SG-2440 gigabit throughput?



  • I received my SG-2440 about a month ago.
    I have no additional plugins installed.

    If I connect any one of my computers directly to my gigabit service, I get roughly 920Mbps each way.
    As soon as I put the SG-2440 in the middle, those speeds drop to 580/640Mbps.

    Are there any tweaks I can install to improve throughput?
    My WAN is a DHCP connection and my ISP assures me that there is no "double-NAT" issue.

    Prior to switching to pfSense, I was using m0n0wall for about 8 years, 5+ of those years on an ALIX board. I "upgraded" because m0n0wall is EOL and my ALIX only has 10/100 hardware.

    For the most part I'm happy with pfSense, but I'm still struggling with a few things (e.g., I can't figure out how to "bridge" the LAN ports together…ideally, I could get opt1 and opt2 to operate like they are a switch connected to LAN, but that's a minor concern compared to my throughput issues).

    Thanks for reading!



  • Have you tried with multiple streams? The CPU is low frequency, but has multiple cores.



  • Do you mean multiple network connections?
    When I run the speed tests, I've done it with 4 computers at the same time all connecting to something like Speed Test and then looking at what pfSense reports the throughput as. That's how I came up with those numbers. I actually get exactly the same results using a single computer.
    The odd thing is that the CPU cores never seem to exceed about 60% each, and the memory usage is <15%.



  • Post a top screenshot at the time of a speedtest.

    AFAIK NAT is still single-threaded and might be hindering more performance.



  • @rage12345:

    For the most part I'm happy with pfSense, but I'm still struggling with a few things (e.g., I can't figure out how to "bridge" the LAN ports together…ideally, I could get opt1 and opt2 to operate like they are a switch connected to LAN, but that's a minor concern compared to my throughput issues).

    Thanks for reading!

    Bridging the ports on the box is surprisingly easy to get wrong, IMO - it's very easy to create a bridge on already-configured interfaces, which can lead to all manner of amusing things.  (Esp. if you bridge configured LAN and WLAN…)

    On the Netscreen box I've been using, configured interfaces cannot be bridged, and the system explains to you what the issue is if you try to do so.  Both can be tied to the same zone if you want to leave the configurations in place, and the zone can be tied to a common, segregated routing table.  (Which, come to think of it, is a TON harder to do on the Netscreen than the more-or-less equivalent bridging configured interfaces is on pf.)

    For what you are trying to do, I would suggest this:

    • assign your lan interface temporarily to an unconfigured interface using the dropdown to pick a different if

    • remove any configuration from the interfaces you want to bridge

    • bridge them together

    • then, in the GUI, assign the lan interface to the bridge

    • reconfigure the LAN as needed

    Now, you have a unified set of interfaces speaking over a single address - assuming that's what you want.

    I'm not sure if this is going to give you wire speed firewalling at 1 gbps, though.  It probably would let you get better performance from each lan facing port, since you'd be divvying up the work across the NICs.

    At the office, I wouldn't bridge the lan to the wifi.  No one needs to be able to send commands from a wireless client to a wired media streamer and I don't know whether you can apply filtering rules for wifi and have them apply to wifi if it's bridged.

    I've been pretty impressed with the performance I'm seeing.  My current setup uses the openVPN client and routes almost all traffic through the tunnel.  I just upgraded to bonded uverse, theoretically about 45 mbs, and I get wire speed on that through the vpn without the CPU breaking a sweat.



  • If I connect any one of my computers directly to my gigabit service, I get roughly 920Mbps each way.

    With a modem only or directly connected?

    As soon as I put the SG-2440 in the middle, those speeds drop to 580/640Mbps.

    Normal, as I see it, and related to the NAT and pf service! SPI/NAT normally take 3 - 5 % of the throughput, but pf is a firewall filtering thing that needs more than most people would expect. An Alix APU board delivers 450 MBit/s without PowerD enabled and 750 MBit/s with PowerD enabled!

    Are there any tweaks I can install to improve throughput?

    WAN connections will not really be able to deliver the 1:1 speed that the ISP is serving or selling you; please don't forget this either!

    My WAN is a DHCP connection and my ISP assures me that there is no "double-NAT" issue.

    920 MBit/s + overhead traffic will be nearly 1 GBit/s delivered to you.

    Prior to switching to pfSense, I was using m0n0wall for about 8 years, 5+ of those years on an ALIX board. I "upgraded" because m0n0wall is EOL and my ALIX only has 10/100 hardware.

    Alix boards were able to deliver something around 80 MBit/s using pfSense.



  • I would really like to know if there is a solution for this.
    Gigabit connections are coming fast to several of my customers and I need hardware that supports true gigabit throughput, actually 2Gbps would be nice, as Comcast has promised this by the end of summer across Colorado. What is the lowest model I can purchase and reasonably expect gigabit performance? SG-2440 says gigabit on the site but seems like that is in question here.

    Thanks!



  • SG-2440 says gigabit on the site but seems like that is in question here.

    It would not be the GBit/s connection alone, as I see it, but more what you expect of the entire throughput, plus the things coming on top, such as VPN, IDS/IPS, Squid & SquidGuard, needed VoIP throughput, and other packets.

    So for professional usage with many packets, the SG-8860 or C2758 1U platform should be more suitable for you, to be on the safe side.



  • So the 8860 should be able to keep up? I'm not running anything else on top just basic NAT and Captive Portal.

    Thanks for the input



  • So the 8860 should be able to keep up? I'm not running anything else on top just basic NAT and Captive Portal.

    It could well be that most people would intervene now and say something like this: "Oh no, an SG-xxxx device would be powerful enough for this." But be sure that with the SG-8860 you won't fill up the forum with posts that something is not running as expected, or not smooth or powerful enough! What you do is your thing, and if you think a smaller platform will be sufficient for your case, go and buy it. This was only my opinion.



  • To configure all ports on an SG 2440 or any pfSense firewall as a switch, follow this link: http://www.cyberciti.biz/faq/how-to-pfsense-configure-network-interface-as-a-bridge-network-switch/

