Unable to get 1 Gb NAT throughput with new Jetway NUC build
-
Well thanks for everyone's help. It's really disappointing to see that this hardware can't push 1 Gb NAT after all and I'll be returning the equipment.
My original intent was to buy something very small, compact and lower power draw but can definitely push 1 Gb NAT. Before I purchased my Jetway I saw the pfSense SG-2220 but that model did not state it would be able to do 1 Gb NAT like other models. Also based upon previous forum posts I found it sounded questionable that it would be able to push 1 Gb NAT based upon people's real world experience.
Does anyone have any recommendations for hardware that would fit that bill?
-
well, Nephi (born of goodly parents?)
As I said, you'll need to eliminate the packet loss.
-
@jwt:
well, Nephi (born of goodly parents?)
As I said, you'll need to eliminate the packet loss.
Yes, I understand, which is why I am asking about things from a hardware perspective. You guys know more about that than me. Previously you said:
@jwt:
The 82538Vs don't support RSS or any hw queues.
The i210/i211/i35x (as used on the C2758, RCC-VE and RCC-DFF) do.
BlueKobold assumes (above) that "4 CPU cores * 2 LAN ports = 8 queues" but your NICs have one.
(The math is really that you want the queue count to match the core count. It doesn't matter how many NICs you have.)
I tried out my Jetway build with Sophos UTM and was able to get full 1 Gb NAT performance. So apparently Sophos has better drivers or optimizations to take advantage of the Jetway hardware. However, I like pfSense more from what I have seen so far. That is why I am asking more questions about what pfSense hardware like SG-2220 can handle.
I only have a moderate knowledge of networking experience unlike you guys who are experts. I know the basics of how NAT works and have done plenty of wireshark captures to troubleshoot issues at work. Years ago when I was in college I did tier 2 VPN support for example. So I know enough to get around. But I am completely new to pfSense and especially the ins and outs of network hardware that is anything above regular consumer hardware.
Before all this research I had never known about NIC RSS or AES-NI. But now you guys are helping me out learning and I appreciate that.
So going back to the SG-2220 I noticed today when I looked at the pfSense store product page it now says under the "Best For" section heading "Anyone with High-Speed Gigabit Connections". I am pretty sure it didn't say that a couple weeks ago when I was first researching hardware for a pfSense firewall. I also learned about the Intel Atom Rangeley series which from what I have briefly read today is a server series class of Intel Atom processors.
So based upon at least with Sophos on my Jetway I could get full gigabit NAT when testing with speedtest.net and att.com/speedtest, do you think I would be able to get full gigabit NAT with the SG-2220?
If so, would I be severely performance constrained with the Intel Atom C2338 to add packages later when I want to become more adventurous with pfSense?
Are there other hardware acceleration benefits other than RSS and AES-NI that I would get with the SG-2220?
Thanks in advance!
-
Well thanks for everyone's help.
Happy new year!
It's really disappointing to see that this hardware can't push 1 Gb NAT after all and I'll be returning the equipment.
900/920 MBit/s + overhead + firewall rules + NAT is for me nearly 1 GBit/s, and please don't forget
it is done with one CPU core only or alone! The N2930 is a 4 core CPU, if you get from your ISP a static public
IP address and don't need PPPoE, the WAN part will be worked out by all 4 CPU cores and not by only one!
And for sure this will be not the problem from the vendor Jetway or pfSense.
Also based upon previous forum posts I found it sounded questionable that it would be able to push 1 Gb NAT based upon people's real world experience.
Are they using PPPoE and will be also using only a single CPU core at the WAN part or did they own
their own static public IP address from their ISP? And what is a real world experience for you?
if I get 900/920 MBit/s with a ~200 € device likes you I would be glad to count on top of this
NAT + overhead + firewall rules and then I am at nearly to above 1 GBit/s. So no problems are
really there as I see it right. If you get 100% of 1 GBit/s throughput, where is the time to perform, NAT,
passing the firewall rules and on top counting the overhead? This is not done in 0.0 seconds by using a
lower end CPU based appliance!!! If you are using an Intel Atom C2000 SoC, Xeon D-15x8 or Xeon E3-1200
based appliance I am on your side and with you, but spending 200 bucks and then starting a thread why not
all is given to you, but offered by pfSense might be another thing only you should think about.
You cannot buy a small car that is saving fuel and think then why the hell this is not fast as a Porsche Cayenne!
Please have a look at this device here Jetway N2930 it comes with 4 x Intel 211AT LAN ports and is pushing something
around ~950/970 MBit/s, but only pending on the LAN ports and more RAM to high up the mbuf size??? Could this bring
up something more WAN speed?
Why not saving money and go with a SG-4860 unit that is capable to deliver this speed?
Together with a pre-tuned ADI Image you would be on the safe side as I see it right.
-
I know there is some overhead and when I say I want to get full 1 gigabit NAT, which by the way I got on the same Jetway with Sophos UTM, I mean getting the full 936/936 directly from the AT&T RG.
if I get 900/920 MBit/s with a ~200 € device likes you I would be glad to count on top of this
NAT + overhead + firewall rules and then I am at nearly to above 1 GBit/s
This is not done in 0.0 seconds by using a
lower end CPU based appliance!!!
I never insinuated that I would expect it to take zero time to do NAT processing. However, if my AT&T RG and a Jetway Sophos build can do it, surely it isn't unreasonable to think it isn't possible to do with the same Jetway hardware but with pfSense.
I know it isn't a Porsche, I am not asking to push 1 Gb via VPN.
Also I think you need to calm down some, at the time when I was doing my research it did not seem completely unreasonable for me to think the Jetway could do 1 Gb NAT since according to CPU benchmarks the CPU in the Jetway was over 2x more powerful than the Intel Atom CPU in the SG-2220. I saw comments in similar forum posts basically saying "Oh yeah, Intel Celeron and Intel NIC will definitely get you 1 Gb NAT." At the time I didn't know about the hardware accelerated features in the SG-2220.
I just didn't know any better and now I do. So please cut me some slack. I am barely learning about pfSense.
So back to my questions again…
So based upon at least with Sophos on my Jetway I could get full gigabit NAT when testing with speedtest.net and att.com/speedtest, do you think I would be able to get full gigabit NAT with the SG-2220?
If so, would I be severely performance constrained with the Intel Atom C2338 to add packages later when I want to become more adventurous with pfSense?
Are there other hardware acceleration benefits other than RSS and AES-NI that I would get with the SG-2220?
I am not using PPPoE and I have a dynamic IP from my ISP. But it is basically static since it never changes.
-
You have narrowed down your bottleneck to pfSense. If the difference between 936/936 and 900/920 is a dealbreaker then use Sophos. If you're nitpicking over 3% difference you should consider yourself lucky to have such minor problems…
-
@Phishfry:
You have narrowed down your bottleneck to pfSense. If the difference between 936/936 and 900/920 is a dealbreaker then use Sophos. If you're nitpicking over 3% difference you should consider yourself lucky to have such minor problems…
No kidding. I'll trade you my 4/1.2 connection for your meager 900/920 any day. :o
But I'd still try to eke every last bit of performance out of it myself too…
-
@Phishfry:
You have narrowed down your bottleneck to pfSense. If the difference between 936/936 and 900/920 is a dealbreaker then use Sophos. If you're nitpicking over 3% difference you should consider yourself lucky to have such minor problems…
Yes but that is with me adding no packages on at all. What I am setting up I want to last me for years to come with breathing room to grow for the future.
Just like Jailer said but I'll put in full size text
But I'd still try to eke every last bit of performance out of it myself too…
That is exactly what I am trying to do.
-
I am new but interested.
I am having a hard time deciding whether the OP is running the AT&T modem in bridge mode when he tests the pfSense build? It is easy to tell. If the pfSense build is getting an outside IP address. Otherwise he has double NAT working against him.
I just got TWC 300 megabit connection. I am trying to figure out how to maximize my connection speed.
-
I am new but interested.
I am having a hard time deciding whether the OP is running the AT&T modem in bridge mode when he tests the pfSense build? It is easy to tell. If the pfSense build is getting an outside IP address. Otherwise he has double NAT working against him.
I just got TWC 300 megabit connection. I am trying to figure out how to maximize my connection speed.
AT&T does not offer the ability to do a bridge mode, only the crappy IP Passthrough.