Throughput test N3150N-D3V

Pippin

Since i`m not in a hurry to put my new board to work i wanted to do a throughput test.
This also gives me time to get to know PFS before putting it on the frontdoor.

The following was used:
PC:
Asus-Z87-A
I5-4670K clock 4x 4.5 GHz
Onboard NIC Realtek 8111GR, 1 x Gigabit LAN Controller

Laptop:
PB Easynote
I5-450M clock 2x 2.4 GHz
Broadcom NetLink (TM) Gigabit Ethernet

PFS:
Gigabyte N3150N-D3V
Onboard NIC Realtek 8111G, 2 x Gigabit LAN Controller
Standard USB (memstick) installation
OpenVPN Server active
OpenVPN export package

TEST 1

Laptop -> PFS -> PC
LAN -> PFS -> WAN

C:\iperf>iperf3 -c 192.168.11.10 -t 30
Connecting to host 192.168.11.10, port 5201
[ 4] local 192.168.40.101 port 61595 connected to 192.168.11.10 port 5201
[ ID] Interval Transfer Bandwidth
#1
[ 4] 0.00-30.00 sec 2.58 GBytes 740 Mbits/sec sender
[ 4] 0.00-30.00 sec 2.58 GBytes 740 Mbits/sec receiver
#2
[ 4] 0.00-30.00 sec 2.61 GBytes 747 Mbits/sec sender
[ 4] 0.00-30.00 sec 2.61 GBytes 747 Mbits/sec receiver
#3
[ 4] 0.00-30.00 sec 2.58 GBytes 740 Mbits/sec sender
[ 4] 0.00-30.00 sec 2.58 GBytes 740 Mbits/sec receiver

#4
C:\iperf>iperf3 -c 192.168.11.10 -t 60
Connecting to host 192.168.11.10, port 5201
[ 4] local 192.168.40.101 port 61610 connected to 192.168.11.10 port 5201
[ 4] 0.00-60.00 sec 5.17 GBytes 740 Mbits/sec sender
[ 4] 0.00-60.00 sec 5.17 GBytes 740 Mbits/sec receiver

–-----------------------------------------------------------------------------
TEST 2

PC -> PFS -> Laptop
WAN -> PFS -> LAN

C:\iperf>iperf3 -c 192.168.40.101 -t 30
Connecting to host 192.168.40.101, port 5201
[ 4] local 192.168.11.10 port 61595 connected to 192.168.40.101 port 5201
[ ID] Interval Transfer Bandwidth
#1
[ 4] 0.00-30.00 sec 3.31 GBytes 946 Mbits/sec sender
[ 4] 0.00-30.00 sec 3.31 GBytes 946 Mbits/sec receiver
#2
[ 4] 0.00-30.00 sec 3.31 GBytes 946 Mbits/sec sender
[ 4] 0.00-30.00 sec 3.31 GBytes 946 Mbits/sec receiver
#3
[ 4] 0.00-30.00 sec 3.31 GBytes 946 Mbits/sec sender
[ 4] 0.00-30.00 sec 3.31 GBytes 946 Mbits/sec receiver

#4
C:\iperf>iperf3 -c 192.168.40.101 -t 60
Connecting to host 192.168.40.101, port 5201
[ 4] local 192.168.11.10 port 61610 connected to 192.168.40.101 port 5201
[ 4] 0.00-60.01 sec 6.60 GBytes 945 Mbits/sec sender
[ 4] 0.00-60.01 sec 6.60 GBytes 945 Mbits/sec receiver

–-----------------------------------------------------------------------------

In TEST 1 i suspected that the Laptop could not keep up.
To find out i swapped the Laptop and PC and did a extra TEST 3.

TEST 3

Laptop -> PFS -> PC
WAN -> PFS -> LAN

C:\iperf>iperf3 -c 192.168.40.102 -t 30
Connecting to host 192.168.40.102, port 5201
[ 4] local 192.168.11.11 port 63146 connected to 192.168.40.102 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.00 sec 2.66 GBytes 763 Mbits/sec sender
[ 4] 0.00-30.00 sec 2.66 GBytes 763 Mbits/sec receiver

PC -> PFS -> Laptop
LAN -> PFS -> WAN

C:\iperf>iperf3 -c 192.168.11.11 -t 30
Connecting to host 192.168.11.11, port 5201
[ 4] local 192.168.40.102 port 63146 connected to 192.168.11.11 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.00 sec 3.31 GBytes 948 Mbits/sec sender
[ 4] 0.00-30.00 sec 3.31 GBytes 948 Mbits/sec receiver

–-----------------------------------------------------------------------------

TEST 3 confirms that the Laptop is the limiting factor.
In the Dashboard the CPU never came above 16%.

For home use i`m pretty satisfied with this performance.
If i find time enough i want to test OpenVPN routed client to client throughput also.

divsys

What version (2.2.x or 2.3) of pfSense did you load?
Was it 32 or 64 bit?

Pippin

It`s 2.3/64 bit.

Pippin

Made time to test OpenVPN too.
These tests where done from client to PFS to client.

OVPN-Server:
Remote Access (SSL/TLS+User Auth)
udp
tun
tls static key 2048
Diffie Hellman 2048
Certs 2048
Encryption AES-256-CBC
Auth digest SHA512
prng RSA-SHA512 32
fast-io
tls-version-min 1.2 or-highest
No hardware crypto selected
No compression

OVPN-Client export:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 192.168.11.200 1194 udp
lport 0
verify-x509-name "OVPN-SERVER-CERT" name
auth-user-pass
ns-cert-type server
comp-lzo no
prng RSA-SHA512 32
tls-version-min 1.2 or-highest

Clients connect with:
Control channel: TLSv1.2 DHE-RSA-AES256-GCM-SHA384 2048 bit RSA

PFS:
System/ Advanced/ Miscellaneous - Cryptographic Hardware -> None
VPN/ OpenVPN/ Servers/ Edit - Inter-client communication -> Allowed

Command
:iperf3 -c 10.0.10.3 -t 30

With above config:
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.01 sec 534 MBytes 149 Mbits/sec sender
[ 4] 0.00-30.01 sec 534 MBytes 149 Mbits/sec receiver

Above + System/ Advanced/ Miscellaneous - Cryptographic Hardware -> AES-NI:
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.01 sec 530 MBytes 148 Mbits/sec sender
[ 4] 0.00-30.01 sec 530 MBytes 148 Mbits/sec receiver

Above + OVPN-Server BSD cryptodev engine:
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.01 sec 523 MBytes 146 Mbits/sec sender
[ 4] 0.00-30.01 sec 523 MBytes 146 Mbits/sec receiver

Above + add to client and server:
sndbuf 524288
rcvbuf 524288
Which gave:
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.01 sec 538 MBytes 150 Mbits/sec sender
[ 4] 0.00-30.01 sec 538 MBytes 150 Mbits/sec receiver

Above + no encryption
cipher none
auth none
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.01 sec 967 MBytes 270 Mbits/sec sender
[ 4] 0.00-30.01 sec 967 MBytes 270 Mbits/sec receiver

I think the results for encryption and no encryption speak for themself.

I don`t need big speeds for my home use but if someone has a idea for why enabling/disabling engine makes no difference, i would like to read it.

What is this setting doing? For what does it apply?
System/ Advanced/ Miscellaneous - Cryptographic Hardware -> AES-NI
I did not test with that setting off and enabling only BSD crypto in OpenVPN Server, will do that next time.