pfSense 1 LAN cable with VLANs internet speed?



  • Hello,

    I am planning to install pfSense on a laptop and I have a Netgear managed switch. I know that you can use VLANs to have 1 LAN cable and then connect the WAN cable to the switch as a separate VLAN, so you can use that on pfSense as the gateway. This is OK, but:

    How about the internet speed performance, because the gateway and LAN are going through 1 cable to the switch?



  • @erbalo

    The total of everything passing through that cable will be limited to whatever the connection is capable of. Of course, there will be a small amount lost to the additional overhead of the 4 byte VLAN tags. So, the answer depends on what bandwidth you get from your ISP. If 1 Gb, then you will take a hit. If only 100 Mb, then you likely wouldn't notice much difference.



  • @JKnott 1GB should be fine :) but it isn't. Is this also OK for the LAN side speeds?


  • LAYER 8 Global Moderator

    Vlans share the bandwidth of the physical connection.. If you're routing traffic from vlan x to vlan y on the same physical link - you do the math ;)



  • @erbalo

    You have to look at your usage to determine the impact. You are sharing a cable & connection, instead of using multiple cables. An example would be offices where VoIP phones are connected via VLAN over the same cable as computer data. Compared to a Gb connection, the amount of data used by VoIP is trivial. Also, while you're on the phone, you might not be using the computer. Will you notice the hit? Probably not. On the other hand, where you're using a VLAN to carry ISP traffic from the modem and then send it out again, over the same cable, then yes, you might see a significant hit.



  • @JKnott

    Here's another example. I have a 75 Mb package (actually over 90 Mb) from my ISP. My switch is capable of 1 Gb. If I did that, do you think I would see much of a difference, with all that spare bandwidth available?



  • @johnpoz In my case

    • I create a VLAN10 on the switch port 1
    • I create port 2 as a trunk on the switch for pfsense
    • I create port 3 untagged vlan0 for the LAN side.
    • I create port 4 VLAN 20 for something like a guest laptop.

    Just because WAN is connected to port 1 (it is on VLAN10 right?..) going over untagged port 3 should be no problem.

    But on the laptop I should have the problem, right? Because it is then vlan 10 to vlan 20?



  • @JKnott Yes, really I should see that. That is normal. But if I download a package at 50mbps from the internet (that's my max from my ISP), then that should be OK, right?



  • @erbalo

    You're asking questions that we can't answer. The answer depends entirely on how you use your network, including traffic loads etc.. The only answer we can give is you're sharing a connection. If that causes a hit, it depends entirely on your traffic, which is something we have no idea about.

    In the example of VoIP, there'd likely be no noticeable hit. If you had 2 or more heavily used servers, yeah, you would likely see a hit.

    Bottom line, it all depends on how much traffic you have and how much spare capacity in that one cable.


  • LAYER 8 Global Moderator

    What device are you doing this on, a 3100 with switch ports? Those are not sharing the same physical port..

    Here is where you run into physical interface bandwidth constraints.

    Say on pfsense igb1 you have vlan X and vlan Y.. And now you're routing traffic from device on vlan X to device on vlan Y.. You are sharing the same physical interface and will be limited by its speed.. Be it 10, 100 or gig or even 10ge..

    If you only have 1 physical interface from pfsense to the switch.. Then any vlans that route through pfsense and then back to the switch will be limited by the speed of this physical interface..

    From your description I am not exactly sure what you're doing.. Since you make no mention of creating any vlans on pfsense - if your switch is doing the routing between vlans.. Then the only time traffic will go through this connection to pfsense is if going say to the internet connected to pfsense.

    If I get time today I will put boxes on vlans and show you an iperf test between the 2 of them... It will be a good reference post for when this comes up - which is quite a bit to be honest.

    In the process of updating a sg2440 with 2.4.5p1 and setting up to ship to remote office - almost done.. My schedule looks pretty clear after that - so sure I will do a bit of examples ;)


  • LAYER 8 Global Moderator

    Ok... Here are 2 tests.. 1 where the networks are on their own physical interfaces

    layout..
    iperf server 192.168.9.10
    iperf client 192.168.200.10

    twophysicalnics.jpg

    $ iperf3.exe -c 192.168.9.10 -B 192.168.200.10                                  
    warning: Ignoring nonsense TCP MSS 466688                                       
    Connecting to host 192.168.9.10, port 5201                                      
    [  5] local 192.168.200.10 port 50165 connected to 192.168.9.10 port 5201       
    [ ID] Interval           Transfer     Bitrate                                   
    [  5]   0.00-1.00   sec   108 MBytes   903 Mbits/sec                            
    [  5]   1.00-2.00   sec   113 MBytes   949 Mbits/sec                            
    [  5]   2.00-3.00   sec   114 MBytes   954 Mbits/sec                            
    [  5]   3.00-4.00   sec   113 MBytes   949 Mbits/sec                            
    [  5]   4.00-5.00   sec   114 MBytes   957 Mbits/sec                            
    [  5]   5.00-6.00   sec   113 MBytes   950 Mbits/sec                            
    [  5]   6.00-7.00   sec   113 MBytes   949 Mbits/sec                            
    [  5]   7.00-8.00   sec   113 MBytes   949 Mbits/sec                            
    [  5]   8.00-9.00   sec   113 MBytes   948 Mbits/sec                            
    [  5]   9.00-10.00  sec   113 MBytes   950 Mbits/sec                            
    - - - - - - - - - - - - - - - - - - - - - - - - -                               
    [ ID] Interval           Transfer     Bitrate                                   
    [  5]   0.00-10.00  sec  1.10 GBytes   946 Mbits/sec                  sender    
    [  5]   0.00-10.01  sec  1.10 GBytes   944 Mbits/sec                  receiver  
                                                                                    
    iperf Done.                                                                     
    

    So that is maxing out gig.. Couldn't ask for anything more on gig wire..

    Now here pfsense is routing between the networks over the same wire.. Same client and server machines - Just changed the switch config to put the client interface on different vlan. And put this vlan on the same physical interface used for vlan 9 (lan on pfsense) igb0

    vlans-samephysical.jpg

    $ iperf3.exe -c 192.168.9.10 -B 192.168.66.10
    warning: Ignoring nonsense TCP MSS 466688
    Connecting to host 192.168.9.10, port 5201
    [  5] local 192.168.66.10 port 50367 connected to 192.168.9.10 port 5201
    [ ID] Interval           Transfer     Bitrate
    [  5]   0.00-1.00   sec   107 MBytes   895 Mbits/sec
    [  5]   1.00-2.00   sec   111 MBytes   933 Mbits/sec
    [  5]   2.00-3.00   sec   112 MBytes   940 Mbits/sec
    [  5]   3.00-4.00   sec   112 MBytes   939 Mbits/sec
    [  5]   4.00-5.00   sec   112 MBytes   941 Mbits/sec
    [  5]   5.00-6.00   sec   111 MBytes   930 Mbits/sec
    [  5]   6.00-7.00   sec   112 MBytes   940 Mbits/sec
    [  5]   7.00-8.00   sec   110 MBytes   925 Mbits/sec
    [  5]   8.00-9.00   sec   111 MBytes   934 Mbits/sec
    [  5]   9.00-10.00  sec   111 MBytes   931 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bitrate
    [  5]   0.00-10.00  sec  1.08 GBytes   931 Mbits/sec                  sender
    [  5]   0.00-10.00  sec  1.08 GBytes   930 Mbits/sec                  receiver
    

    So not much difference because it's duplex and no other traffic on the wire.. Bit of traffic maybe, the overhead of the vlan tags mentioned, etc..

    But now sending traffic to the internet through pfsense through that same igb0 interface via speed test from client on that same vlan 9 network.. 500Mbps..

    Now look at my iperf test..

    $ iperf3.exe -c 192.168.9.10 -B 192.168.66.10
    warning: Ignoring nonsense TCP MSS 466688
    Connecting to host 192.168.9.10, port 5201
    [  5] local 192.168.66.10 port 50444 connected to 192.168.9.10 port 5201
    [ ID] Interval           Transfer     Bitrate
    [  5]   0.00-1.00   sec  38.6 MBytes   324 Mbits/sec
    [  5]   1.00-2.00   sec  37.1 MBytes   311 Mbits/sec
    [  5]   2.00-3.00   sec  26.2 MBytes   220 Mbits/sec
    [  5]   3.00-4.00   sec  49.0 MBytes   411 Mbits/sec
    [  5]   4.00-5.00   sec  51.0 MBytes   428 Mbits/sec
    [  5]   5.00-6.00   sec  52.0 MBytes   436 Mbits/sec
    [  5]   6.00-7.00   sec  51.8 MBytes   434 Mbits/sec
    [  5]   7.00-8.00   sec  52.4 MBytes   439 Mbits/sec
    [  5]   8.00-9.00   sec  51.1 MBytes   429 Mbits/sec
    [  5]   9.00-10.00  sec  51.1 MBytes   429 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bitrate
    [  5]   0.00-10.00  sec   460 MBytes   386 Mbits/sec                  sender
    [  5]   0.00-10.01  sec   460 MBytes   386 Mbits/sec                  receiver
    
    iperf Done.
    

    So there will be a performance hit when you share bandwidth of physical connection with vlans - because you're sharing the capabilities of the interface... But without understanding your traffic flows, and amount of traffic that will be routed intervlan or using that interface going somewhere else, it's hard to say if you will notice it or not..

    Here is what I would suggest.. If you have the physical ports available on your switch and your router.. Then leverage them for your different networks so that vlans do not share physical ports..

    If you do not have enough ports... Then put the vlans that do not talk to each other or use lower amounts of bandwidth on the same physical interface.. Example I put my wireless vlans on the same physical interface of pfsense... Since they would never be able to use full gig anyway, and they don't talk to each other..
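
Added example (not part of the thread and not any poster's own code): a small Python model of the per-direction budget behind the three iperf results above, plus the one-cable design from the original question. The 940 Mbit/s usable gigabit rate is rounded from the first test; the `wan0` interface name, the speed test being a download arriving on a separate WAN port, and background traffic holding a fixed rate are assumptions.

```python
from collections import defaultdict

GIG = 940.0  # usable Mbit/s on a gigabit port, rounded from the first iperf run

def link_load(flows):
    """Sum Mbit/s per (interface, direction) as seen by the router.

    A flow is (ingress_if, egress_if, mbps): received on ingress_if (rx),
    transmitted on egress_if (tx). VLANs on one physical port share that
    port's rx budget and its tx budget; full duplex keeps the two separate.
    """
    load = defaultdict(float)
    for ingress, egress, mbps in flows:
        load[(ingress, "rx")] += mbps
        load[(egress, "tx")] += mbps
    return load

def headroom(background, probe, capacity=GIG):
    """Best rate a new routed flow (ingress_if, egress_if) can reach,
    assuming the background flows keep their rate (a simplification)."""
    load = link_load(background)
    ingress, egress = probe
    free_rx = capacity - load[(ingress, "rx")]
    free_tx = capacity - load[(egress, "tx")]
    return max(0.0, min(free_rx, free_tx))

def scenarios():
    return {
        # Test 1: each network on its own physical NIC.
        "two_nics": headroom([], ("igb1", "igb0")),
        # Test 2: both VLANs on igb0; the hairpin uses rx once and tx once.
        "hairpin_idle": headroom([], ("igb0", "igb0")),
        # Test 3: 500 Mbit/s download leaving igb0 toward a VLAN 9 client
        # (wan0 is a hypothetical name for a separate WAN port).
        "hairpin_busy": headroom([("wan0", "igb0", 500.0)], ("igb0", "igb0")),
        # Original question: WAN is also a VLAN on the single cable, so a
        # 50 Mbit/s download crosses it once in each direction.
        "one_cable_50mbit_isp": headroom([("igb0", "igb0", 50.0)],
                                         ("igb0", "igb0")),
    }

if __name__ == "__main__":
    for name, mbps in scenarios().items():
        print(f"{name:22s} {mbps:6.0f} Mbit/s available")
```

The `hairpin_busy` figure of 440 Mbit/s lines up with the roughly 430 Mbit/s the third iperf run settled at, because the download and the routed iperf stream compete for the same transmit direction of igb0.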

