Performance / Hardware
-
The so-called 'advanced-dmz' feature on the ONU/router I am forced to use by the ISP failed on Friday for no apparent reason forcing me back to using PPPoE on pfsense again. The performance of the current hardware is insufficient, the link is 3G/3G and when using PPPoE I can't even get half of that. Can anyone clarify what hardware is needed to get this working since I need to either upgrade or switch to something else and at the moment I'd prefer upgrading.
-
Did you mean with 3G/3G this, 3 GBit/s down and 3 GBit/s up?
- 3 GBit/s upload
- 3 GBit/s download
If you are using the pfSense behind a router, you could get a private IP from there, like 192.168.1.1/24 (255.255.255.0), and then you will not need to use PPPoE any more and get, on top of this, multi CPU threading. So with PPPoE you will be pinned or nailed to one CPU core and with that you will only see one queue at the WAN port!
- What is your entire hardware for pfSense? Bare metal or VM?
- What is your NIC for the WAN port to the ONT/ONU? Intel or Realtek, or...
- What CPU is installed here? Cores/HT and GHz
-
@dobby_ I need proper exposure for the firewall so as of now it needs to run the pppoe since the bridging has failed and I need fine-grain control of my edge.
Yes, the link is 3 Gbit/sec symmetric over pppoe. The firewall is mostly filtering known-bad actors and doing the Masq.
What I am after is what hardware would be required to have sufficient headroom for the current link and handle a small upgrade.
-
@ahutton said in Performance / Hardware:
Yes, the link is 3 Gbit/sec symmetric over pppoe.
Intel i3, i5 or i7 with 4 cores, and raw CPU GHz power is what counts then. I would also perhaps give an Intel Xeon E3-12xxv3 a try. Maybe on a board that fits all three different CPUs; they can often be had cheap on eBay.
But really I would tend more towards a router with DOCSIS 3.1 (or whatever standard your ISP is offering or needing) in front of the pfSense firewall.
-
@dobby_ unfortunately there is no removable SFP+ ONU on this model or I'd have just swapped it over, joined the vlan and no problem.. which means I'm stuck with the provided ONU/router/AP.
-
@ahutton said in Performance / Hardware:
@dobby_ unfortunately there is no removable SFP+ ONU on this model or I'd have just swapped it over, joined the vlan and no problem.. which means I'm stuck with the provided ONU/router/AP.
For sure I can feel with you, but then you will need a CPU that is able to fully serve 3 GBit/s symmetrically at the WAN for the entire load! And with a sufficient router in front you may profit from more CPU cores and Hyperthreading on top of it, because then the entire WAN traffic is running over more queues at the WAN port! That means one queue for one CPU core!
-
Be sure to note the tweaks here.
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#pppoe-with-multi-queue-nics
-
@stephenw10 said in Performance / Hardware:
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#pppoe-with-multi-queue-nics
Steve,
Are these PPPoE tweaks required on Netgate hardware (e.g. 6100) or are they already encapsulated within the tweaking Netgate already provides to their own products?
Default on 6100:
[23.01-RELEASE][admin@Router-8.*******.me]/root: sysctl net.isr.dispatch
net.isr.dispatch: direct
[23.01-RELEASE][admin@Router-8.*******.me]/root:
The link you suggest points at other links warning of potential issues with ALTQ, Limiters, IPsec etc, so I have been reluctant to try changing it from 'direct' to 'deferred'.
-
I have found that they did not cause a problem with shaping for me. But, no, they are not applied by default. Setting net.isr.dispatch to deferred can give a significant throughput bump on PPPoE WANs.
-
@stephenw10 Thanks for that and I will give it a go if it helps the cpu load.
-
I added a System Tunable via the GUI via System/Advanced/System Tunables/Edit
Edit Tunable
Tunable: net.isr.dispatch
Value: deferred
Description: PPPoE single core tuning [default value=direct]
Although I resorted to the CLI just to check the setting had changed:
[23.05-RELEASE][admin@Router-8.*******.me]/root: sysctl net.isr.dispatch
net.isr.dispatch: deferred
[23.05-RELEASE][admin@Router-8.*******.me]/root:
I'll monitor the cpu load and any impact elsewhere.