Hello community
I have a DEC750, a 2-year-old model with 2.5G ports.
On the WAN side, I have a 10G XGS-PON module, 10G internet plan from my provider. The WAN interface requires a non-default VLAN tag.
For testing, I plugged my PC directly into a 10GBe transceiver in the DEC750 using default VLAN 1.
Doing internet speedtests, the highest speed I can achieve is 5.2Gbps (iperf3 with parallel streams, speedtest net, cnlab). Is this to be expected? I don't want to spend too much time trying to increase this if it's already maxing out the firewall throughput of the DEC750. What I haven't tried is disabling the firewall on the DEC750, but this falls into the "spending too much time" category since I'd never use it in that configuration.
Using the router provided by my ISP, I can reach just over 8Gbps in speed tests.
I don't own one but the published port-to-port throughput for DEC750v1 and v2 (as tested with TCP, full-duplex, unknown # of streams) is 8.5Gbps, so for a pure firewall application without IDS/IDP I don't see why you couldn't get similar results.
Aside from that, I have doubts about the SFP+ modules and VLAN setup you mentioned. A lot of variables there.
1) Is it reasonable to compare your XGS-PON module to the ISP modem and expect similar results? Have you been able to separately test and verify the module on another router box and confirm that it could hit 8Gbps with your ISP? (I'm not saying it doesn't- just that we can't assume.)
2) Do both of the transceivers negotiate properly?
3) Do you need any specific NIC and VLAN offload settings or tunables (e.g. RSS) that are recommended for the DEC750? Maybe your WAN connection is also impacted by some overhead due to VLAN tagging.
4) AFAIK, there's no "default" VLAN in OPNsense. Did you explicitly create one with VLAN ID 1? Not that it matters really, but could be some VLAN filtering overhead issue as well (?)
--
Update: Just in case...
https://docs.opnsense.org/hardware/defaults.html
Looking through the default config, I don't see any interface offload settings or tunables that aren't already default in OPNsense, except for maybe the ones related to Meltdown & Spectre mitigation. However there have been threads here recommending to at least enable RSS.
https://forum.opnsense.org/index.php?topic=24409.0
https://docs.opnsense.org/troubleshooting/performance.html#receive-side-scaling
--
UPDATE 2:
Interesting recent thread here: https://forum.opnsense.org/index.php?topic=49030.0
Presumably both of your SFP+ modules are using the same speed and not mixing (you'll need to check) but I wonder if maybe you are hitting a thermal limit with XGS-PON on the DEC750.
Thanks for the reply
It seems I've gone a bit down the rabbit hole and decided to try something else, to remove the XGS-PON SFP+ adapter from the equation.
I've connected my old ONT (XGS-PON, 10Gbe) to the ISP fiber and connected my PC directly to the ONT.
Set up VLAN 10 on my PC, got a provider non-routable IP, provisioned the new ONT, restarted it, got a public IP.
speed test: 8Gbps
https://www.speedtest.net/result/18844302123
Disconnected PC from ONT, removed VLAN 10 from PC, plugged my DEC750 into the ONT using a 10Gbe adapter, plugged my PC into another 10GBe adapter. Repeated the same test (this time through the DEC750 and the ONT).
speed test: 4.3Gbps
https://www.speedtest.net/result/18844315297
These tests were 5min apart, there wasn't much chance for hitting thermal limits on the SFP+ modules, they were only both connected for about 2 minutes.
Answer to your questions:
1) I now removed the module completely.
2) I am assuming so, it's definitely going over 5Gbps sometimes, but just barely. That's with protocol overheads too, I'm only looking at data throughput.
3) VLAN 10 on WAN interface could play a role, but impossible to test without. I don't have any other 10G routers that I could use for internal testing. I've followed all the multi-gig guides, including all tunables. Hardware offloading is all disabled, but enabling made no performance improvements, only corrupted UDP packets.
4) I don't have a VLAN id 1, I just meant that ISP needed VLAN tag 10, and on the LAN interface I didn't set up any VLAN.
The last thing to test will be turning off the firewall on the DEC750 and using it as a router. I'm holding back a bit on that because I'm worried about locking myself out, hate the thought of restoring a config through the console. But this will be a last-resort test.
I will look through your links later today, thank you.
Quote from: OPNenthu on February 14, 2026, 01:49:27 AM
I don't own one but the published port-to-port throughput for DEC750v1 and v2 (as tested with TCP, full-duplex, unknown # of streams) is 8.5Gbps, so for a pure firewall application without IDS/IDP I don't see why you couldn't get similar results.
I should have mentioned that you can confirm #2 with 'ifconfig' (the line starting with 'media:' on the interface).
Also from the GUI if you go to Interfaces->Overview->[WAN/LAN]->Details and look for the same (Media) as well as Line Rate.
Sorry I don't have more helpful hints. Hopefully someone with one of these devices has some more thoughts, or you might also e-mail Deciso support. Will be good for us to know the outcome for future upgrade decisions.
Quote from: OPNenthu on February 14, 2026, 12:14:32 PM
Also from the GUI if you go to Interfaces->Overview->[WAN/LAN]->Details and look for the same (Media) as well as Line Rate.
Sorry I don't have more helpful hints. Hopefully someone with one of these devices has some more thoughts, or you might also e-mail Deciso support. Will be good for us to know the outcome for future upgrade decisions.
Regarding #2: thanks for the tip, I didn't know so much information was available in the GUI.
Media+Link Rate looks correct, 10GBase-SFI <full-duplex rxpause txpause>. And Media (Raw) Ethernet autoselect (10GBase-SFI <full-duplex rxpause txpause>).
Line Rate: 10.00 Gbit/s
This applies to both ax0 and the VLAN 10 interface which has ax0 as the parent.
Unfortunately I can't really test iperf3 from the firewall itself because it's maxing out the CPU. It hits 5.3Gbps, but with CPU at 100%. Testing with iperf3 -s on the DEC750, I can reach 6.3Gbps from the LAN, but again, it's maxing out the DEC750 CPU so it doesn't mean much.
I will probably contact Deciso to ask if this performance is to be expected, or if I should keep looking for possible optimizations or misconfiguration.
I've come across this blog post, which also confirms that the DEC750 wouldn't be capable of reaching 10Gbps in my use case
https://blog.shade.sh/index.php/archive/2116
I've turned on hyperthreading in BIOS and applied these settings which allow all 8 cores to process interrupts as described in the post. This got my internet iperf3 performance up to 6.2Gbps, speedtest.net to 5Gbps, which is a small improvement, but I guess this is as fast as it will get.
Although we don't know what SFP+ adapters they used or their test setup, it's an interesting data point.
I don't have my DEC740 in use right now but my max was around 5 to 6 Gbit/s up/down. Down usually a bit lower than up.
That was on a 10 Gbit/s fiber WAN connection, with DHCP, not PPPoE and no IDS/IPS.
Good feedback here.
From three samples, only one claims to hit 7.5Gbps. Two top out around 6Gbps, and at least one of those is confirmed to hit 100% CPU saturation.
I guess we can see the limit of the V1500B here and the published throughput numbers should be read optimistically rather than conservatively.
Jealous of your 10g connections.
Quote from: Greg_E on February 18, 2026, 05:02:49 PM
Jealous of your 10g connections.
You only have to move to Switzerland, in an area where Init7 is providing fiber. Then you could even get 25 Gbit/s for the same price and you'll get a fixed /48 IPv6 prefix and a not-fixed-but-never-changing IPv4.
25 Gbit/s was too over the top for me :).
Not to be too far off topic, I can't even get gigabit fiber to my house, and cable is not reliable because they haven't upgraded their plant in 20 years.
And then the question of a static IP... Generally no or lots of money.
@ou1 - have you come across these?
https://medium.com/@truvis.thornton/opnsense-firewall-configuration-performance-tuning-for-multi-gigabit-internet-and-better-speeds-in-cfc80c49c544
https://calomel.org/freebsd_network_tuning.html
One of the standout tunables is "kern.ipc.maxsockbuf". On my system (2.5GbE interfaces, 1Gbps ISP) the default 4MB size seems to be OK (the mbuf denied/delayed counters are at zero) but maybe yours needs more if you can spare the memory?
root@firewall:~ # netstat -m
...
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)
Quote from: OPNenthu on February 21, 2026, 12:53:26 PM
@ou1 - have you come across these?
https://medium.com/@truvis.thornton/opnsense-firewall-configuration-performance-tuning-for-multi-gigabit-internet-and-better-speeds-in-cfc80c49c544
https://calomel.org/freebsd_network_tuning.html
One of the standout tunables is "kern.ipc.maxsockbuf". On my system (2.5GbE interfaces, 1Gbps ISP) the default 4MB size seems to be OK (the mbuf denied/delayed counters are at zero) but maybe yours needs more if you can spare the memory?
Thanks for the links.
I haven't seen that specific guide, but I see that I already have almost all of those settings. My kern.ipc.maxsockbuf was already at 16MB and my deny/delay counts are also at 0/0/0. I've tried setting some more of the options from this guide but it didn't seem to make any difference. I'm maxing out at around 6.2Gbps. If I enable Netflow, it drops to under 5.
I think given I have VLAN tagging on both LAN and WAN interfaces, 15W fan-less box, the performance is already really good.
Quote from: Greg_E on February 20, 2026, 08:10:07 PM
Not to be too far off topic, I can't even get gigabit fiber to my house, and cable is not reliable because they haven't upgraded their plant in 20 years.
And then the question of a static IP... Generally no or lots of money.
I need to remember not to take fiber for granted. I'm not even with the best fiber provider in Switzerland, like @patient0, but it's cheap, fast, very reliable, and lets you bring your own hardware (as long as it's on their list of approved hardware). I don't have static IPv4 but I'm using godns (https://github.com/TimothyYe/godns) to update a DNS record from one of my domains, which is good enough for me.
Quote from: ou1 on February 16, 2026, 09:55:46 AM
I've come across this blog post, which also confirms that the DEC750 wouldn't be capable of reaching 10Gbps in my use case
https://blog.shade.sh/index.php/archive/2116
I've turned on hyperthreading in BIOS and applied these settings which allow all 8 cores to process interrupts as described in the post. This got my internet iperf3 performance up to 6.2Gbps, speedtest.net to 5Gbps, which is a small improvement, but I guess this is as fast as it will get.
Hey there ;) Glad that my posts are still somehow useful. I did a lot of tests on my Init7 10G line and never got over the maximum posted on my blog.
But I'm open to other missing optimisation values I may have overlooked. My personal opinion is that you need at least the DEC850 to reach true 10G.
Honestly I think you can't actually get 10G ~ wirerate.
When you check the vendor-tested specs, you can see 4 important things:
Quote:
Firewall Throughput - 10Gbps = BackPlane
Firewall Packets Per Second - 830Kpps = Backplane
Firewall Port to Port Throughput - 8.5Gbps = Throughput per single 10G NIC
Firewall Port to Port Packets Per Second - 719Kpps = Throughput per single 10G NIC
https://shop.opnsense.com/dec700-series-opnsense-desktop-security-appliance/
These basically specify what the vendor's "guaranteed performance" is. Realistically speaking, the MAX you should get is 8.5G, but that will heavily depend on your implementations.
If you have, for example, the shaper enabled, try disabling it to see if that helps increase the raw output.
Regards,
S.
I had a look at the brochure. In the fine print it appears to me to say that packets per second are measured with 500 byte packets but this number is multiplied by 1500 [byte packets] to get throughput. Ergo, it cannot be achieved. Did I misread?
Quote:
All measurements are based upon TCP traffic unless stated otherwise. Total Firewall Throughput is calculated based on system utilisation and port-to-port performance test in full duplex. Maximum PPS is measured using 100 byte packets. IPS performance is measured using ET Open and standard 1500 byte package size. SSL VPN is measured using AES256GCM16+SHA512. Concurrent sessions are based upon memory available, where one state consumes 1KB of memory and 1GB of memory is reserved for system tasks. Latency is measured as an average over 60 seconds.
PPS is measured with 100B size, this is to measure the performance and include small sized packets. Basically to see how much MAX pps you can route/switch before you see a performance degradation.
The throughput figure does not mention what packet size or tool was used for measurement. But I would guess they used default L3 MTU size (1500B).
Regards,
S.
Quote from: Seimus on February 26, 2026, 10:36:54 AM
Honestly I think you cant actually get 10G ~ wirerate.
I think so too based on personal experience with Dedicated Hosting/Server Rental setups in the past :
- Standard speed 1 x 10 Gbps = 6,5 Gbps effectively.
- Standard speed 2 x 10 Gbps in LACP with Layer 3+4 Hashing = 13 Gbps effectively.
Only one special customer who did a lot of optimizing on their own reached about 8 to 8,5 Gbps on a single 10 Gbps connection.
And he used OpenBSD instead of Debian/Ubuntu/CentOS/Gentoo which other customers were using most of the time !!
NIC brands varied from Intel to Mellanox to whatever a lot of various HPE 1x10 Gbps and 2x10 Gbps models were using at the time...
All of them only had SFP+ ports by the way!
So this sounds logical IMHO :
Quote:
Firewall Throughput - 10Gbps = BackPlane
Firewall Port to Port Throughput - 8.5Gbps = Throughput per single 10G NIC
Realistically speaking the MAX you should get is 8.5G, but that will heavily depend on your implementations.
:)
Quote from: Seimus on February 26, 2026, 11:50:35 AM
PPS is measured with 100B size, this is to measure the performance and include small sized packets. Basically to see how much MAX pps you can route/switch before you see a performance degradation.
Throughput does not have mentioned what packet size or tool was used for measurement. But I would guess they used default L3 MTU size (1500B).
Regards,
S.
I see it says different things in different brochures from different periods. This came from a DEC 700 Series brochure:
Quote:
Maximum PPS is measured using 100 byte sized packages. All throughput numbers are based upon maximum packets per second multiplied by standard 1514byte frame size minus additional overhead where applicable
the clear implication being that they took the 100 byte rate and multiplied it by ~1500. I mentioned 500 bytes because that rather than 100 is in the DEC 600 Series brochure.
This is generally consistent with what is being reported here.
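The arithmetic behind the brochure wording quoted above, as an added example that is not part of the original posts or of any Deciso material: it multiplies the published packet rates by the 1514-byte frame size and converts the speeds reported in this thread back to packet rates. The function names are made up for this example, and the conversion of reported speeds assumes every frame is full-size.

```python
# Added example, not code from the thread or the vendor.
FRAME_BYTES = 1514  # frame size named in the quoted DEC 700 Series brochure text

# Published figures as quoted in the thread: name -> (packets/s, claimed Gbps)
PUBLISHED = {
    "Firewall Throughput": (830_000, 10.0),
    "Firewall Port to Port Throughput": (719_000, 8.5),
}

# Speeds reported by posters in this thread, in Gbps
REPORTED = {"ou1, after tuning": 6.2, "ou1, with Netflow": 5.0}


def gbps_from_pps(pps, frame_bytes=FRAME_BYTES):
    """Throughput in Gbit/s implied by a packet rate at one frame size."""
    return pps * frame_bytes * 8 / 1e9


def pps_for_gbps(gbps, frame_bytes=FRAME_BYTES):
    """Packet rate needed to carry a throughput at one frame size."""
    return gbps * 1e9 / (frame_bytes * 8)


def check_published():
    """Recompute each published throughput from its published packet rate."""
    return {
        name: (claimed, round(gbps_from_pps(pps), 2))
        for name, (pps, claimed) in PUBLISHED.items()
    }


def reported_as_pps():
    """Convert reported speeds to packet rates (assumes full-size frames)."""
    return {who: round(pps_for_gbps(g)) for who, g in REPORTED.items()}


if __name__ == "__main__":
    for name, (claimed, derived) in check_published().items():
        print(f"{name}: claimed {claimed} Gbps, pps x 1514 B = {derived} Gbps")
    # The same packet rate carrying the 100-byte test packets themselves
    print(f"830 Kpps of 100-byte packets = {gbps_from_pps(830_000, 100):.3f} Gbps")
    for who, pps in reported_as_pps().items():
        print(f"{who}: about {pps / 1000:.0f} Kpps at 1514-byte frames")
```

Both published throughput figures come out within a few percent of packet rate times 1514 bytes, while the speeds reported in the thread correspond to packet rates below the published 719 Kpps.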
Yeah, not arguing; as time went on they improved and adjusted their testing methodology.
But as it stands now, per the provided benches, it's not possible to get 10G wirerate for this model.
Regards,
S.