Is there some way of doing this? I'm thinking that prior to putting my Protectli VP2410 (with m.2 128GB storage and 8GB ram) into service there might be a way to see if it can handle a certain number of users. Maybe ramp up the number of users with varying simulated traffic to see what sort of environment it can handle. I know this would be a rough approximation, but right now I don't have any idea.
Rough estimates might come from the current amount of traffic that a typical user generates. Measure the base load (CPU/RAM/Network) with the firewall idle, and measure again with varying numbers of typical users to see how it ramps up, then extrapolate to the limit of your resources.
Problems are of course:
- There is no such entity as a typical user
- Your firewall may not be the bottleneck
- Usage patterns may be erratic
If you are in a home setting then the best strategy would be to start with a basic NAT firewall and add features (IDS/IPS particularly) until the pain gets too much, then take it back a notch. If you are in a corporate environment, get your bean counters to shell out for Loadrunner (other load simulators are available).
Bart...
Thanks for your reply.
Presently the hw+OPNSense is only connected to 1 device. I have no way of knowing if it can handle 5 users or 10 or 25 or more or only 1. I do see that the d/l and u/l speeds are the same in comparison to when there wasn't a fw to go thru and I do have all the services enabled that I believe to be sufficient. It certainly doesn't seem right to just install the fw at a client and hope it performs to their satisfaction. And I can't keep tweaking the services until all are happy (majority of clients are not ok with some period of adjustment). I'd like to know beforehand, at least roughly. Do you mean to say that is how it is typically done? Install it and then adjust for acceptable performance? The performance may be terrible right away and no amount of adjustment would prove to be worthwhile. Perhaps JMeter?
You can simulate a large number of concurrent HTTP(S) sessions with tools like Gatling or Apache JMeter.
Both will need a serious investment of time to familiarize yourself with their workings.
https://gatling.io
https://jmeter.apache.org
OTOH in most configurations OPNsense does not do that much at the application level. If network throughput measured with iperf3 can max out your uplink bandwidth, the number of internal users is really not that important. In most cases you will be limited by your uplink.
Only if you intend to run Suricata or Zenarmor might you want to measure throughput with the tools mentioned.
HTH,
Patrick
If you have clients then you owe it to them to provide a credible route to live, IMHO.
You could build a test system and measure the resource use as I outlined. Recruit testers (e.g. students) to help create real traffic. See if some customers want to do user acceptance testing for an initially reduced fee.
These are very common approaches and align with formal frameworks such as ITIL https://en.wikipedia.org/wiki/ITIL and TOGAF https://www.opengroup.org/togaf.
They are dull as dishwater and likely much more than you need, but worth keeping in mind even at smaller scale.
Bart...
Or simply buy hardware matching your specs. :-)
All Deciso appliances have throughput and concurrent session numbers specified.
I've measured the speed thru several browser apps and it is not any less than if the fw's services were all off. Both d/l and u/l speeds are > 300Mbps either with or without OPNsense. iperf3 speed is the same between a machine without the fw and a machine with the fw.
pmhausen: I'm not sure what you meant by:
"If network throughput measured with iperf3 can max out your uplink bandwidth, the number of internal users is really not that important. In most cases you will be limited by your uplink."
Here are some numbers in case that helps:
w/ the fw:
C:\Users\Owner\Desktop>iperf3 -c nyfiosspeed4.west.verizon.net
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
[ 4] local 192.168.1.101 port 54150 connected to 206.124.86.196 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 15.5 MBytes 130 Mbits/sec
[ 4] 1.00-2.01 sec 17.2 MBytes 145 Mbits/sec
[ 4] 2.01-3.00 sec 17.4 MBytes 146 Mbits/sec
[ 4] 3.00-4.00 sec 17.5 MBytes 147 Mbits/sec
[ 4] 4.00-5.00 sec 17.2 MBytes 145 Mbits/sec
[ 4] 5.00-6.00 sec 17.4 MBytes 146 Mbits/sec
[ 4] 6.00-7.00 sec 17.0 MBytes 143 Mbits/sec
[ 4] 7.00-8.01 sec 17.5 MBytes 146 Mbits/sec
[ 4] 8.01-9.01 sec 17.2 MBytes 145 Mbits/sec
[ 4] 9.01-10.00 sec 17.2 MBytes 145 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 171 MBytes 144 Mbits/sec sender
[ 4] 0.00-10.00 sec 171 MBytes 144 Mbits/sec receiver
w/o the fw:
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
[ 4] local 10.3.3.153 port 37583 connected to 206.124.86.196 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 15.4 MBytes 129 Mbits/sec
[ 4] 1.00-2.00 sec 17.2 MBytes 144 Mbits/sec
[ 4] 2.00-3.01 sec 17.2 MBytes 144 Mbits/sec
[ 4] 3.01-4.00 sec 15.9 MBytes 134 Mbits/sec
[ 4] 4.00-5.00 sec 17.1 MBytes 144 Mbits/sec
[ 4] 5.00-6.00 sec 17.2 MBytes 145 Mbits/sec
[ 4] 6.00-7.00 sec 17.0 MBytes 143 Mbits/sec
[ 4] 7.00-8.00 sec 17.2 MBytes 145 Mbits/sec
[ 4] 8.00-9.00 sec 17.4 MBytes 146 Mbits/sec
[ 4] 9.00-10.01 sec 17.2 MBytes 144 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 169 MBytes 142 Mbits/sec sender
[ 4] 0.00-10.01 sec 169 MBytes 142 Mbits/sec receiver
(had trouble finding public iperf servers that would do a test)
You are seeing what Patrick predicted; speed is limited by your WAN, not by the firewall resources.
If my internet is 300/300 Mbps, shouldn't the iperf results be around 300Mbps? And the fact that the results are the same with and without the fw is why you are saying the uplink is the limiting factor?
Yes, that's right.
Try to use multiple concurrent connections.
Are you saying "multiple concurrent connections" for OPNsense or for iperf?
If it's iperf, here it is for a -P of 4 and 8 and just showing the last section:
C:\Users\Owner\Desktop\iperf-3.1.3-win64\iperf-3.1.3-win64>iperf3 -c nyfiosspeed4.west.verizon.net -P 4
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 100 MBytes 84.3 Mbits/sec sender
[ 4] 0.00-10.00 sec 100 MBytes 84.3 Mbits/sec receiver
[ 6] 0.00-10.00 sec 101 MBytes 84.4 Mbits/sec sender
[ 6] 0.00-10.00 sec 101 MBytes 84.4 Mbits/sec receiver
[ 8] 0.00-10.00 sec 100 MBytes 84.3 Mbits/sec sender
[ 8] 0.00-10.00 sec 100 MBytes 84.3 Mbits/sec receiver
[ 10] 0.00-10.00 sec 100 MBytes 84.2 Mbits/sec sender
[ 10] 0.00-10.00 sec 100 MBytes 84.2 Mbits/sec receiver
[SUM] 0.00-10.00 sec 402 MBytes 337 Mbits/sec sender
[SUM] 0.00-10.00 sec 402 MBytes 337 Mbits/sec receiver
C:\Users\Owner\Desktop\iperf-3.1.3-win64\iperf-3.1.3-win64>iperf3 -c nyfiosspeed4.west.verizon.net -P 8
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 52.1 MBytes 43.7 Mbits/sec sender
[ 4] 0.00-10.00 sec 52.1 MBytes 43.7 Mbits/sec receiver
[ 6] 0.00-10.00 sec 56.1 MBytes 47.1 Mbits/sec sender
[ 6] 0.00-10.00 sec 56.1 MBytes 47.1 Mbits/sec receiver
[ 8] 0.00-10.00 sec 47.1 MBytes 39.5 Mbits/sec sender
[ 8] 0.00-10.00 sec 47.1 MBytes 39.5 Mbits/sec receiver
[ 10] 0.00-10.00 sec 56.0 MBytes 47.0 Mbits/sec sender
[ 10] 0.00-10.00 sec 56.0 MBytes 47.0 Mbits/sec receiver
[ 12] 0.00-10.00 sec 24.2 MBytes 20.3 Mbits/sec sender
[ 12] 0.00-10.00 sec 24.2 MBytes 20.3 Mbits/sec receiver
[ 14] 0.00-10.00 sec 56.0 MBytes 47.0 Mbits/sec sender
[ 14] 0.00-10.00 sec 56.0 MBytes 47.0 Mbits/sec receiver
[ 16] 0.00-10.00 sec 56.0 MBytes 47.0 Mbits/sec sender
[ 16] 0.00-10.00 sec 56.0 MBytes 47.0 Mbits/sec receiver
[ 18] 0.00-10.00 sec 56.0 MBytes 47.0 Mbits/sec sender
[ 18] 0.00-10.00 sec 56.0 MBytes 47.0 Mbits/sec receiver
[SUM] 0.00-10.00 sec 404 MBytes 339 Mbits/sec sender
[SUM] 0.00-10.00 sec 404 MBytes 339 Mbits/sec receiver
For iperf.
Does running iperf3 with the -P option qualify as 'multiple concurrent connections'? And if so, how is that translated or used with OPNsense?
If you run only a single connection with iperf you cannot use the full bandwidth of your uplink. As you have proven yourself, as soon as you use multiple connections you get ~ 300 Mbit/s. You can expect a similar throughput through your OPNsense but probably not for a single isolated stream.
I thought you were concerned about multiple users, not a single connection?
You can run iperf from an internal system to some system on the Internet and try a hundred or so to simulate your concurrent users. OPNsense will probably easily deal with that unless your hardware is severely limited.
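A small parser for the iperf3 summary rows quoted in this thread, added here as an example (not code from the thread or from OPNsense): it compares the same test run through the firewall and bypassing it against the subscribed link rate, so the single-stream runs come out inconclusive while the -P runs point at the uplink, as Patrick explains. The bypass -P 4 row and the 300 Mbit/s link rate are assumptions taken from the poster's numbers.

```python
"""Decide from iperf3 summary rows whether the uplink or the firewall caps throughput."""
import re

# Matches a per-stream or [SUM] summary row such as
# "[ 4] 0.00-10.00 sec 171 MBytes 144 Mbits/sec receiver".
# Only receiver rows are used: on Linux the sender row carries an extra Retr column.
SUMMARY_RE = re.compile(
    r"^\[\s*(?P<id>\d+|SUM)\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+\w+\s+"
    r"(?P<rate>[\d.]+)\s+(?P<unit>[KMG])bits/sec\s+(?P<role>sender|receiver)$"
)
TO_MBPS = {"K": 0.001, "M": 1.0, "G": 1000.0}

def receiver_mbps(output):
    """Aggregate receiver rate in Mbit/s: the [SUM] row for a -P run, otherwise the
    lone stream's row; 0.0 if no summary row is present."""
    rates = {}
    for line in output.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m and m.group("role") == "receiver":
            rates[m.group("id")] = float(m.group("rate")) * TO_MBPS[m.group("unit")]
    return rates.get("SUM", next(iter(rates.values()), 0.0))

def verdict(with_fw, without_fw, link_mbps, tol=0.10):
    """Compare the same iperf3 test run through the firewall and bypassing it."""
    fw, nofw = receiver_mbps(with_fw), receiver_mbps(without_fw)
    near_link = lambda v: v >= link_mbps * (1 - tol)
    if near_link(fw) and near_link(nofw):
        return "uplink"        # both saturate the WAN: the firewall is not the limit
    if near_link(nofw) and fw < nofw * (1 - tol):
        return "firewall"      # only the bypass run saturates: the firewall costs throughput
    return "inconclusive"      # neither reaches the link: retry with more -P streams

# Single-stream receiver rows as quoted in the thread (through the firewall / bypassing it).
FW_P1 = "[ 4] 0.00-10.00 sec 171 MBytes 144 Mbits/sec receiver"
NOFW_P1 = "[ 4] 0.00-10.01 sec 169 MBytes 142 Mbits/sec receiver"
# -P 4 through the firewall as quoted; the bypass -P 4 row is a constructed sample.
FW_P4 = """[ 4] 0.00-10.00 sec 100 MBytes 84.3 Mbits/sec receiver
[SUM] 0.00-10.00 sec 402 MBytes 337 Mbits/sec sender
[SUM] 0.00-10.00 sec 402 MBytes 337 Mbits/sec receiver"""
NOFW_P4 = "[SUM] 0.00-10.00 sec 405 MBytes 340 Mbits/sec receiver"  # constructed

if __name__ == "__main__":
    print("single stream:", verdict(FW_P1, NOFW_P1, link_mbps=300))  # inconclusive
    print("four streams:", verdict(FW_P4, NOFW_P4, link_mbps=300))   # uplink
```

Run the same client command (`iperf3 -c <server> -P 4` and so on) from a host behind the firewall and from one plugged straight into the modem, paste each summary into the script, and only read a "firewall" verdict as meaning the appliance is the bottleneck.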
Thanks for your reply. I'm assuming you're for Deciso. I've been looking at their appliances. Specifically, the DEC675. That says it can do 3 million concurrent connections. How many users would that translate into? And how many apps would that mean? I know there is no perfect number or average user, but roughly?
It seems unlikely it can handle a million users or even 100,000 at 30 connections per user.
I'm interested in what it could do with a flat network and say each user has 1 video running and 10 open tabs for 1 browser.
An open tab that is idle commonly has got zero open connections. The content for a web page is downloaded, rendered, displayed, and the connection closed. Originally browsers used a maximum of four concurrent connections. This might have changed, I don't know. Dynamic web apps with a rich Javascript frontend might behave differently.
You cannot have a hundred thousand users in a flat network. Even with IPv6 and a plethora of addresses a broadcast domain larger than a couple of thousand will bring your network to a meltdown.
How many users are you planning for, anyway? What is the network topology? How many of them are working at the same time?
Maybe you should contact Deciso if you plan an installation this big that it gives you serious performance concerns.
And no, apart from one or two regulars nobody here works for Deciso, including myself. This is a community forum, not the Deciso support channel. If you need authoritative information from them, call or send an email.
Thanks for your reply.
I was merely giving some assumptions upon which to base a rough estimate of users, i.e. flat network and what each typical user was doing at any one time. This should simplify how to make sense of the fw/hw numbers, e.g. 3 million concurrent connections.
Why then do fw/hw companies spec out multiple concurrent connections if it doesn't represent anything realistic as far as what a firewall can handle for users?
I never intend to provide a fw for that many users, just wanting to have a way to look at the published numbers and be relatively certain it will work in the network of interest.
A firewall is also used to protect up to hundreds or thousands of physical or virtual servers each of which might serve tens or hundreds of thousands of clients at a time.