Question About Network Performance

antonioremigio1

Hi,

I have a Host with VM Ware ESXi 7 installed with several VMs and a pfSense as an edge firewall in front of the VMs.

I have more than 150 users accessing an ERP client/server that is on some VMs behind pfSense.

My question is: How do I know if pfSense is supporting this traffic from connected users or if it is bottlenecking? Is there any way to have this metric?

I'm using e1000e for the VM Network and in the other vLANs I use VMXNET3 for the VMs.

I feel that the ERP does not have the desired performance when accessing from outside the network through pfSense.

Thanks.

Gertjan

@antonioremigio1 said in Question About Network Performance:

I'm using e1000e for the VM Network and in the other vLANs I use VMXNET3 for the VMs.

In short : a 1 Giga bit connection ?
pfSense, a software solution, can - I never saw this limit - handle 10 Gbits connections ...
And if you need more, get the big brother.

But you're using a emulated environment. That will introduce overhead and way to many factors so predicting performance is 'impossible'.
The good news is : the answer is just a few clicks away. Why didn't you test this already ?
You have the test environment, you have a mouse so you're good for the clicks, why waiting ?
"We", the ones reading your question, don't have all these factors ....

If you don't want to test, be sure that it works right out of the box "money back guaranteed" and all that, ditch the mystical factor : no VM - go for real.

Gblenn

@antonioremigio1 Exactly how have you set up your host wrt to the ports allocated to your ERP and pfsense? Do you share these ports or have you dedicated them to e.g. pfsense at least?

My experience running pfsense as a VM on Proxmox is that I have had no trouble maxing out at least 1G connections when using Proxmox paravirtualized network adapter (VirtIO). I have tested with E1000 but got notibly worse performance, which makes sense as it is emulated.

To make sure I can get max performance however, I have chosen to pass through my NIC's to pfsense (IOMMU). And currently on a 10G connection I am able to get just above 8Gbit/s through pfsense when testing with speedtest (whilst running Suricata in legacy mode).

If you on the other hand, share the port used for LAN with the port used for the ERP VM, I would expect a clear performance drop, to roughly half under heavy load?

My thinking is that I leave each function to the device that does it best, meaning routing to pfsense, switching to switches and virtualization to the hypervisor. So I dedicate two ports on the PVE host to pfsense (WAN and LAN), and I would also not share ports between any other VM's that I expect require high throughput, TrueNAS for example.

I guess what I'm saying is that for maximum performance, you would use three ports for your pfsense and ERP setup, and rely on the switch to handle traffic between pfsense LAN and ERP. Any other ports on the Host can be allocated to less demanding VM's...

stephenw10

@antonioremigio1 said in Question About Network Performance:

How do I know if pfSense is supporting this traffic from connected users or if it is bottlenecking?

Check the graphs in Status > Monitoring. Are you seeing traffic close to the maximum bandwidth? Are you seeing CPU usage close to 100%?