On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there. I need
something that is the size of a router, but can do 1Gbps with pfSense.

Who's got working configs / hardware combos that do 1Gbps easily?

My home pfSense system is a 16GB RAM, 4-core Intel E3-1220 with a quad-port i350-t4 card. I moved over to it yesterday from the VM I had been using. Performance difference is striking. Best effort out of the VM was about 44Mb/s for download on a 1Gb line. Raw port was about 660 Mb/s. "New" (old from eBay) unit is about 800 Mb/s +/- some.

As you get to higher bit rates, you need a) sufficient processor power, b) sufficiently powerful NIC hardware to offload the CPU for things the CPU doesn't do as well as the NIC.  I expect to keep this combo going until we get multi Gigabit service in our area.


I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem directly,
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC Engines, it drops to ~400Mbps.

There are several competing "router boards" (MikroTik and the like), but
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.

This unit is a cheap version of the small 1U boxen I used at my previous $dayjob for compute cluster/file system clients.  They were testing boxes, not too powerful for the high end of compute/networking (40Gb Infiniband), but able to drive load.  Lower spec boxes can't generally hack high data rates for any number of reasons.

Joe Landman
t: @hpcjoe
g: https://github.com/joelandman

