Performance

From securityrouter.org, an OpenBSD-based firewall

The security router software is compiled for 32/64-bit Intel-compatible (i386/amd64) computers and servers. The benchmarks below were performed using two low-end computers running Linux with iperf[1] or OpenBSD with tcpbench[2] (with standard configuration and without extra command-line options), so that you know the minimum performance you should expect.

We have benchmarked a few of the servers mentioned in our list of supported hardware.

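|                    | APU2                 | Axiomtek NA-110   | Lanner FW-7573B          | Portwell CAR-4010         |
|--------------------|----------------------|-------------------|--------------------------|---------------------------|
| CPU                | AMD GX-412TC 1 GHz   | AMD G-T24L 1 GHz  | Intel Atom C2518 1.7 GHz | Intel Xeon E31275 3.4 GHz |
| Plain-text bits    | 940 Mbps             | 954 Mbps          | 2500 Mbps                | 3421 Mbps                 |
| Plain-text packets | 110 kpps             | 135 kpps          | 300 kpps                 | 493 kpps                  |
| NAT bits           | 910 Mbps             | 922 Mbps          | 1700 Mbps                | 2734 Mbps                 |
| NAT packets        | 74 kpps              | 82 kpps           | 200 kpps                 | 310 kpps                  |
| VPN (AES)          | 91 Mbps              | 95 Mbps           | 300 Mbps                 | 510 Mbps                  |
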
Name Plain-text bits Plain-text packets VPN (AES)
PC Engines ALIX 2D3[3] 90 Mbps 40 Mbps
Intel D2500CC[4][5] 50 Mbps
VMware ESX 5.1 on HP DL120 G7 500 kpps 500 Mbps

Tweaks

The default values offer a good security/performance tradeoff. However, for very powerful and busy systems, some sysctl[6] tweaking might be necessary. Exactly which settings and values to use has to be determined on a case-by-case basis, usually by inspecting the kernel memory (using for example systat) and queue lengths. If you are experienced enough to do this yourself, you can make such changes persistent by adding commands such as the following to skeleton files such as /cfg/skel/rc.local:

# just an example
sysctl net.inet.ip.ifq.maxlen=512
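
The queue inspection described above can be scripted. The following is an added example, not securityrouter.org code: it reads `sysctl net.inet.ip.ifq` output and suggests a larger maxlen only when the queue's drop counter is non-zero. The function name `ifq_recommend`, the doubling policy, the 2048 cap and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide whether the IP input queue needs a larger
# net.inet.ip.ifq.maxlen by looking at its drop counter.
# net.inet.ip.ifq.drops counts packets discarded because the queue was full;
# it is cumulative since boot, so compare readings over time on a live system.

# Constructed sample of `sysctl net.inet.ip.ifq` output from a busy system.
SAMPLE_BUSY='net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=1842'

# Constructed sample from a system whose queue never overflowed.
SAMPLE_IDLE='net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=0'

# ifq_recommend: read sysctl output (name=value lines) on stdin.
# If drops were counted, print a sysctl command that doubles maxlen.
# Doubling and the 2048 cap are assumed policy, not values from this page.
# Prints nothing when no change is needed; exits 2 if maxlen is missing.
ifq_recommend() {
    awk -F= '
        $1 == "net.inet.ip.ifq.maxlen" { maxlen = $2 + 0 }
        $1 == "net.inet.ip.ifq.drops"  { drops  = $2 + 0 }
        END {
            if (maxlen <= 0) exit 2      # input did not contain maxlen
            if (drops == 0)  exit 0      # queue never overflowed
            new = maxlen * 2
            if (new > 2048) new = 2048   # assumed upper bound
            if (new > maxlen)
                printf "sysctl net.inet.ip.ifq.maxlen=%d\n", new
        }'
}

# On a live system: sysctl net.inet.ip.ifq | ifq_recommend
```

Review the suggested line before adding it to /cfg/skel/rc.local, and re-check the drop counter under load afterwards to confirm it has stopped increasing.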