PPPoE bridge to another firewall
-
Hello, I recently upgraded to fiber at my house, and the connection is using PPPoE. There is an ONT that hands Ethernet off to an ISP-provided Zyxel router, and from there I pass the connection to my Fortigate firewall.
I tried moving the connection directly from the ONT to my Fortigate, which works fine, but I get extremely low bandwidth and 100% CPU usage on the Fortigate (Fortigate 60D). The ISP-provided router does have the option to put the WAN port into bridge mode, but that still puts most of the processing work on the Fortigate, resulting in under 300mb/s out of my 1gb/s connection.
Is it possible to use pfsense to initiate the PPPoE connection, and then bridge it to my Fortigate so I end up with a publicly routable IP on the WAN interface of my Fortigate? I have a pfsense VM running, I got the WAN interface configured with PPPoE, but I can't figure out how to get it to bridge the connection the way I want it to, so any advice would be greatly appreciated.
Thank you,
Smoblikat -
No, you can't bridge the public IP from a PPPoE connection to another interface. If you have a routed subnet you could pass that to an internal interface.
The Fortigate probably can't use its ASICs for that and has to use the CPU only, which usually only runs the control plane.
Steve
-
@stephenw10 Thank you for the reply, from what I've seen it didn't seem possible, but it's good to hear it confirmed.
That also is the exact reason why my Fortigate has such low performance with PPPoE, it can't offload any of that processing to its NPU/ASIC, so it has to do all the work on the regular ARM processor.
Looks like the Fortigate 60F has their newer V4 processor, I might just save up and buy one of those eventually. Until then I will just let the ISP router handle the PPPoE auth, and forward everything through a /30 to my forti.
Thanks for the help!
-
I mean you may be able to replace the Fortigate with pfSense and solve it that way. Depending on what you're doing.
-
@stephenw10 Yes I could, though I prefer working with the fortigate as opposed to pfsense.
I still may run a test just using pfsense as the router, I'd like to see how my Xeons handle gigabit PPPoE.
-
Be aware that the way pfSense/FreeBSD handles PPPoE restricts the NICs to one queue and hence one CPU core.
Steve
-
@stephenw10 That's interesting that you mention that, my Fortigate seems to behave the same way. For whatever reason, downloading things when using PPPoE shows the low bandwidth and 100% CPU usage on a single core, but when testing upload speeds I get almost all of the bandwidth, and the load gets spread across multiple cores (no 100% spikes per core).
Do you know why there is such a discrepancy in performance when comparing download vs upload speeds? Is this common when using PPPoE? This is my first time using this, up until now it's all been normal Ethernet/DHCP from the ISP.
I'm definitely going to test this when I get home, the server pfsense is running on is using Xeon E5-2690V2's, so I'm hoping that the per-core performance is enough to handle the bandwidth. I was able to borrow a Fortigate 60E to test with, I get nearly full bandwidth through that device when doing all of the PPPoE stuff on it (topped out at 900/900), but that was on an almost completely blank config, I'm not sure how it would handle the connection if I had any amount of policies/NGFW stuff running, hence me wanting to jump up to the 60F.
-
@smoblikat said in PPPoE bridge to another firewall:
Xeon E5-2690V2
Should be fine on that.
It's because they cannot use RSS for PPPoE traffic as the required hash functions are present only for IP traffic. Better discussed here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203856
Steve
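An added illustration of the point above (not from the thread or the FreeBSD bug report): a toy model of a NIC's RSS classifier that, like the hardware in question, only has a hash for IPv4 EtherTypes, so every PPPoE session frame carrying the download stream lands on one queue and hence one core, while the same flows sent as plain IPv4 spread across queues. The frame builders, the pppoe_aware option and CRC32 standing in for the Toeplitz hash are assumptions of the example.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864  # PPPoE session-stage frames (RFC 2516)
PPP_PROTO_IPV4 = 0x0021           # PPP protocol field value for IPv4

def ipv4_tcp_packet(src, dst, sport, dport):
    # Constructed 20-byte IPv4 header followed by a TCP port pair; rest is padding
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_b, dst_b)
    return hdr + struct.pack("!HH", sport, dport) + b"\x00" * 16

def eth_frame(ethertype, payload):
    # Ethernet II frame with dummy MACs
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype) + payload

def pppoe_frame(session_id, ip_packet):
    # PPPoE session header (ver/type, code, session id, length) + PPP protocol + IP
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return eth_frame(ETHERTYPE_PPPOE_SESSION, pppoe + ppp)

def rss_queue(frame, nqueues, pppoe_aware=False):
    # Model of a NIC RSS classifier: only IPv4 EtherTypes have a hash, anything
    # else lands on queue 0 (one core). CRC32 stands in for the Toeplitz hash.
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip_offset = 14
    if ethertype == ETHERTYPE_PPPOE_SESSION and pppoe_aware:
        # Hypothetical PPPoE-aware NIC: look past the 6-byte PPPoE + 2-byte PPP header
        if struct.unpack("!H", frame[20:22])[0] == PPP_PROTO_IPV4:
            ethertype, ip_offset = ETHERTYPE_IPV4, 22
    if ethertype != ETHERTYPE_IPV4:
        return 0
    ip = frame[ip_offset:]
    ihl = (ip[0] & 0x0F) * 4
    four_tuple = ip[12:20] + ip[ihl:ihl + 4]  # src IP, dst IP, src port, dst port
    return zlib.crc32(four_tuple) % nqueues

def demo(nflows=64, nqueues=4):
    # Same download flows sent plain and PPPoE-encapsulated (constructed sample);
    # returns the set of queues each variant is spread across
    pkts = [ipv4_tcp_packet("203.0.113.10", "192.0.2.5", 443, 40000 + i) for i in range(nflows)]
    plain = [eth_frame(ETHERTYPE_IPV4, p) for p in pkts]
    pppoe = [pppoe_frame(0x0001, p) for p in pkts]
    return {"plain": {rss_queue(f, nqueues) for f in plain},
            "pppoe": {rss_queue(f, nqueues) for f in pppoe},
            "pppoe_aware": {rss_queue(f, nqueues, True) for f in pppoe}}
```

Running demo() shows the plain flows using several of the four queues while every PPPoE frame reports queue 0, which is the single-core ceiling described in the thread.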
-
@stephenw10 Very interesting, I'm going to read up on this some more.
I did put the pfsense box on full WAN duty, it's just connected to the forti with a /30 private link. Performance is great, without much tweaking I was able to get full speeds up and down, CPU usage was even at 18-19% for both tests. I might just stick to this anyway, maybe ditch my forti until I buy the 60F, I'd rather just deal directly with the box that holds the WAN address.
I appreciate the help Steve.