I know a lot of performance work has gone into both FreeBSD and pfSense, but I haven't tested the limits in a long time, so I'm asking...

I'm running a pair of firewalls, each with dual Xeon L5520 CPUs (4c/8t, 2.26GHz, 8M L2), 48GB triple-channel RAM, where all networking occurs on carp(4) interfaces on top of vlan(4) interfaces on top of trunk(4) on top of dual onboard em(4) (Intel 82576). (These are Dell C6100 XS23-TY3 blades, if anyone cares...)

The question is: would pfSense give me better routing performance than OpenBSD on these systems?

Currently these firewalls run OpenBSD, because I needed simultaneous BGP and OSPF, which pfSense [still/once-again] can't do. I no longer need to run an IGP at that location, so switching to pfSense is now an option.

OpenBSD's pf(4) engine is still single-threaded, and so are the interrupt handlers, so despite CPU and RAM that would normally be massive overkill, these systems max out at just over 105k searches per second, which translates to somewhere between 100kpps-200kpps bidirectional. (I found this out the hard way when someone behind that router decided to scan the entire internet.) Beyond that, they start dropping packets. Gracefully, as pf(4) handles queue congestion, but dropped nonetheless.

The OpenBSD team claims that their pf(4) implementation is highly optimized, much more so than it was when FreeBSD imported it. On the other hand, I'm given to understand that FreeBSD's, or at least pfSense's, pf(4) implementation is now multi-threaded, which should theoretically allow scaling further where OpenBSD simply pegs one core.

If I have to, I'll probably just convert one and try to stress-test it. Scanning the entire IPv4 internet should be an adequate stress test :-/.

Comparison data? *Educated* guesses? Thoughts? Although it's pointless to ask, please try to keep baseless fanboi-type opinions to yourselves. I'm already a fan of pfSense, and I've explained above why I couldn't use it here.

Thanks,

-Adam

--
-Adam Thompson
 athom...@athompso.net

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list