OPNsense Forum

English Forums => Hardware and Performance => Topic started by: bhawk on February 02, 2018, 12:09:35 pm

Title: aes 256 performance
Post by: bhawk on February 02, 2018, 12:09:35 pm
Hello
Have lanner 8759. Testing out aes 256 performance
config at both ends:
Mode: Main
P1 protocol: aes 256 and sha1
p2 protocol: esp and sha1

I am getting throughput of about 420 Mbps (measured through iperf)
I was wondering if this is good on a xeon e3-1275 processor?
Also it supports aes ni, does that get enabled by default or has to be enabled via bios?
Lastly, are there any tunables that I can play around with to increase performance, since my CPU utilization hardly gets up to 15%?
Title: Re: aes 256 performance
Post by: elektroinside on February 02, 2018, 12:24:06 pm
The info is very vague, nobody could approximate an answer...
How are you testing the throughput?
Describe a little your server/client environment, your link/connection details etc.
Title: Re: aes 256 performance
Post by: elektroinside on February 02, 2018, 12:50:13 pm
For example:

Code:
PS C:\iperf-3.1.3-win64> .\iperf3.exe -c xxx.xxx.xxx.xxx -p 61747
Connecting to host xxx.xxx.xxx.xxx, port 61747
[  4] local xxx.xxx.xxx.xxx port 21242 connected to xxx.xxx.xxx.xxx port 61747
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  12.9 MBytes   108 Mbits/sec
[  4]   1.00-2.00   sec  13.1 MBytes   110 Mbits/sec
[  4]   2.00-3.00   sec  13.4 MBytes   112 Mbits/sec
[  4]   3.00-4.00   sec  13.5 MBytes   113 Mbits/sec
[  4]   4.00-5.00   sec  13.5 MBytes   113 Mbits/sec
[  4]   5.00-6.00   sec  13.5 MBytes   113 Mbits/sec
[  4]   6.00-7.00   sec  13.2 MBytes   111 Mbits/sec
[  4]   7.00-8.00   sec  13.4 MBytes   112 Mbits/sec
[  4]   8.00-9.00   sec  13.5 MBytes   113 Mbits/sec
[  4]   9.00-10.00  sec  12.8 MBytes   107 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   133 MBytes   111 Mbits/sec                  sender
[  4]   0.00-10.00  sec   133 MBytes   111 Mbits/sec                  receiver

iperf Done.
PS C:\iperf-3.1.3-win64> .\iperf3.exe -c xxx.xxx.xxx.xxx -p 3398
Connecting to host xxx.xxx.xxx.xxx, port 3398
[  4] local xxx.xxx.xxx.xxx port 21385 connected to xxx.xxx.xxx.xxx port 3398
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  13.0 MBytes   109 Mbits/sec
[  4]   1.00-2.00   sec  13.2 MBytes   111 Mbits/sec
[  4]   2.00-3.00   sec  13.1 MBytes   110 Mbits/sec
[  4]   3.00-4.00   sec  13.2 MBytes   111 Mbits/sec
[  4]   4.00-5.00   sec  13.4 MBytes   112 Mbits/sec
[  4]   5.00-6.00   sec  13.4 MBytes   112 Mbits/sec
[  4]   6.00-7.00   sec  13.1 MBytes   110 Mbits/sec
[  4]   7.00-8.00   sec  13.0 MBytes   109 Mbits/sec
[  4]   8.00-9.00   sec  13.0 MBytes   109 Mbits/sec
[  4]   9.00-10.00  sec  13.2 MBytes   111 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   132 MBytes   111 Mbits/sec                  sender
[  4]   0.00-10.00  sec   132 MBytes   110 Mbits/sec                  receiver

iperf Done.

Environment:
- two computers, same ISP, different locations, different link types and speeds

The test:
- the first test is without any encrypted tunnels
- the second is with an AES 512 encrypted tunnel
- the lowest link speed of the two matches the AES encryption throughput as well, as it is low enough not to max out the CPU, meaning I could never get a higher throughput because I don't have an internet connection between the two high enough

And this is just a simple test between two machines over the internet. Both tests initiated from the same machine.

But, in order to max out your CPU, try a LAN test, with and without encryption.

If you're using Windows clients as well, you might consider this software (SG TCP Optimizer) to tweak general TCP/IP performance of your clients: https://www.speedguide.net/downloads.php
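
The baseline-versus-tunnel comparison described in the post above, as an added example that is not part of the original post: a parser for the iperf3 summary lines that classifies a run as link-bound or tunnel-bound. The function names and the 5% tolerance are assumptions made for this example; the sample lines are copied from the two runs above.

```python
import re

# Summary lines copied from the two iperf3 runs in the post above.
BASELINE = """\
[  4]   0.00-10.00  sec   133 MBytes   111 Mbits/sec                  sender
[  4]   0.00-10.00  sec   133 MBytes   111 Mbits/sec                  receiver
"""
TUNNEL = """\
[  4]   0.00-10.00  sec   132 MBytes   111 Mbits/sec                  sender
[  4]   0.00-10.00  sec   132 MBytes   110 Mbits/sec                  receiver
"""

# Only the end-of-run summary lines carry a sender/receiver role;
# the per-second interval lines do not and are skipped.
SUMMARY = re.compile(
    r"^\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+\w+\s+"
    r"(?P<rate>[\d.]+)\s+(?P<unit>[KMG]?)bits/sec\s+(?P<role>sender|receiver)\s*$",
    re.MULTILINE,
)
SCALE = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}  # everything to Mbit/s


def summary_mbps(output):
    """Return {'sender': Mbit/s, 'receiver': Mbit/s} from iperf3 client output."""
    rates = {m["role"]: float(m["rate"]) * SCALE[m["unit"]]
             for m in SUMMARY.finditer(output)}
    if set(rates) != {"sender", "receiver"}:
        raise ValueError("iperf3 summary lines not found (run incomplete?)")
    return rates


def compare(baseline_out, tunnel_out, tolerance=0.05):
    """Classify the tunnel run against the clear-text baseline.

    tolerance is an assumed threshold: a tunnel within 5% of the baseline
    is treated as limited by the link, so the run says nothing about the
    CPU's encryption ceiling.
    """
    base = summary_mbps(baseline_out)["receiver"]
    tun = summary_mbps(tunnel_out)["receiver"]
    ratio = tun / base
    verdict = "link-bound" if ratio >= 1 - tolerance else "tunnel-bound"
    return {"baseline_mbps": base, "tunnel_mbps": tun,
            "ratio": round(ratio, 3), "verdict": verdict}


if __name__ == "__main__":
    print(compare(BASELINE, TUNNEL))
```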

Title: Re: aes 256 performance
Post by: mimugmail on February 02, 2018, 04:05:15 pm
You get best and most secure results with Ike V2, aes128 gcm, sha256 and DH24
Title: Re: aes 256 performance
Post by: elektroinside on February 02, 2018, 04:49:24 pm
Most secure is relative :)

Nowadays, there's a recipe for which one to use where:
- for site to site, you will typically deploy IPSec
- for remote, you will typically deploy an SSL VPN (OpenVPN for example)

There's some good reasoning behind this. If you travel a lot, IPSec might be useless as it is blocked most of the time, whereas you can configure OpenVPN over HTTPS (TCP port 443) which is almost never blocked.

Accessibility, in this case, is more important than performance.
Title: Re: aes 256 performance
Post by: bhawk on February 03, 2018, 09:58:11 am
Apologies for not sharing topology.
Since this is out of curiosity more than anything, I have connected 2 firewalls back to back. Figure is attached.
VPN details shared already. Iperf server is hosted on 192.168.2.2, client from 192.168.3.2. Both PCs running windows 7
Title: Re: aes 256 performance
Post by: mimugmail on February 03, 2018, 12:48:15 pm
Then choose the values I posted earlier :)
Title: Re: aes 256 performance
Post by: bhawk on February 04, 2018, 08:00:28 am
Performance at the cost of security is not the purpose :)
Title: Re: aes 256 performance
Post by: mimugmail on February 04, 2018, 09:56:04 am
Then you should not use SHA1?!  :o
Title: Re: aes 256 performance
Post by: slemoal@tiscom.fr on February 09, 2018, 11:26:40 am
Your perf is correct.

The downside to OpenVPN is that in its current architecture, it is not scalable. It runs as a monolithic process and cannot run multi-threaded. This means that if you have a beefy processor with 8 cores OpenVPN will use 1 of them.

If you want to compare with other Lanner models, I did a perf test.
http://www.calexium.com/produits/tests-de-performance.html#T3
 
Title: Re: aes 256 performance
Post by: bhawk on February 12, 2018, 04:16:26 pm

http://calexium.com/produits/tests-de-performance.html#T3

Link is wrong? please recheck
Title: Re: aes 256 performance
Post by: slemoal@tiscom.fr on February 16, 2018, 12:22:23 pm
link is ok :)
Title: Re: aes 256 performance
Post by: elektroinside on February 16, 2018, 01:46:25 pm
link is ok :)

Not really...
Title: Re: aes 256 performance
Post by: Ciprian on February 19, 2018, 01:38:41 pm
Me too, not really, link is like elektroinside's one
Title: Re: aes 256 performance
Post by: slemoal@tiscom.fr on March 01, 2018, 06:48:00 pm
https://www.calexium.com/fr/produits/tests-de-performance.html
and now?
Title: Re: aes 256 performance
Post by: franco on March 01, 2018, 07:29:45 pm
Yes, works now.