Alright, old hardware, but network speed is limited to only 1 Gbit! Not more! (Not per VLAN, a global 1 Gbit limit!) This is not a hardware performance problem; I think this hardware has enough performance for a 2x1Gbit parallel network connection.
We are monitoring CPU, load, etc. ... max load is 2-3, but not permanently.

We are reinstalling the backup firewall with oBSD 6.6 and making some tests.

Thanks for your reply!

--
Best regards,
Szél Gábor

WanTax Kft.
------------
tel.: +36 20 3838 171
fax: +36 82 357 585
email: [email protected]
web: http://wantax.hu
web: http://halozatom.hu



On 2019-11-12 20:46, Diana Eichert wrote:
Someone else mentioned your underlying system, Dell 2950, is ancient.
It really is ancient; just because it links up @ 10G doesn't mean you
are going to see anywhere near 10G.

On Tue, Nov 12, 2019 at 3:10 AM Szél Gábor <[email protected]> wrote:
Dear Hrvoje, Theo,

Thank you for your answers!

Answers to the questions:
- Who is the parent interface for carp? -> vlan (carp10 interface parent
vlan10 -> vlan10 interface parent -> trunk0)
- Why don't vlan interfaces have an IP address? -> It wasn't needed! I
think the vlan interface only needs to tag packets. The CARP (over vlan)
interface has the IP address.
- vether implies that you have a bridge? -> Yes, we have only one bridge
for bridged OpenVPN clients, but we will eliminate it.


We will do the following:
- refresh our backup firewall to oBSD 6.6
- replace the trunk interface with aggr
- remove the bridge interface

When the update is finished, I'll write again!

--
Regards,
Szél Gábor



On 2019-11-11 23:42, Hrvoje Popovski wrote:
On 11.11.2019. 13:42, Szél Gábor wrote:
Hello @misc,

Hi,


We have an interesting problem; we run a lot of OpenBSD routers/firewalls
in many places.

We have a larger network than our client: 300-400 local wired or
wireless endpoints, 20+ VLANs, 20+ switches.
Network structure:

   * Main switch - 2x Cisco Nexus 3k switches in HA mode (vPC dedicated
     2x40Gbit peer link, keepalive link)
   * access switches - 10+ Cisco 3750X + C3KX-SM-10G 10Gbit module;
     some 3750X stacked (2 or 3 switches)
   * Main and access switches have redundant 10Gbit fiber links (LACP)
   * where possible, jumbo frames are enabled (mtu 9000)

Firewall/router:

   * 2x Dell 2950 - 2x Xeon X5460 (8 cores), 8GB memory, 2x10Gbit SFP+
     network card
hardware is really old; if you can, buy something newer


   * redundant design - CARP, pfsync, ifstated, etc. ... master-backup
     configuration
   * HP NC550SFP network card, oce driver (mtu 9000)
if you can, change oce to ix. ixl is not so bad ...


   * dual SFP+ ports have an LACP link to the Nexus switches (2x10Gbit access
     link) - using the openbsd trunk interface
   * all vlans use the openbsd pseudo-device over the trunk interface (VLANs
     do not have an IP address, only up)
update to openbsd 6.6 or snapshot and instead of trunk use aggr. why don't
vlan interfaces have an ip address?


   * all network subnets are defined on CARP interfaces; only the management VLAN
     has an address on the VLAN interface.
who is the parent interface for carp?

   * some vether virtual interfaces for VPN, DNS, etc. ...
vether implies that you have a bridge? bridge is slow..

   * some tun and tap interfaces for VPN
   * enc interface for ipsec
ipsec is a performance killer big time ... even for traffic that doesn't
go through the ipsec tunnel .. if you can move ipsec or any vpn stuff to
other boxes, that will speed up your firewalls ...

   * one bridge interface for openVPN (during termination)
vether is in that bridge?

   * OpenBSD 6.3 64bit
please, update boxes regularly.. you have carp and pfsync, you can do
that without any problem ..

PF:

   * global block rule (block all)
   * ruleset-optimization none
   * optimization aggressive
   * reassemble no
   * block-policy drop
   * scrub enabled
   * antispoof enabled
   * regulating traffic between subnets with pf pass in/out rules
   * pf.conf is currently 1500+ lines
   * the number of connections in PF during the day is 10 000+

Problem:

We see that network traffic is limited to 1Gbit on the firewall. Not on one
link, not IP-to-IP, but for the whole firewall!

yes ... ipsec, trunk, pf are for the whole firewall .. and even if you have the
fastest box in the world you will not get the performance that you want ..


Example:

   * I make test traffic from VLAN 2 to VLAN 12 with iperf.
     The test PCs have 1Gbit ethernet cards.
     Speed is okay, ~800Mbit/sec
   * I make another traffic test from VLAN 2 to VLAN 20 with iperf, from other
     PCs
     (they also have 1Gbit ethernet cards).
     Speed is not good! ~60-80Mbit/sec
   * if I stop the first speed test (2->12), the second test's speed is okay!
     (2->20)
   * but if I make tests from completely different VLANs, 2->12 and 20->30,
     the result is the same.
if you disable pf on the vlan interfaces (set skip on vlan2/vlan12) do you
get better performance?
and after that disable ipsec and try testing again... do you see
differences?

This is a firewall (openbsd) limitation, but we don't understand why.

I know the openbsd VLAN interface has a speed problem; is this it?
not in OpenBSD 6.6

I know it's so difficult to find the mistake from so little information; what
should we look at?

OpenBSD is a great router and firewall that can do so much for you .. but
please, you really need to rethink your hardware and setup ..
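As an added example (not from anyone in this thread): the trunk-to-aggr change planned above, written as OpenBSD hostname.if(5) files for the layering described (carp10 over vlan10 over the LACP bundle, mtu 9000), with a small checker that walks the parent chain and flags a layer whose MTU exceeds the layer below it. The physical ports (ix0/ix1), the 192.0.2.0/24 address and the CARP password are assumed placeholders.

```shell
#!/bin/sh
# Example, not the thread's own config. "Before" = trunk(4) with LACP and the old
# vlan syntax (the 6.3 setup); "after" = aggr(4), available from OpenBSD 6.6, with
# the vnetid/parent vlan syntax. ix0/ix1, the address and the carp pass are assumed.

write_before() {
    dir=$1
    printf 'trunkproto lacp trunkport ix0 trunkport ix1 mtu 9000 up\n' > "$dir/hostname.trunk0"
    printf 'vlan 10 vlandev trunk0 mtu 9000 up\n' > "$dir/hostname.vlan10"
    printf 'inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 10 carpdev vlan10 pass PLACEHOLDER\n' \
        > "$dir/hostname.carp10"
}

write_after() {
    dir=$1
    printf 'trunkport ix0\ntrunkport ix1\nmtu 9000\nup\n' > "$dir/hostname.aggr0"
    printf 'vnetid 10 parent aggr0 mtu 9000 up\n' > "$dir/hostname.vlan10"
    printf 'inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 10 carpdev vlan10 pass PLACEHOLDER\n' \
        > "$dir/hostname.carp10"
}

# parent_of FILE: the parent named by parent/vlandev/carpdev, empty for a bundle.
parent_of() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i == "parent" || $i == "vlandev" || $i == "carpdev") print $(i+1) }' "$1"
}

# mtu_of FILE: the mtu set in a hostname file, 1500 (the default) if none.
mtu_of() {
    m=$(awk '{ for (i = 1; i < NF; i++) if ($i == "mtu") print $(i+1) }' "$1")
    echo "${m:-1500}"
}

# check_chain DIR IFACE: follow IFACE -> parent -> ... down to the bundle. Every
# layer must have a hostname file and must not carry a larger MTU than its parent
# (a vlan at 9000 over a bundle left at 1500 silently fragments or drops jumbo
# frames). Returns 0 when consistent, 1 otherwise.
check_chain() {
    dir=$1; ifn=$2
    while :; do
        f="$dir/hostname.$ifn"
        [ -f "$f" ] || { echo "missing $f"; return 1; }
        p=$(parent_of "$f")
        [ -n "$p" ] || return 0
        pf="$dir/hostname.$p"
        [ -f "$pf" ] || { echo "$ifn: parent $p has no hostname file"; return 1; }
        [ "$(mtu_of "$f")" -le "$(mtu_of "$pf")" ] || { echo "$ifn: mtu above parent $p"; return 1; }
        ifn=$p
    done
}
```

Run `check_chain /etc carp10` on a box to verify the chain actually deployed there.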





