Messages - itnorm

#1
Thanks for your reply.
I was merely giving some assumptions upon which to base a rough estimate of users, i.e. flat network and what each typical user was doing at any one time.  This should simplify how to make sense of the fw/hw numbers, e.g. 3 million concurrent connections.

Why then do fw/hw companies spec out multiple concurrent connections if it doesn't represent anything realistic as far as what a firewall can handle for users?

I never intend to provide a fw for that many users, just wanting to have a way to look at the published numbers and be relatively certain it will work in the network of interest.
#2
(duplicate)
#3
Thanks for your reply.  I'm assuming you're for Deciso.  I've been looking at their appliances.  Specifically, the DEC675. That says it can do 3 million concurrent connections.  How many users would that translate into?  And how many apps would that mean?  I know there is no perfect number or average user, but roughly?

It seems unlikely it can handle a million users or even 100,000 at 30 connections per user.

I'm interested in what it could do with a flat network and say each user has 1 video running and 10 open tabs for 1 browser.
#4
Does running iperf3 with the -P option qualify as 'multiple concurrent connections'?  And if so, how is that translated or used with OPNsense?
#5
Are you saying "multiple concurrent connections" for OPNsense or for iperf?

If it's iperf, here it is for a -P of 4 and 8 and just showing the last section:
C:\Users\Owner\Desktop\iperf-3.1.3-win64\iperf-3.1.3-win64>iperf3 -c nyfiosspeed4.west.verizon.net -P 4
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   100 MBytes  84.3 Mbits/sec                  sender
[  4]   0.00-10.00  sec   100 MBytes  84.3 Mbits/sec                  receiver
[  6]   0.00-10.00  sec   101 MBytes  84.4 Mbits/sec                  sender
[  6]   0.00-10.00  sec   101 MBytes  84.4 Mbits/sec                  receiver
[  8]   0.00-10.00  sec   100 MBytes  84.3 Mbits/sec                  sender
[  8]   0.00-10.00  sec   100 MBytes  84.3 Mbits/sec                  receiver
[ 10]   0.00-10.00  sec   100 MBytes  84.2 Mbits/sec                  sender
[ 10]   0.00-10.00  sec   100 MBytes  84.2 Mbits/sec                  receiver
[SUM]   0.00-10.00  sec   402 MBytes   337 Mbits/sec                  sender
[SUM]   0.00-10.00  sec   402 MBytes   337 Mbits/sec                  receiver

C:\Users\Owner\Desktop\iperf-3.1.3-win64\iperf-3.1.3-win64>iperf3 -c nyfiosspeed4.west.verizon.net -P 8
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec  52.1 MBytes  43.7 Mbits/sec                  sender
[  4]   0.00-10.00  sec  52.1 MBytes  43.7 Mbits/sec                  receiver
[  6]   0.00-10.00  sec  56.1 MBytes  47.1 Mbits/sec                  sender
[  6]   0.00-10.00  sec  56.1 MBytes  47.1 Mbits/sec                  receiver
[  8]   0.00-10.00  sec  47.1 MBytes  39.5 Mbits/sec                  sender
[  8]   0.00-10.00  sec  47.1 MBytes  39.5 Mbits/sec                  receiver
[ 10]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  sender
[ 10]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  receiver
[ 12]   0.00-10.00  sec  24.2 MBytes  20.3 Mbits/sec                  sender
[ 12]   0.00-10.00  sec  24.2 MBytes  20.3 Mbits/sec                  receiver
[ 14]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  sender
[ 14]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  receiver
[ 16]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  sender
[ 16]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  receiver
[ 18]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  sender
[ 18]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  receiver
[SUM]   0.00-10.00  sec   404 MBytes   339 Mbits/sec                  sender
[SUM]   0.00-10.00  sec   404 MBytes   339 Mbits/sec                  receiver
#6
If my internet is 300/300 Mbps, shouldn't the iperf results be around 300Mbps?  And the fact that the results are the same with and without the fw is why you are saying the uplink is the limiting factor?
#7
I've measured the speed thru several browser apps and it is not any less than if the fw's services were all off.  Both d/l and u/l speeds are > 300Mbps either with or without OPNsense.  iperf3 speed is the same between a machine without the fw and a machine with the fw.

pmhausen: I'm not sure what you meant by:
"If network throughput measured with iperf3 can max out your uplink bandwidth, the number of internal users is really not that important. In most cases you will be limited by your uplink."

here are some numbers in case that helps:

w/ the fw:
C:\Users\Owner\Desktop>iperf3 -c nyfiosspeed4.west.verizon.net
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
[  4] local 192.168.1.101 port 54150 connected to 206.124.86.196 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  15.5 MBytes   130 Mbits/sec
[  4]   1.00-2.01   sec  17.2 MBytes   145 Mbits/sec
[  4]   2.01-3.00   sec  17.4 MBytes   146 Mbits/sec
[  4]   3.00-4.00   sec  17.5 MBytes   147 Mbits/sec
[  4]   4.00-5.00   sec  17.2 MBytes   145 Mbits/sec
[  4]   5.00-6.00   sec  17.4 MBytes   146 Mbits/sec
[  4]   6.00-7.00   sec  17.0 MBytes   143 Mbits/sec
[  4]   7.00-8.01   sec  17.5 MBytes   146 Mbits/sec
[  4]   8.01-9.01   sec  17.2 MBytes   145 Mbits/sec
[  4]   9.01-10.00  sec  17.2 MBytes   145 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   171 MBytes   144 Mbits/sec                  sender
[  4]   0.00-10.00  sec   171 MBytes   144 Mbits/sec                  receiver

w/o the fw:
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
[  4] local 10.3.3.153 port 37583 connected to 206.124.86.196 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  15.4 MBytes   129 Mbits/sec
[  4]   1.00-2.00   sec  17.2 MBytes   144 Mbits/sec
[  4]   2.00-3.01   sec  17.2 MBytes   144 Mbits/sec
[  4]   3.01-4.00   sec  15.9 MBytes   134 Mbits/sec
[  4]   4.00-5.00   sec  17.1 MBytes   144 Mbits/sec
[  4]   5.00-6.00   sec  17.2 MBytes   145 Mbits/sec
[  4]   6.00-7.00   sec  17.0 MBytes   143 Mbits/sec
[  4]   7.00-8.00   sec  17.2 MBytes   145 Mbits/sec
[  4]   8.00-9.00   sec  17.4 MBytes   146 Mbits/sec
[  4]   9.00-10.01  sec  17.2 MBytes   144 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.01  sec   169 MBytes   142 Mbits/sec                  sender
[  4]   0.00-10.01  sec   169 MBytes   142 Mbits/sec                  receiver

(had trouble finding public iperf servers that would do a test)
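An added example, not part of the original posts: a small parser for the iperf3 summary rows quoted above that checks whether the run through the firewall is slower than the baseline and whether going from `-P 4` to `-P 8` still raises the aggregate. The function names and the 5% tolerance are assumptions chosen for illustration.

```python
import re

# End-of-run summary rows of iperf3 text output; per-second rows lack sender/receiver.
ROW = re.compile(r"^\[\s*(SUM|\d+)\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+\w+\s+"
                 r"([\d.]+)\s+([KMG])bits/sec\s+(sender|receiver)\s*$")
SCALE = {"K": 1e-3, "M": 1.0, "G": 1e3}

def receiver_mbps(text):
    """Aggregate receiver rate in Mbit/s: the [SUM] row if present, else per-stream rows added up."""
    streams, total = 0.0, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(4) != "receiver":
            continue
        rate = float(m.group(2)) * SCALE[m.group(3)]
        if m.group(1) == "SUM":
            total = rate
        else:
            streams += rate
    if total is None and streams == 0.0:
        raise ValueError("no receiver summary rows found")
    return total if total is not None else streams

def change_pct(baseline, measured):
    """Signed change of measured against baseline, in percent."""
    return (measured - baseline) / baseline * 100.0

def firewall_limits(with_fw, without_fw, tolerance_pct=5.0):
    """True only if the run through the firewall is slower than the baseline beyond tolerance."""
    return change_pct(receiver_mbps(without_fw), receiver_mbps(with_fw)) < -tolerance_pct

def plateaued(fewer_streams, more_streams, tolerance_pct=5.0):
    """True if adding parallel streams no longer raises the aggregate beyond tolerance."""
    return change_pct(receiver_mbps(fewer_streams), receiver_mbps(more_streams)) <= tolerance_pct

# Rows copied from the iperf3 runs quoted in the posts above (one per-second row kept as noise).
WITH_FW = """[  4]   9.01-10.00  sec  17.2 MBytes   145 Mbits/sec
[  4]   0.00-10.00  sec   171 MBytes   144 Mbits/sec                  sender
[  4]   0.00-10.00  sec   171 MBytes   144 Mbits/sec                  receiver"""
WITHOUT_FW = """[  4]   0.00-10.01  sec   169 MBytes   142 Mbits/sec                  sender
[  4]   0.00-10.01  sec   169 MBytes   142 Mbits/sec                  receiver"""
P4 = "[SUM]   0.00-10.00  sec   402 MBytes   337 Mbits/sec                  receiver"
P8 = "[SUM]   0.00-10.00  sec   404 MBytes   339 Mbits/sec                  receiver"

if __name__ == "__main__":
    print("firewall limits throughput:", firewall_limits(WITH_FW, WITHOUT_FW))
    print("1 -> 4 streams plateaued:", plateaued(WITH_FW, P4))
    print("4 -> 8 streams plateaued:", plateaued(P4, P8))
```

Throughput parity of this kind says nothing about state-table capacity (the concurrent-connections figure on a datasheet), which a handful of iperf3 streams does not exercise.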
#8
Thanks for your reply.
Presently the hw+OPNsense is only connected to 1 device.  I have no way of knowing if it can handle 5 users or 10 or 25 or more or only 1.  I do see that the d/l and u/l speeds are the same in comparison to when there wasn't a fw to go thru and I do have all the services enabled that I believe to be sufficient.  It certainly doesn't seem right to just install the fw at a client and hope it performs to their satisfaction.  And I can't keep tweaking the services until all are happy (majority of clients are not ok with some period of adjustment).  I'd like to know beforehand, at least roughly.  Do you mean to say that is how it is typically done?  Install it and then adjust for acceptable performance?  The performance may be terrible right away and no amount of adjustment would prove to be worthwhile.  Perhaps JMeter?
#9
Is there some way of doing this?  I'm thinking that prior to putting my Protectli VP2410 (with m.2 128GB storage and 8GB ram) there might be a way to see if it can handle a certain number of users.  Maybe ramp up the numbers of users and with varying traffic simulated to see what sort of environment it can handle.  I know this would be a rough approximation, but right now I don't have any idea.
#10
Thanks for those.  I wasn't able to do those changes since a new error line (same content) was continually appearing on the console output.  I could not use SSH either (maybe I should have tried the com connection on the Protectli for ssh access?).

I did a factory reset.

The Zenarmor plugin was already installed after the factory reset without me downloading and installing it.  I went thru the wizard and the interface LAN(igb0) was already on the right-side as a selected interface for protection.  It seems the settings from my previous wizard run were also not erased with a factory reset.  After this wizard run, Zenarmor appears to be working.
#11
I am coming up to speed with OPNsense and I just have a Protectli box with 1 machine connected to the LAN.  After going thru the Zenarmor wizard (chose all defaults with a free edition at the end), now no internet (the machine is still connected to 192.168.1.1) on the machine and cannot connect to the browser page of OPNsense.  There are no other pkgs or plugins installed.  I am getting this continually on the console:
(some numbers) [4022] net_transmit    igb0 drop mbuf that needs checksum offload

Ran rm -f /usr/local/sensei/etc/.configdone as root and nothing changed.

Zenarmor looks to be the right package going forward for me.