Topics - Tacoma

The good news:
Just ran an iperf test on my IPsec gateway VPN, which has gigabit fiber connections on the WAN side.
My hardware on both ends is a Supermicro motherboard with 8-core Atom CPUs and 8 GB of memory.
Here are the results from one iperf test:

Client connecting to x.x.x.1, UDP port 5001
Sending 1470 byte datagrams, IPG target: 11.76 us (kalman adjust)
UDP buffer size: 56.0 KByte (default)
[  3] local x.x.x.5 port 18443 connected with x.x.x.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1.16 GBytes   999 Mbits/sec
[  3] Sent 849358 datagrams

Which is 99.9% of the theoretical bandwidth.

The bad news for release 2.4.2: this was run on release 2.3.4.

I have run these gateway VPNs for years on version 2.x with good results.
But now, with upgrading to 2.4.x, things went to crap.
Recently, after upgrading to 2.4.x, I began to get kernel crashes on one side.
I read up on this in the pfSense forum and found recommendations for some buffer settings on ports. There were some discussions about FreeBSD issues, so I tried the latest DEV version. I played with MTU settings. I started with fresh installs of 2.4.2 on both sides. All to no avail. When I benchmarked 2.4.x I was getting less than 1/3 of the throughput or worse from those on V 2.3.4.

I did benchmark testing using the following:

iperf pfsense to pfsense
iperf run in command line windows
ftp transfers
SMB file copy and pasting

I have a working configuration that I make one change to (moving from fixed IP to dyndns), and it stops working.
This is either a bug, or admittedly I might be doing something wrong.

Currently testing with:

2.2.5-DEVELOPMENT (amd64)
built on Sat Jul 25 19:57:37 CDT 2015
FreeBSD 10.1-RELEASE-p15

Note: I originally tested with 2.2.4 with the same results, then applied the gitsync update to move from 2.2.4 to 2.2.5.

This pfSense router sits behind another WAN router with TCP ports open that allows the VPN to function. I have a working configuration that has My Identifier configured as the IP address with the public IP address of the WAN router (see config images below).

The configuration used is a working IPsec IKEv2 with P2 ESP.
The second image shows a configuration with a single change to the working configuration, setting My Identifier to Dynamic DNS, which does not work. Some of the confidential configuration settings have been changed to generic values, but you will get the idea looking at the images.

The first configuration works.

This second configuration using Dynamic DNS does NOT work.

IPsec / IPSec performance using 1 gigabit /second WAN
« on: June 16, 2015, 01:54:56 pm »
I am interested in IPSec performance using 1 gigabit/sec WAN connections.
My initial testing is run on the bench using spare computers.
Ultimately I was hoping to use the 4 core SG-4860 devices in our applications, but only if I am certain I can get the full 1 gigabit throughput through the IPSec tunnel.

In my testing there are 4 computers used.
2 of the computers have dedicated pfSense installations with IPSec tunnels connecting them on the WAN side.
The IPSec tunnel is set up for AES 256 in phase 1 and 2.

The 2 other computers are used in a file transfer test from LAN side to LAN side across the tunnel.
When the two computers are set up on the same subnet as a benchmark baseline, the file transfer rates are at the full 1 gigabit/second speed.
However, when using the IPSec tunnel to transfer the files, the transfer rate drops to around 80-100 Mbit/sec.
These test devices are all dedicated to this test.

Attached are activity performance screenshots. The two pfSense computers are mostly idle except for the interrupt task, and they show free memory still available. On pfSense computer #1, utilization runs around 50-65% on the interrupt routine, and pfSense computer #2 shows around 30% utilization on the interrupt routine. Since utilization is well less than 100%, I am wondering why the throughput isn't better?
Are there any settings or recommendations that might increase the speed?
Can anyone show me results from a pair of SG-4860's that show they can handle the full 1 gigabit speed?

See performance attachments for:
pfsense computer 1
pfsense computer 2
