Hi,

As I mentioned, I'm trying to deploy pfSense for a colocation environment.

Today I did some performance tests using the main type of traffic - HTTP requests - ApacheBench from my laptop to a Linux server with only the pfSense firewall in between. The firewall has 2 Gbit NICs, a Celeron 2.4 GHz CPU and 512M RAM. I'm testing a very basic setup initially - a single rule which allows traffic from the test host to any port on my Apache web server.

What happens with pfSense is (vmstat output):

 0 4 0 41432 460856 344 0 0 0 314 0 0 1859 432 3519 1 11 89
 0 3 0 36736 461816 393 0 0 0 412 0 1 5636 489 10521 1 27 72
 0 4 0 41432 460856 344 0 0 0 315 0 0 4555 432 8495 1 26 73
 0 3 0 36964 461760 402 0 0 0 419 0 1 120 500 305 0 2 98
 0 4 0 41660 460800 344 0 0 0 313 0 0 121 434 303 1 1 98
 0 3 0 36736 461816 398 0 0 0 416 0 0 115 493 294 1 1 98

On my test box:

 [EMAIL PROTECTED]:/download> /tmp/ab2 -n 100000 http://host/
 This is ApacheBench, Version 2.0.41-dev <$Revision: 1.121.2.12 $> apache-2.0
 Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
 Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/

 Benchmarking host (be patient)
 Completed 10000 requests
 apr_poll: The timeout specified has expired (70007)
 Total of 12327 requests completed

So as you can see it starts well and then it just dies. If I simply plug the cable into the test box directly, bypassing the firewall, it works just great, completing the test:

 Concurrency Level: 1
 Time taken for tests: 107.391084 seconds
 Complete requests: 100000
 Failed requests: 0
 Write errors: 0
 Non-2xx responses: 100000
 Total transferred: 412900000 bytes
 HTML transferred: 393100000 bytes
 Requests per second: 931.18 [#/sec] (mean)
 Time per request: 1.074 [ms] (mean)
 Time per request: 1.074 [ms] (mean, across all concurrent requests)
 Transfer rate: 3754.71 [Kbytes/sec] received

As you can see it even dies at the minimal concurrency level of 1! I started with limiting the number of states in the state table to 100000 but tried with 1000000 as well - still no luck.

The tables get just some 50.000 states during the test. Setting a lower state timeout does not help. I tried playing with state in the firewall and "none" and "synproxy" did not seem to work at all - I could not connect to port 80 after I set these.

After more tests I can see:

1) setting "aggressive" optimization and 10000 states makes it work. States however go well above 10000, so this limit seems to be misleading.
2) aggressive and 100000 states also work.
3) going to normal optimization causes the box to stop processing after a certain number of connections.
4) going to "conservative" behaves the same way as normal, stopping responding.

This looks like a serious issue to me - any advice here?

One more strange issue - after I stopped the test and made sure there is no more traffic on the interface I still see the CPU loaded some 10-15% by vmstat. top does not allow me to identify which process takes it:

 # vmstat 5
  procs      memory      page                    disk   faults      cpu
  r b w     avm    fre  flt  re  pi  po  fr  sr ad2   in   sy  cs us sy id
  1 3 0   39508 459700 1461   0   0   0 1438   0   0 1578 2066 3069 11 11 77
  0 3 0   39508 459700 2115   0   0   0 2080   0  22  174 3278  463 12  6 82
  0 3 0   39272 459756 2126   0   0   0 2095   0  22  179 3288  473 12  6 82
  1 3 0   48280 453448 2458   0   0   0 2110   0  22  175 3508  465 14  7 79
  0 3 0   39272 459756 2140   0   0   0 2418   0  22  177 3314  468 11  6 82
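The post above reports the firewall stalling at a state count well below the configured limit, and a request rate of about 931 req/s at concurrency 1. The script below is an added example (my code, not from the poster or the pfSense project) of the check a practitioner would run before and during such a test: it reads the current state count and the configured hard limit from pfctl output and estimates, via Little's law (states in table ≈ arrival rate × how long each state lives), how large the table must be for a given request rate. The two pfctl outputs embedded here are constructed samples in the layout `pfctl -si` and `pfctl -sm` print; the 90 s state lifetime used for the sizing estimate is an assumption, not a value from the post.

```python
"""Check pf state-table headroom from pfctl -si / pfctl -sm output and
estimate the table size a given request rate needs (added example)."""
import math
import re

# Constructed sample in the layout `pfctl -si` prints; not captured from the
# poster's firewall. The entry count mirrors the ~50,000 states seen in the post.
SAMPLE_PFCTL_SI = """\
Status: Enabled for 0 days 01:12:33           Debug: Urgent

State Table                          Total             Rate
  current entries                    50123
  searches                        12345678          2836.0/s
  inserts                           112327            25.8/s
  removals                           62204            14.3/s
"""

# Constructed sample in the layout `pfctl -sm` prints (limit set to the post's
# first setting of 100000 states).
SAMPLE_PFCTL_SM = """\
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
"""


def parse_current_entries(pfctl_si_output: str) -> int:
    """Return the 'current entries' count from `pfctl -si` output."""
    m = re.search(r"^\s*current entries\s+(\d+)", pfctl_si_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'current entries' line in pfctl -si output")
    return int(m.group(1))


def parse_state_limit(pfctl_sm_output: str) -> int:
    """Return the hard limit on states from `pfctl -sm` output."""
    m = re.search(r"^\s*states\s+hard limit\s+(\d+)", pfctl_sm_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'states hard limit' line in pfctl -sm output")
    return int(m.group(1))


def required_states(requests_per_sec: float, state_lifetime_sec: float) -> int:
    """Little's law: steady-state entries = arrival rate * mean time a state lives.

    Each short HTTP connection leaves a state behind until its timeout expires,
    so the table must hold rate * lifetime entries even at concurrency 1.
    """
    return math.ceil(requests_per_sec * state_lifetime_sec)


def state_table_report(current: int, limit: int, warn_fraction: float = 0.8) -> dict:
    """Summarise utilisation and flag a table that is near or at exhaustion."""
    utilisation = current / limit
    return {
        "current": current,
        "limit": limit,
        "utilisation": round(utilisation, 3),
        "warning": utilisation >= warn_fraction,
        "exhausted": current >= limit,
    }


if __name__ == "__main__":
    current = parse_current_entries(SAMPLE_PFCTL_SI)
    limit = parse_state_limit(SAMPLE_PFCTL_SM)
    print(state_table_report(current, limit))
    # Sizing for the post's measured 931.18 req/s with an assumed 90 s lifetime
    # for a closed-but-not-yet-expired TCP state.
    print(required_states(931.18, 90))
```

On a live firewall, replace the two constants with the output of `pfctl -si` and `pfctl -sm` (for example via `subprocess.run`). The sizing estimate is the useful part: at roughly 931 new connections per second, every 10 s of state lifetime costs about 9,300 table entries, which is why shortening timeouts (the "aggressive" optimization does exactly that) changes how far such a test gets.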
