Making pfsense faster
-
Hi
In Sweden we can test our connection against a government server. It is set up so customers can get real facts about the speed. Because the government has set this server up and released a test program, every ISP is trying to get the best connection against this server.I notice something today. When making a direct connection to Internet without going through pfsense, it get 93 Mbit/sec download and 81 Mbit/sec upload. When going through pfsense, I get ~50 Mbit/sec upload and download.
Looking at "top" I can see that my processor is working ~50%, under these tests, to serve interrupts.So, am not a linux guru. What should I test (different commands) so I can understand what is making this drawback in speed?
Desktop computer
pfsense 2006-12-12 snapshot
Pentium III 800 Mhz
Onboard lan (10/100) with connection to LAN
NETGEAR FA311 10/100 with connection to WAN
512 MB RAM (PC100)
No pfsense plugins except time server.
-
Looks like your system is too weak for the speed that you need. Try getting better nics that don't cause so much interrupt time and maybe upgrade your CPU.
-
There was a throughput speed comparison for the embedded Soekris and PC-engines platforms as well as a PC some time ago.
If memory serves me right, a P300 can handle up to 18 MBit or so and up to 3 MBit with IPsec.Looks like you are playing in the ballpark with your 800MHz machine.
But, as Hoba mentioned, good (read: more expensive) NICs have their advantages over cheapoes…don't know what you're using, though.
Cheers
jahonix
-
Get Intel Nics and your problems will go away and your throughput dubble.
-
These NIC's work great:
http://www.intel.com/network/connectivity/products/pro1000mt_dual_server_adapter.htm
-
Thank you guys for helping me out on this one.
I can probably buy the PCI version of Intel PRO/1000 PT Dual Port Server Adapter but their will be nothing left to spend on a new CPU or new computer. I guess the desktop version, Intel PRO/1000 GT Desktop Adapter is out of the question here?
I can choose to buy a computer with ~1.8Ghz CPU, 512 RAM for the same money as the server nic. So, what should I choose? Will the server nic solve all my problems without having to upgrade the rest of my computer hardware?
-
Thank you guys for helping me out on this one.
I can probably buy the PCI version of Intel PRO/1000 PT Dual Port Server Adapter but their will be nothing left to spend on a new CPU or new computer. I guess the desktop version, Intel PRO/1000 GT Desktop Adapter is out of the question here?
I can choose to buy a computer with ~1.8Ghz CPU, 512 RAM for the same money as the server nic. So, what should I choose? Will the server nic solve all my problems without having to upgrade the rest of my computer hardware?
Well the NIC I suggested is an all in one solution. Meaning they will work in either a pci 32 or 64 bus. I would consider upgrading your NIC first. They can be had at a decent price. I got my dual pro1000 mt from ebay for under 50$US. Another one is listed here: http://cgi.ebay.com/INTEL-PRO-1000-MT-PCI-X-DUAL-PORT-GIGABIT-NIC_W0QQitemZ170061886651QQihZ007QQcategoryZ51196QQssPageNameZWDVWQQrdZ1QQcmdZViewItem
-
@sdale:
Well the NIC I suggested is an all in one solution. Meaning they will work in either a pci-express, pci 32 or 64 bus. I would consider upgrading your NIC first. They can be had at a decent price. I got my dual pro1000 mt from ebay for under 50$US. Another one is listed here: Ebay link
It says the seller only ship to the USA. Am in Europe.
I have searched a bunch of auction and second hand sites for Intel Server cards without success. The retail price for the MT card is $195. Can you guys recommend another server nic that I can search for?
-
Does it have to be a Gigabit NIC?
In one of my pfSense boxes this does what it's supposed to:
http://cgi.ebay.de/ws/eBayISAPI.dll?ViewItem&item=160041275319&ssPageName=ADME:B:EF:DE:2
It is a 100MBit dual NIC from Compaq with Intel chipset. They are cheaper on other auctions.
Beware of the dual Adaptec NICs. When I was into buying one, BSD wasn't supporting them. But that ~may~ have changed.Jahonix
-
It says the seller only ship to the USA. Am in Europe.
I have searched a bunch of auction and second hand sites for Intel Server cards without success. The retail price for the MT card is $195. Can you guys recommend another server nic that I can search for?Any Intel chipset based NIC will be good for what you need. They will be expensive, but they are some of the best NIC's around.
-
@sdale:
Any Intel chipset based NIC will be good for what you need. They will be expensive, but they are some of the best NIC's around.
So are you saying that a Intel PRO desktop nic will work?
I believe that anyway.I have run new tests. Not on pfsense but on another firewall. ~90 mbit/sec with my computer hardware. I will switch back to pfsense when the WAN dhcp problem is solved.
-
Intel Pro NIC should be good. One other thing you might want to try is enabling device polling under System>Advanced. If your NICs support this feature it should increase your throughput.
-
How do you know if the device polling works? I have two 3com cards in my mashine, with polling..
-
Have a look at status>interfaces. It should note "polling" somewhere along the lines if it is enabled and the nic supports it.
-
Also, gig nics usually have bigger buffers, which in turn causes less interrupts (on equivalent speed traffic to a 100Mbit NIC). Gig cards are the way to go if you can get them in your budget.
–Bill
-
With a P3 733 and a Intel Dual port MT 1000 I can do 220Mbit.
Without polling.I also have good experience with the Intel 100Mbit cards and the 3Com 3c905 cards.
vr an rl are not safe a choice.
-
Have a look at status>interfaces. It should note "polling" somewhere along the lines if it is enabled and the nic supports it.
Current snapshot (12/23) have this or just HEAD?? I have intel nics that I have polling enabled that I think are suppose to support it but nothing in the status/interfaces page..
-
Looks like I was wrong and it is not noted at status>interfaces. Go to diagnostics>command and run "ifconfig" from there. You should the "polling" noted there somewhere when enabled and supported by the nic.
-
http://yourpfsense.com/status.php will also show if the NICs are running with polling.
-
cool… that and then some.. forgot about this page, used it in monowall.. TX!
-
Hardware is SO cheap these days that griping about performance on an almost archaic P3 machine is silly. Given that an off the shelf firewall with similar features/performance to pfsense will cost you thousands of dollars you might better serve your organization by doing some education on what things really cost rather than wasting time trying to squeeze more blood from a stone. If you want good performance invest in good hardware.
EDIT :: For reference I still use a handful of P3 systems in critical applications without any trouble. However with traffic sometimes maxing my gigabit fiber connection my firewall isnt a place where I try to save money. It is THE MOST CRITICAL point of my network. For those with less demanding requirements less hardware will certainly do. I recently picked up a Dell poweredge server with dual p3-1.4ghz cpus and 2 gig of ram for 300 dollars. Even has a gig-e ethernet port and raid controller in it. Hard to go wrong with these machines. If you're on a budget look on ebay and you might be surprised at the class of machine that you can get for the money. Some of them even still have warranty coverage. Be sure to check the service tags on their support site.
