or not you choose to believe the numbers on the site is up to you, but just because other vendors publish shady numbers doesn't mean Netgate does. For years, we didn't publish speed test numbers because we didn't have a reliable and repeatable set of test scenarios like those currently found on the page.
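The packet-size arithmetic behind the iperf3 vs. IMIX vs. 64-byte comparison in the reply above, as an added example that is not part of the original thread or of Netgate's published test method. The 7:4:1 "simple IMIX" mix (IP sizes 40/576/1500) and the 1448-byte TCP MSS are assumptions; the thread does not state which mix or MSS was used.

```python
# Line-rate packet budgets for a 1 GbE link at the frame sizes discussed in
# the thread (1500-byte MTU iperf traffic, IMIX, 64-byte torture test).
# Added example, not from the original post or from Netgate. The "simple IMIX"
# mix below (IP sizes 40/576/1500 in a 7:4:1 ratio) is one common definition
# and is an assumption; the thread does not specify which mix is used.

LINK_BPS = 1_000_000_000   # 1 GbE nominal rate
WIRE_OVERHEAD = 20         # per frame: 8-byte preamble/SFD + 12-byte inter-frame gap
L2_OVERHEAD = 18           # per frame: 14-byte Ethernet header + 4-byte FCS
MIN_FRAME = 64             # minimum Ethernet frame size (short packets are padded)

def frame_size(ip_bytes):
    """Ethernet frame size carrying an IP packet of ip_bytes (padded to 64)."""
    return max(MIN_FRAME, ip_bytes + L2_OVERHEAD)

def line_rate_pps(frame_bytes, link_bps=LINK_BPS):
    """Frames per second needed to saturate the link at a fixed frame size."""
    return link_bps / ((frame_bytes + WIRE_OVERHEAD) * 8)

def imix_line_rate_pps(mix, link_bps=LINK_BPS):
    """Frames per second at line rate for a weighted mix {ip_bytes: weight}."""
    total_weight = sum(mix.values())
    avg_wire_bits = sum(w * (frame_size(ip) + WIRE_OVERHEAD) * 8
                        for ip, w in mix.items()) / total_weight
    return link_bps / avg_wire_bits

def l2_throughput_bps(pps, frame_bytes):
    """Layer-2 bits per second delivered by pps frames of frame_bytes each."""
    return pps * frame_bytes * 8

def tcp_goodput_bps(mss, link_bps=LINK_BPS):
    """Best-case TCP payload rate with a 1500-byte MTU: mss payload bytes
    for every 1518-byte frame (plus wire overhead) on the link."""
    wire_bits = (frame_size(1500) + WIRE_OVERHEAD) * 8
    return link_bps * (mss * 8) / wire_bits

SIMPLE_IMIX = {40: 7, 576: 4, 1500: 1}   # assumption: one common IMIX definition

if __name__ == "__main__":
    for ip in (40, 576, 1500):
        f = frame_size(ip)
        pps = line_rate_pps(f)
        print(f"{f:5d}-byte frames: {pps:>12,.0f} pps at line rate, "
              f"{l2_throughput_bps(pps, f) / 1e6:6.1f} Mbit/s of L2 throughput")
    print(f"IMIX 7:4:1      : {imix_line_rate_pps(SIMPLE_IMIX):>12,.0f} pps at line rate")
    print(f"TCP goodput at MSS 1448 (timestamps on): "
          f"{tcp_goodput_bps(1448) / 1e6:.0f} Mbit/s")
```

At 64-byte frames a saturated gigabit link carries only about 762 Mbit/s of Ethernet frames but needs roughly 1.49 million pps, which is why that test is the torture case, while a 1500-MTU TCP stream cannot show more than about 941 Mbit/s of goodput even on a perfect link.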
-
@FrontierDK said in Real gigabit throughput:
Has anyone here made their own PC which is able to actually do the 1Gbit (minus overhead)?
I have a Haswell i5 3.1GHz with Intel i350-T2. iperf TCP through the firewall is ~940Mbit/s, but I couldn't get the TCP segments any different than the default 1500 bytes. I switched to UDP, but a single Windows client couldn't reach full 1Gb doing UDP. So I had to use both of my desktops to iperf UDP a remote public 1Gb iperf server. I was seeing 1.4mil+ pps ingress LAN and 1.4mil+ pps egress WAN at 17% CPU interrupt spread across all 4 cores. That was with HFSC+codel traffic shaping enabled.
-
@Harvy66
Thank you for a very useful answer -
No, just 1. And it's the one used by 99.999999% of the people owning a firewall: 1 wire to WAN, 1 wire to your PC. NAT + firewall are activated. That...is how most people use a firewall. So why not release the numbers on just that?
-
What are you replying to there?