Testing PFSense?

  • Hi,

    What is the best way to test pfsense based on pps, passthrough?


  • iperf on each side, probably.

  • pfsense 1 running iPerf server > pfsense 2 not running iPerf > pfsense3 running iPerf client.

    Pfsense 2 being the one being tested.  (or substitute anything that can run iPerf for pfsense 1 and 3)

    Anyway, that's how I'd do it.

  • LAYER 8 Global Moderator

    ^ exactly

    But let's add some common sense stipulations..  I would prob test traffic between 1 and 3 before putting 2 in the middle.

    This way you know what the upper limit of your test system is; this way if you hit or get close to that limit you know you're going to need faster test systems to know what the limit of pfsense is.

    Without this test you don't know if the number is being limited by your test system.  But if when you test 1 to 3 you get say 100K pps and when you add pfsense in the middle you only get 50k pps.. Then more than likely you know what pfsense can do.

    But if you see say 99K is that what it can do, or are you at the max speed your test system can test? Or what your test system can do with added latency of pfsense?  Pfsense may be able to do 200k pps – but you're just not able to test that high with your current test system.

  • Yep.

  • LAYER 8 Global Moderator

    ^ heheheeh exactly!!

    I figured if someone is going to ask a question like this in the first place..  Prob lacking in super powers ;)

  • Indeed that is a good idea, I know about iperf but never tried it with 3 pfsense instances (client -> server, felt not right :P), the reason why I wanted to know this was because I wanted to experiment with 10gbit NICs but seems like I have to put that on hold because I do not have enough of them yet :S

    Thanks for the idea :)

  • Seems like you can do it just fine if all 3 points can carry the bandwidth.  Only 1 necessarily HAS to be pfsense.

  • Netgate Administrator

    If you use something other than a pfSense/FreeBSD box make sure you're using comparable settings. A Windows port I was using had a different default packet size which screwed up my results until I noticed.


  • LAYER 8 Global Moderator

    yeah I think on windows it defaults to 8kbytes – really small!!

    So you need to use the -w option most likely on both the client and server.  Also what version of iperf you're using can change some stuff.. For windows there is the old 1.7, 2.02 and 2.05 and I have seen some 3's compiled with cygwin

    So just understand what versions you're running and what options might have changed, etc.  Make sure you use the right window size or you will be disappointed in the performance ;)

  • Yeah - The reason I initially said use 3 pfsense boxes is because, in theory if you use 3 identical builds then the throughput test will definitely be true.  If you are not someone who has lots of equipment to work with, this might be hard.

  • Netgate Administrator

    Devising some form of simple bandwidth test that can be carried out with the minimum of equipment would be a very good idea, IMHO. One of the most common questions in the hardware section of the forum is 'I have a WAN of X Mbps, what hardware will firewall that?' or 'What bandwidth can I expect from X hardware?'. The current hardware recommendations on the pfSense.org page are outdated. It would be very nice to have a user generated table of bandwidth vs hardware.
    The test would have to be well defined and easily carried out. Using iperf is not a bad starting point as long as the values are fixed. Even if the 'hardware' column was only CPU and NICs it would be very useful. Thoughts?


  • Well - If it were just a matter of cpu speed, you could use simple Non-Linear regression and curve fitting to predict it, but it's not because all CPUs are not equal at all clock speeds nor are boards or memory.  I think the only way to do it would be to benchmark various CPUs with various boards and NICs and then post the results to a DB much the same way the cpu and video card benchmark sites do.

  • Netgate Administrator

    Exactly. I'm sure the dev team have thought about doing this before (the last time I suggested it perhaps!). There would be no point in starting anything without some sort of official sanction I think.

