LAN vs WAN speed differences

Started by Raptcha, November 24, 2023, 03:58:56 PM

Hello,

I have a 1 Gbps (~940 Mbps) internet connection. I am testing Zenarmor on my OPNsense installation and I see a lot of difference in speedtest results between running Zenarmor on LAN vs WAN. WAN is almost always faster (almost the full speed). On LAN, I only get about 550 Mbps.
What are the differences between running it on WAN vs LAN interfaces?

Are your interfaces compatible with Netmap?
Is your LAN interface a different model than your WAN interface perhaps?

They are both Realtek 8111H 1GbE ports. I believe they are compatible with netmap. I have tried both netmap native and netmap emulated. They are mostly the same results.

Hi,

Have you installed the os-realtek plugin? Could you please provide the specifications for your CPU and RAM?

Thank you for responding. Yes I have already installed the realtek plugin. Without it, the connection keeps dropping for me.

Sure, I am running OPNsense on a Zimaboard 432 with Intel Celeron N3450 Quad Core (1.1 GHz Base and 2.2 GHz Boost), 4GB LPDDR4 RAM, 32GB eMMC Storage. I'm using a local MongoDB as the reporting backend for Zenarmor.

https://shop.zimaboard.com/products/zimaboard-single-board-server?variant=39283928432838

Even though the LAN speeds are almost half my real internet speed, the Zenarmor policies only work on this. Some of the blocks I have added in the policies section work if I'm running Zenarmor on WAN.

Hi,

The performance of a CPU's single core is crucial in determining the throughput that Zenarmor can handle. To ensure compatibility, please refer to the hardware requirements for information on throughput and user size.

For Zenarmor to handle a throughput of 1Gbps, it is recommended to have a single-thread rating of approximately 1500.
For more details, you can visit the following link: [Hardware Requirements](https://www.zenarmor.com/docs/introduction/hardware-requirements)

However, the current single-thread score of the Celeron CPU is relatively low.

To check the single-thread score of the current Celeron CPU, you can refer to this link: [Celeron CPU Score](https://www.cpubenchmark.net/cpu.php?cpu=Intel+Celeron+N3450+%40+1.10GHz&id=2907)

Hey @sy,

On the WAN interface, I get full upload speed and half download speed and none of the policies work. Should I not be running Zenarmor on WAN?

Hi,

The best practice is to protect the LAN interface on Zenarmor and the WAN interface on Suricata.


What does protecting the WAN interface do?
I ask because I thought protecting WAN would be the right way to filter incoming traffic through Zenarmor (To block sites, ads etc) but it turns out I need to be protecting LAN to do that.

Hi,

Your incoming traffic will also be inspected when routed to the destination host on your network if you protect all inner interfaces. But you can filter the WAN interface on Suricata or use Zenarmor in bridge mode.