Lanner Inc. FW7535D



  • Hi,

    We just purchased the Lanner Inc. FW7535 to replace an Alix 2C3. The VPN throughput was lacking severely and the internet connection will also be upgraded to 120mbit, which requires gigabit ports. The box is a bit empty, although they do supply a power cord, the SATA drive connector and the drive screws. There is no manual, quick start guide or CD provided with the system.

    Front:
    http://iserv.nl/files/pics/lanner-fw7535/fw7535-above-front.jpg

    The FW7535 has 6 Intel Gigabit ports; the 1st is an older type Intel which works in 1.2.3. The others are a bit newer and are only supported in 2.0.
    It has an Intel Atom D510 processor coupled with a single 1GB DDR2 SO-DIMM from Kingston. There is 1 free memory slot available and 1 free miniPCI-e slot for a wireless card or hardware crypto card. We are finally ditching the mini-PCI cards, yay. There are 2 SATA ports available on the motherboard, and a breakout cable for VGA and PS2 is provided for legacy software that doesn't speak USB keyboard.

    Inside:
    http://iserv.nl/files/pics/lanner-fw7535/fw7535-underside-open.jpg

    I wrote the nanoBSD version of pfSense 2.0 BETA4 to a Sandisk Extreme 3 CF card. For some reason the system refused to boot with the Sandisk Extreme 4 card I have here.

    A note on the BIOS of this system: by default the console redirection is enabled. This causes the pfSense 2.0 boot loader to stop. You can enter the BIOS by connecting a serial cable to the device with the supplied cable.

    Set the serial speed to 115200 and when you see the BIOS screen press TAB to enter it. Here you can set the "remote access console redirect option" to "disabled after post". This is because the FreeBSD bootloader already uses the serial port for the console in the nanoBSD images.





    After assigning the first port as the LAN and the 2nd as the WAN port, I set up an iperf server and did a few performance tests with a standard NAT setup and a port forward on WAN. This was to facilitate bidirectional performance testing.

    Wonderful website sponsored by the US government:
    http://nces.ed.gov/nceskids/createagraph/default.aspx?ID=e92dd120c4324894b8ee2feaf8139511

    dual stream via port forward.
    [ ID] Interval       Transfer     Bandwidth
    [  4]  0.0-10.0 sec    252 MBytes    211 Mbits/sec
    [  5]  0.0-10.0 sec    257 MBytes    215 Mbits/sec
    Single stream lan to wan
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec    579 MBytes    485 Mbits/sec

    Dividing the 200mbit throughput by the 1500byte frame size gives roughly 140k pps in a bidirectional setup.

    Considering my issue was the lackluster IPsec throughput on the Alix 2C3, even with glxsb loaded (roughly 10mbit), I hoped for a good performance leap.
    For this I connected the FW7535 to the external 100mbit switch (HP Procurve 2650) where the production external CARP cluster lives. I added an IPsec tunnel between the FW7535 (2.0 BETA4) and this system (1.2.3 RELEASE). I proceeded to test the single stream and bidirectional throughput for the various ciphers that are provided by racoon.

    IPsec:

    First up is a tunnel with AES 128bit
    duplex stream
    [ ID] Interval       Transfer     Bandwidth
    [  5]  0.0-10.2 sec  33.7 MBytes  27.6 Mbits/sec
    [  4]  0.0-10.2 sec  32.0 MBytes  26.2 Mbits/sec
    single stream
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec  65.8 MBytes  55.1 Mbits/sec

    And of course AES 256 bit
    duplex stream
    [ ID] Interval       Transfer     Bandwidth
    [  4]  0.0-10.0 sec  29.9 MBytes  25.1 Mbits/sec
    [  5]  0.0-10.3 sec  29.6 MBytes  24.1 Mbits/sec
    single stream
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec  59.6 MBytes  50.0 Mbits/sec

    That is a rather small difference between the 128 bit and 256 bit ciphers. I omitted the results for AES 192 bit as these were smack in the middle.

    I then tested blowfish; I left the bits on the 2.0 system set to "auto". This produced a rather awkward result in the bidirectional test.
    duplex stream
    [ ID] Interval       Transfer     Bandwidth
    [  5]  0.0-10.0 sec  29.2 MBytes  24.4 Mbits/sec
    [  4]  0.0-10.2 sec  41.2 MBytes  33.8 Mbits/sec
    single stream
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec  72.8 MBytes  60.9 Mbits/sec

    I then set blowfish to 128 bit on the 2.0 system. This produced a bit more predictable result.
    duplex stream
    [ ID] Interval       Transfer     Bandwidth
    [  5]  0.0-10.0 sec  34.7 MBytes  29.1 Mbits/sec
    [  4]  0.0-10.2 sec  36.5 MBytes  29.9 Mbits/sec
    single stream
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec  73.6 MBytes  61.7 Mbits/sec

    And of course no IPsec tunnel can be forgotten without the almost standard 3DES encryption. And it is, as almost always, the slowest of them.
    duplex stream
    [ ID] Interval       Transfer     Bandwidth
    [  4]  0.0-10.1 sec  21.3 MBytes  17.7 Mbits/sec
    [  5]  0.0-10.4 sec  26.4 MBytes  21.4 Mbits/sec
    single stream
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec  48.2 MBytes  40.5 Mbits/sec

    I tested the legacy single DES encryption as well, it's faster but it's not recommended since good alternatives like blowfish exist.
    duplex stream des
    [ ID] Interval       Transfer     Bandwidth
    [  4]  0.0-10.1 sec  33.9 MBytes  28.0 Mbits/sec
    [  5]  0.0-10.3 sec  33.5 MBytes  27.3 Mbits/sec
    single stream
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec  68.1 MBytes  57.1 Mbits/sec

    The uncommon CAST128 is similar in performance to single DES and still slower than blowfish.
    duplex stream cast128
    [ ID] Interval       Transfer     Bandwidth
    [  5]  0.0-10.1 sec  34.7 MBytes  28.8 Mbits/sec
    [  4]  0.0-10.2 sec  34.1 MBytes  27.9 Mbits/sec
    single stream
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec  69.4 MBytes  58.1 Mbits/sec

    Good performance numbers across the board at least. It doesn't compare to the throughput of a Core 2 Duo system though. But it is at least on par with a P3 1GHz, say, a Dell Optiplex GX150.
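
Added example, not part of the original post: a small parser for the iperf summary rows quoted above that sums both directions of each duplex run and ranks the ciphers by single-stream rate. The "cipher mode" label lines and the function names are assumptions of this example; the figures are the post's own for three of the tested ciphers.

```python
import re
from collections import defaultdict

# iperf summary rows copied from the post; the "cipher mode" label lines
# are an assumption of this example, added so the rows can be grouped.
SAMPLE = """\
aes128 duplex
[  5]  0.0-10.2 sec  33.7 MBytes  27.6 Mbits/sec
[  4]  0.0-10.2 sec  32.0 MBytes  26.2 Mbits/sec
aes128 single
[  3]  0.0-10.0 sec  65.8 MBytes  55.1 Mbits/sec
blowfish128 duplex
[  5]  0.0-10.0 sec  34.7 MBytes  29.1 Mbits/sec
[  4]  0.0-10.2 sec  36.5 MBytes  29.9 Mbits/sec
blowfish128 single
[  3]  0.0-10.0 sec  73.6 MBytes  61.7 Mbits/sec
3des duplex
[  4]  0.0-10.1 sec  21.3 MBytes  17.7 Mbits/sec
[  5]  0.0-10.4 sec  26.4 MBytes  21.4 Mbits/sec
3des single
[  3]  0.0-10.0 sec  48.2 MBytes  40.5 Mbits/sec
"""

# One iperf summary row: "[ ID] start-end sec  N MBytes  N Mbits/sec"
ROW = re.compile(
    r"^\[\s*\d+\]\s+[\d.]+-\s*[\d.]+\s+sec\s+[\d.]+\s+MBytes\s+([\d.]+)\s+Mbits/sec$")

def summarize(text):
    """Return {cipher: {mode: summed Mbits/sec}} for labelled iperf output."""
    totals = defaultdict(lambda: defaultdict(float))
    cipher = mode = None
    for line in map(str.strip, text.splitlines()):
        m = ROW.match(line)
        if m and cipher is None:
            raise ValueError("result row before any label: " + line)
        if m:
            totals[cipher][mode] += float(m.group(1))  # duplex rows add up
        elif line and not line.startswith("[ ID]"):
            cipher, mode = line.split()
    return {c: {k: round(v, 1) for k, v in d.items()} for c, d in totals.items()}

def rank(summary, mode="single"):
    """Ciphers ordered fastest-first by throughput in the given mode."""
    return sorted(summary, key=lambda c: summary[c][mode], reverse=True)

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for c in rank(s):
        print(f"{c:12} single {s[c]['single']:5.1f}  duplex sum {s[c]['duplex']:5.1f}")
```

For each cipher the summed duplex rate comes out within a few Mbits/sec of the single-stream rate.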



  • Thank you for that.

    For comparison against similar pfSense boxes near the same speed category, look at this:
    http://www.hacom.net/kb/ipsec-performance-pfsense-firewall-appliance

