Recreating IPERF3 over IPSEC Traffic tests on older EOLS units, to compare with current models
There are IPERF3, IMIX over IPSEC Traffic numbers for current model hardware at the store.
I'd like to estimate how current models might compare against our existing EOS / EOL'd Factory Edition models,
that have also been upgraded to Plus edition.
Are more details available about how the IPERF3 / IMIX tests were set up that would let me set up a similar traffic test?
What iperf3 parameters were used?
Or, has Netgate already done this work for me, and have already published IPERF3 / IMIX over IPSEC numbers
for EOL'd units updated to run Plus 23.01, thus saving me from setting up a lab?
I'm assuming the physical setup was a
Linux iperf3 client, a pair of pfSense+ appliances with an IPsec tunnel between them, and another Linux box running an iperf3 server,
with allow allow on the firewall rules tab.
stephenw10 Netgate Administrator last edited by
Which particular hardware did you have in mind?
There are more details about the testing in this blog post:
Dobby_ last edited by
What iperf3 parameters were used?
iperf3 is best to use between two units as a sender and a receiver, but only through pfSense.
Or, has Netgate already done this work for me, and
have already published IPERF3 / IMIX over IPSEC
iperf will be nice for testing, but the "real world" traffic
is often totally different.
for EOL'd units updated to run Plus 23.01, thus saving
me from setting up a lab?
That EoL units will also be able to install version 23.01 is, in my eyes, well done or a goody!
I'm interested in ballpark IMIX and IPERF over IPSEC throughput for these older models
8 core CPU - C2758: any results from models SG-8860, C2758
4 core CPU: C2558 SG-4860, E3845 MBT-4220, C2358 SG-2440
2 core: E3826 MBT-2220, C2338 SG-2220
Where do these older boxes line up against the 4100 and 6100 appliances in terms of IPSEC throughput?
For IPsec throughput, are there general trends / correlations with core counts vs base CPU clock speed vs number of tunnels,
acknowledging that in practical terms we're probably bottlenecked by the ISP's offnet traffic shaping?
Qualitatively, how does WireGuard throughput compare against IPsec without QAT acceleration on CE?
I'll assume past C3558 based appliances perform roughly about the same as the 6100, assuming 1 gbit interfaces.
I got sidetracked with IPERF3: the top Google result points to out of date Windows binaries from 2016.
Future readers looking for an IPERF3 Windows client should visit the IPERF3 author/developers at https://software.es.net/iperf/ for a link to current binaries.
Here's a data point from a pair of SG-2220s
2 core atom C2338, no QAT
Running Plus (23.01)
Through NAT, minimal firewall rules, 500 to 600 mbit throughput (Iperf3, and Netflix's fast.com)
IPERF3 over IPSEC
IPERF3 3.13, Windows clients on interface ETH1, and IPSEC (async crypto on, AES-128-GCM VTI) on ETH0
I get between 275 and 350 mbit, depending on IPERF3 options, number of streams (-p), uni vs bi directional etc.
Packet capture of the IPSEC interface showed a 1360 byte TCP payload, in agreement with a 1400 byte MTU.
A back of the envelope calc yields about 33k packets per second.
I couldn't get the Windows binaries of IPERF3 to generate smaller frames. The MSS option may not be implemented on the Windows version.
(With AES disabled / misconfigured as QAT under system, advanced, misc, throughput was about 110 mbit.)