IPSEC Performance on 7100
-
Hello everyone, this is my third post. Thank you all for your previous help with migrating from a bridge to a LAG, everything went smoothly.
I’m back with a new question :) It’s about IPSec performance. I have a 900 Mbps internet connection, and when I run an iperf3 test through this tunnel (from the outside to pfSense), I’m capped at around 400–600 Mbps it fluctuates a lot! (lows of 300 and highs of 700).
The CPU immediately jumps to ~80%. The issue is that we wanted to run backups through it, but it’s very slow. I’ve already tried a lot of things: MSS Clamping, AES-GCM, QAT, etc. (When we backup the cpu goes to 92%+)
I’m just wondering if this is normal (I compared it to the IMIX results for the 6100, which seems similar to me, and the results are almost identical).
All this to figure out if, for my needs, I should switch to an 8200/8300 (by the way, there’s no IMIX test for the 8300) or if the 7100 is supposed to be better and this is a different issue.
I know I also have peering issues, but I think these are the two bottlenecks.
Thanks in advance for your answers
-
@Nariolato can you test to something behind pfSense and not to pfSense itself?
-
@SteveITS Yes I've done it, it's the same result (I've tested on 2 hosts behind pfsense).
Maybe I just don't have the right appliance for what I want to achieve (backup)
-
@Nariolato That looks about right to me. When I had a 7100 with a OpenVPN tunnel to a 6100 we could not get above ~700Mb/s. When we could get wiregaurd to work we were in the ~800Mb/s range.
-
Imagine I need to backup for ~8 hours because of the size of the backup and the bottlneck of the CPU. Will the 7100 still be alive ? Or any threat of crash ?
-
@Nariolato I have been running pfSense >10 years and I have never crashed it by moving data. That is its job.
-
@Nariolato said in IPSEC Performance on 7100:
Imagine I need to backup for ~8 hours because of the size of the backup and the bottlneck of the CPU. Will the 7100 still be alive ? Or any threat of crash ?
I have a radio station customer that uses a couple of HP Thinclients from the 2015ish era.. Multiple audio streams and multiple camera streams from the radio transmitter site. They work for years without restart.
