Title: SG-1000 OpenVPN performance
Post by: rdr on March 19, 2017, 12:56:44 pm
In my use case, all the traffic goes through my brand new SG-1000. On this SG-1000 an OpenVPN client is configured and all the traffic is routed through OpenVPN. I use firewalling, NAT and dual stack IPv4 / IPv6. Software version: 2.4.0.b.20170318.0910

Network diagram: desktop (iperf client) ==> switch ==> SG-1000 ==> ISP box in bridge mode ==> Internet

Performance (heavy traffic like BitTorrent and TCP iperf with default options have about the same perfs):

Are those perfs the ones expected with the SG-1000? Or am I missing something?

Side notes:

I made other tests:

Any suggestions on how to improve non-OpenVPN traffic?
Title: Re: SG-1000 OpenVPN performance
Post by: athompso on March 21, 2017, 02:23:31 pm
From what I recall Jim saying, your OpenVPN numbers are about right until someone finishes the ARM crypto driver for FreeBSD and integrates it into pfSense, at which point encrypted traffic should perform almost as well as unencrypted traffic.

However, your numbers for unencrypted traffic sound about right for a cheap ARM CPU.  (The SG-1000 isn't cheap, but its CPU is - relatively speaking, anyway.)  The SG-1000 is not the speediest thing around, nor is it intended to be.  It's intended to be small, low power, and "cheap enough".

I would also try turning polling on and off, to see what difference that makes.

Ultimately, based on the CPU specs for that ADI board, I doubt you'll see much past 40Mbps aggregate throughput, at least until the next-gen pfSense based on (?) netmap arrives.  And even then, 100Mbps would be about as much as the unit can handle, I think.

The presence of gigabit interfaces isn't indicative that the unit can pass 1Gbps, unfortunately; they're there for compatibility with modern equipment.  You get what you pay for... if you need >100Mbps throughput, at least buy an SG-2240 (IMHO)!

Title: Re: SG-1000 OpenVPN performance
Post by: rdr on March 22, 2017, 03:54:01 am

Thanks for your reply. I am afraid that 10~20Mbps through VPN is indeed the best I can get. It would be nice if I were lucky enough that someone from Netgate / pfSense could confirm that here. Can you please provide a link containing information regarding the ARM crypto driver and its integration into pfSense?

But without VPN I think there really is an issue with the maximum 25Mbps I get. It should be more than 100Mbps, I think:

I guess you are referring to the SG-2220. I considered it, but it's for home so I am trying to reduce the cost. And if I'm not mistaken we still don't have precise information about that Intel Atom C2000 broken CPU issue.