2.2 pf Performance?
-
Anyone benchmarked the performance of pf in pfSense 2.2? I know FreeBSD 10.x includes an SMP-friendly version of pf, so I was wondering if anyone here had a "before and after" metric or even just a general sense of increased packet filtering performance?
We run several 10Gb/s connected pfSense boxes and will be upgrading from 2.1 to 2.2 soon, so I was wondering if anyone out there had any anecdotes about the performance factor…
-
The person who was doing the majority of the FreeBSD SMP firewall changes was running the SMP PF on production routers that were moving tens of gigabits per second. The average packet size on the Internet is 576 bytes, which would be some pretty good PPS if moving tens of gigabits per second. I don't think there was any information, like traffic shaping or what kind of rules he was using, but the new firewall makes SMP a lot better and helps shift any bottlenecks into other parts of the system.
How this will work with pfSense or more custom setups, like traffic shaping, I'd like to know that also.
All I know is even with pfSense 2.1.x, my box was only at 4% load at 1.3Gb/s WAN-NAT-LAN, but with 1500 byte packets. I couldn't figure out how to get the packets smaller. Windows iPerf doesn't honor MTU settings.
-
One of the busiest production installs I've seen, nearing 2 Gbps of Internet throughput of a mix of packet sizes, had their CPU usage cut nearly in half after upgrade. Similar circumstances, where you have tens or hundreds of thousands or more simultaneous connections and multi-hundred Mbps or more, should see a noticeable decrease in CPU usage.
For most people, you aren't hitting it hard enough relative to your hardware's capability to notice much difference.