Slower download speeds but acceptable upload speeds

Started by Raptcha, November 24, 2023, 12:39:44 PM

Previous topic - Next topic
November 24, 2023, 12:39:44 PM Last Edit: November 24, 2023, 12:43:59 PM by Raptcha
Hello,

I am running the latest version of OPNSense (23.7.9) on a Zimaboard 432 and I just installed and setup Zenarmor on the WAN interface. I have a 1gbps internet connection (~940 mbps down and up) .
However, I am seeing a drop in download speed after setting up Zenarmor. I am getting ~600mbps on download but upload is around 920 mbps. Doing a top -P shows me that only one core is mostly used during downloads but upload uses around 3 cores. What could be wrong here?

My Zenarmor configurations -

  • Deployment mode - Routed Mode (L3 Mode, Reporting + Blocking) with native netmap driver
  • Do not pin engine packet processors to dedicated CPU cores - Unchecked
  • Protected interfaces - Only one (WAN interface)
  • Reporting Database - Local MongoDB

November 24, 2023, 12:56:07 PM #1 Last Edit: November 24, 2023, 01:10:04 PM by almodovaris
AFAIK Zenarmor is not meant to protect the WAN interface.

You could get Gigabit Zenamor if the frequency of your processor is above 2 GHz (preferably 2.4 GHz or better). Since Zenarmor (eastpect) is supposed to go multicore in the near future, the needed CPU frequency will be even lower.

E.g. I have a N100 Intel CPU and I get Gigabit Zenarmor. That is a device with two Ethernet ports and 16 MB RAM for less than 200 Euro.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

Quote from: almodovaris on November 24, 2023, 12:56:07 PM
AFAIK Zenarmor is not meant to protect the WAN interface.
I am actually setting this up for my home network. So my main requirement is to protect all connected devices from attacks and intrusion. So I assumed I should be protecting the WAN interface since that is where the internet traffic comes in. Should it be the LAN interface instead? (Apologies for the noobish question)

Quote from: almodovaris on November 24, 2023, 12:56:07 PM
You could get Gigabit Zenamor if the frequency of your processor is above 2 GHz (preferably 2.4 GHz or better). Since Zenarmor (eastpect) is supposed to go multicore in the near future, the needed CPU frequency will be even lower.
What do you mean by Gigabit Zenarmor? Is it Gigabit speeds using Zenarmor?
My device has an Intel Celeron N3450 (2.2GHz Boost clock). My confusion is that its just the download speed that is taking the hit. I guess I could just wait for that multi-core update for Zenarmor.

BTW, which is the device that you have? $200 seems like a good price for that kind of performance.

I tried setting the protected interface to just the LAN interface and both my download and upload speeds are now at ~530 mbps  :-X . CPU utilization shows just one core being maxed out and the rest are barely used.


Hi,

Sure, I am running OPNSense on a Zimaboard 432 with Intel Celeron N3450 Quad Core (1.1 GHz Base and 2.2GHz Boost), 4GB LPDDR4 RAM, 32GB eMMC Storage. I'm using local Mongo DB as the reporting backend for Zenarmor

https://shop.zimaboard.com/products/zimaboard-single-board-server?variant=39283928432838

Hi,

The performance of a CPU's single core is crucial in determining the throughput that Zenarmor can handle. To ensure compatibility, please refer to the hardware requirements for information on throughput and user size.

For Zenarmor to handle a throughput of 1Gbps, it is recommended to have a single-thread rating of approximately 1500.
For more details, you can visit the following link: [Hardware Requirements](https://www.zenarmor.com/docs/introduction/hardware-requirements)

However, the current single-thread score of the Celeron CPU is relatively low.

To check the single-thread score of the current Celeron CPU, you can refer to this link: [Celeron CPU Score](https://www.cpubenchmark.net/cpu.php?cpu=Intel+Celeron+N3450+%40+1.10GHz&id=2907)