Build for 1Gbps on PPPoE
-
i'm gonna try using a Intel i350-T4 adaptor for wan and see if there is any difference…i expect it to be.
Really? Is there a so great difference between the Intel i354 onBoard NICs and the Intel i350-T4?
Both seems to be pretty new and also server grade hardware, or am I wrong with this?As per my signature below, I get 717Mbps from the same provider, with Supermicro C2758, and using one of the onboard ports as wan.
Perhaps you get more or a higher throughput pending on that you are not using on top of pfSense
all of the following packets like Snort, Squid and DansGuardian? Only perhaps I mean.I don't get 980 with this hardware.
This is a little bit odd or curious because it is the same ISP and perhaps the same Internet connection with
1 GBit/s of speed. And besides getting 980 MBit/s + count the TCP/IP overhead on top might be a real
1 GBit/s line that is delivered to you.I only get around 980 Mbps with their CPE router provided, instead of pfSense, but I don't want to use that.
But ok this routers are doing the whole work in silicon by using an ASIC or FPGA and normally
there will be also no firewall rules in that game. And running on this router some stuff likes
IDS, HTTP Proxy and AVscan it would never be able to reach the full 1 GBit/s too I would imagine. -
It must be that damn single-core pppoe bug, that limits my speed through pfSense. When at 717Mbps, usage is at about 13% - which corresponds to the load of only one single CPU core (out of 8 cores) on C2758.
No Snort, Squid and DansGuardian, but about 10 vlans behind it, and 3 site-to-site OpenVPNs, +some road warriors. -
It must be that damn single-core pppoe bug, that limits my speed through pfSense. When at 717Mbps, usage is at about 13% - which corresponds to the load of only one single CPU core (out of 8 cores) on C2758.
No Snort, Squid and DansGuardian, but about 10 vlans behind it, and 3 site-to-site OpenVPNs, +some road warriors.Yes it is!
I got the same speed without Snort, dansguardian and squid or pfblokerNG.I was tested also an ASA 5506 and the max i got was 325Mb in the same line.
for some reason…on my onbord controller i got slower speed.Will keep the i350-T4 pciE for wan and the other 4 for lan.
2x for lan --> connected to my distribution switch (microtik CCR1009-8G-1S-PC)
2x for NAS --> connect to NAS laggI may use some ports from the i350-T4 to connect my ESXi Server...maybe...
btw: do we know for sure that 2.3 will solve the PPPoE issue ?
-
It must be that damn single-core pppoe bug,
If they get solved this I would imagine 70 % of all users will be happy.
and 3 site-to-site OpenVPNs, +some road warriors.
As I am informed each OpenVPN tunnel is using one CPU core. So this could also
narrow down the entire throughput a bit more as we could imagine. Or am I wrong with this.btw: do we know for sure that 2.3 will solve the PPPoE issue?
Yep if so it many customers would be sorted right at one touch. I was also lurking on
the new Xeon D-15x8 network accelerated platforms, but they are not fully launched till
today so I have to wait longer. But it is likes it is, their is the NVMe M.2 SSD the problem
to get this SSD type working flawless as reported here in the forum. -
@BlueKobold:
It must be that damn single-core pppoe bug,
If they get solved this I would imagine 70 % of all users will be happy.
Agree…
@BlueKobold:
and 3 site-to-site OpenVPNs, +some road warriors.
As I am informed each OpenVPN tunnel is using one CPU core. So this could also
narrow down the entire throughput a bit more as we could imagine. Or am I wrong with this.Well I don't really see which process goes to which core, but I really hope OpenVPN procresses don't stick all to the same single core as pppoe… The operating system should take care to distribute different processes to different available cores of the CPU.
So far I didn't have problems with this, as traffic inside these tunnels is only limited to inter-site intranet traffic, which is minimal.@BlueKobold:
btw: do we know for sure that 2.3 will solve the PPPoE issue?
Yep if so it many customers would be sorted right at one touch.
As far as I read the bug reports, they are not so optimistic. Where did you see a clear statement that this is going to be fixed in pfSense v2.3???
-
As far as I read the bug reports, they are not so optimistic. Where did you see a clear statement that this is going to be fixed in pfSense v2.3???
There is not clear statement out! @nikkon was asking for what we can be sure on this that it will be
solved out in the version 2.3 and I was answering if they get it to work, many users will be sorted with
one touch. -
@nikkon @robi I have RDS as well. Too bad PPPoE is an issue since one of the reasons for moving to it was to get away from the proprietary wifi routers and their 'magic'/'hardware' NAT without sacrificing speed. I wonder if there are any PPPoE bridges out there - use the ISP box to handle PPPoE and pfsense for routing (maybe through some virtual lan or such)?
@nikkon where in RO did you get supermicro? I don't see a lot of options.
@sudonim interesting comment about em vs igb driver. Initially I went with em but after reading the comments about it being old and igb being newly written and supported, I decided to go for the respective Intel NICs, basically 82575 and 82576 - on paper they look a lot beefier than 82571. Can you expand on why em is better than igb? Thanks!
-
I got my both supermicro mobo's from Elko
First one was an J1900. Both ware planned for pfsense :) -
How big was the CPU difference after the upgrade?
-
Same goes to this thread here..
Would you run iperf test first ?
So that at least you roughly know what your hardware is capable of.Some good ref on how user test his hardware so that he understand what exactly his hardware is capable of:
https://forums.openvpn.net/topic15861.html -
sory for my late asnwer :(
C2758 is much faster than J1900, firs of all is octo-core vs quad, still if you don't use openvpn/ipsec only the difference in pfsense is not much…notable but not so big.In my case, with pppoe cpu matters when i use the full bandwith downloading stuff. -
You could go completely overboard with a Supermicro X10SRM-F and a Xeon E5-1620 v3 ;)
I think this setup could even handle surricata-inline on 2.3 at 1GBe. Will try as soon as the X10SRM with 10GBe is available.
-
You could go completely overboard with a Supermicro X10SRM-F and a Xeon E5-1620 v3 ;)
I think this setup could even handle surricata-inline on 2.3 at 1GBe. Will try as soon as the X10SRM with 10GBe is available.
Suricata will be much more easy to handle!!! it's multithreading application.On the other side Snort is single and doesn't use the advantage of multi core CPU's
no clue if suricata will support PPPoE ? -
Is using em driver better than igb for pppoe connections?
-
have no clue…does the driver matters?
-
See this previous post (has some nice links):
@sudonim:From my research and experiments, you need an older system that uses an "em" driver card not an "igb" card. https://kdemaria.wordpress.com/2015/04/22/how-to-configure-pfsense-2-2-2-for-centurylink-gigabit-seattle-edition/#comment-300
You might have bad luck with PPPoE and gigabit with an igb card because of this issue: https://redmine.pfsense.org/issues/4821
