Simulating a variable number of users connected

Started by itnorm, December 09, 2022, 04:50:08 PM

Is there some way of doing this?  I'm thinking that prior to putting my Protectli VP2410 (with m.2 128GB storage and 8GB ram) there might be a way to see if it can handle a certain number of users.  Maybe ramp up the numbers of users and with varying traffic simulated to see what sort of environment it can handle.  I know this would be a rough approximation, but right now I don't have any idea.

Rough estimates might come from the current amount of traffic that a typical user generates. Measure the base load (CPU/RAM/Network) with the firewall idle, and measure again with varying numbers of typical users to see how it ramps up, then extrapolate to the limit of your resources.

Problems are of course:

  • There is no such entity as a typical user
  • Your firewall may not be the bottleneck
  • Usage patterns may be erratic

If you are in a home setting then the best strategy would be to start with a basic NAT firewall and add features (IDS/IPS particularly) until the pain gets too much, then take it back a notch. If you are in a corporate environment, get your bean counters to shell out for Loadrunner (other load simulators are available).

Bart...

Thanks for your reply.
Presently the hw+OPNSense is only connected to 1 device.  I have no way of knowing if it can handle 5 users or 10 or 25 or more or only 1.  I do see that the d/l and u/l speeds are the same in comparison to when there wasn't a fw to go thru and I do have all the services enabled that I believe to be sufficient.  It certainly doesn't seem right to just install the fw at a client and hope it performs to their satisfaction.  And I can't keep tweaking the services until all are happy (majority of clients are not ok with some period of adjustment).  I'd like to know beforehand, at least roughly.  Do you mean to say that is how it is typically done?  Install it and then adjust for acceptable performance?  The performance may be terrible right away and no amount of adjustment would prove to be worthwhile.  Perhaps JMeter?

You can simulate a large number of concurrent HTTP(S) sessions with tools like Gatling or Apache JMeter.

Both will need a serious investment of time to familiarize yourself with their workings.

https://gatling.io
https://jmeter.apache.org

OTOH in most configurations OPNsense does not do that much at the application level. If network throughput measured with iperf3 can max out your uplink bandwidth, the number of internal users is really not that important. In most cases you will be limited by your uplink.

Only if you intend to run Suricata or Zenarmor, you might want to measure throughput with the tools mentioned.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

If you have clients then you owe it to them to provide a credible route to live, IMHO.

You could build a test system and measure the resource use as I outlined. Recruit testers (e.g. students) to help create real traffic. See if some customers want to do user acceptance testing for an initially reduced fee.

These are very common approaches and align with formal frameworks such as ITIL https://en.wikipedia.org/wiki/ITIL and TOGAF https://www.opengroup.org/togaf

They are dull as dishwater and likely much more than you need, but worth keeping in mind even at smaller scale.

Bart...

Or simply buy hardware matching your specs. :-)

All Deciso appliances have throughput and concurrent session numbers specified.

I've measured the speed thru several browser apps and it is not any less than if the fw's services were all off.  Both d/l and u/l speeds are > 300Mbps either with or without OPNsense.  iperf3 speed is the same between a machine without the fw and a machine with the fw.

pmhausen: I'm not sure what you meant by:
"If network throughput measured with iperf3 can max out your uplink bandwidth, the number of internal users is really not that important. In most cases you will be limited by your uplink."

here are some numbers in case that helps:

w/ the fw:
C:\Users\Owner\Desktop>iperf3 -c nyfiosspeed4.west.verizon.net
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
[  4] local 192.168.1.101 port 54150 connected to 206.124.86.196 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  15.5 MBytes   130 Mbits/sec
[  4]   1.00-2.01   sec  17.2 MBytes   145 Mbits/sec
[  4]   2.01-3.00   sec  17.4 MBytes   146 Mbits/sec
[  4]   3.00-4.00   sec  17.5 MBytes   147 Mbits/sec
[  4]   4.00-5.00   sec  17.2 MBytes   145 Mbits/sec
[  4]   5.00-6.00   sec  17.4 MBytes   146 Mbits/sec
[  4]   6.00-7.00   sec  17.0 MBytes   143 Mbits/sec
[  4]   7.00-8.01   sec  17.5 MBytes   146 Mbits/sec
[  4]   8.01-9.01   sec  17.2 MBytes   145 Mbits/sec
[  4]   9.01-10.00  sec  17.2 MBytes   145 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   171 MBytes   144 Mbits/sec                  sender
[  4]   0.00-10.00  sec   171 MBytes   144 Mbits/sec                  receiver

w/o the fw:
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
[  4] local 10.3.3.153 port 37583 connected to 206.124.86.196 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  15.4 MBytes   129 Mbits/sec
[  4]   1.00-2.00   sec  17.2 MBytes   144 Mbits/sec
[  4]   2.00-3.01   sec  17.2 MBytes   144 Mbits/sec
[  4]   3.01-4.00   sec  15.9 MBytes   134 Mbits/sec
[  4]   4.00-5.00   sec  17.1 MBytes   144 Mbits/sec
[  4]   5.00-6.00   sec  17.2 MBytes   145 Mbits/sec
[  4]   6.00-7.00   sec  17.0 MBytes   143 Mbits/sec
[  4]   7.00-8.00   sec  17.2 MBytes   145 Mbits/sec
[  4]   8.00-9.00   sec  17.4 MBytes   146 Mbits/sec
[  4]   9.00-10.01  sec  17.2 MBytes   144 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.01  sec   169 MBytes   142 Mbits/sec                  sender
[  4]   0.00-10.01  sec   169 MBytes   142 Mbits/sec                  receiver

(had trouble finding public iperf servers that would do a test)

You are seeing what Patrick predicted; speed is limited by your WAN, not by the firewall resources.

If my internet is 300/300 Mbps, shouldn't the iperf results be around 300Mbps?  And the fact that the results are the same with and without the fw is why you are saying the uplink is the limiting factor?


Try to use multiple concurrent connections.

Are you saying "multiple concurrent connections" for OPNsense or for iperf?

If it's iperf, here it is for a -P of 4 and 8 and just showing the last section:
C:\Users\Owner\Desktop\iperf-3.1.3-win64\iperf-3.1.3-win64>iperf3 -c nyfiosspeed4.west.verizon.net -P 4
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   100 MBytes  84.3 Mbits/sec                  sender
[  4]   0.00-10.00  sec   100 MBytes  84.3 Mbits/sec                  receiver
[  6]   0.00-10.00  sec   101 MBytes  84.4 Mbits/sec                  sender
[  6]   0.00-10.00  sec   101 MBytes  84.4 Mbits/sec                  receiver
[  8]   0.00-10.00  sec   100 MBytes  84.3 Mbits/sec                  sender
[  8]   0.00-10.00  sec   100 MBytes  84.3 Mbits/sec                  receiver
[ 10]   0.00-10.00  sec   100 MBytes  84.2 Mbits/sec                  sender
[ 10]   0.00-10.00  sec   100 MBytes  84.2 Mbits/sec                  receiver
[SUM]   0.00-10.00  sec   402 MBytes   337 Mbits/sec                  sender
[SUM]   0.00-10.00  sec   402 MBytes   337 Mbits/sec                  receiver

C:\Users\Owner\Desktop\iperf-3.1.3-win64\iperf-3.1.3-win64>iperf3 -c nyfiosspeed4.west.verizon.net -P 8
Connecting to host nyfiosspeed4.west.verizon.net, port 5201
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec  52.1 MBytes  43.7 Mbits/sec                  sender
[  4]   0.00-10.00  sec  52.1 MBytes  43.7 Mbits/sec                  receiver
[  6]   0.00-10.00  sec  56.1 MBytes  47.1 Mbits/sec                  sender
[  6]   0.00-10.00  sec  56.1 MBytes  47.1 Mbits/sec                  receiver
[  8]   0.00-10.00  sec  47.1 MBytes  39.5 Mbits/sec                  sender
[  8]   0.00-10.00  sec  47.1 MBytes  39.5 Mbits/sec                  receiver
[ 10]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  sender
[ 10]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  receiver
[ 12]   0.00-10.00  sec  24.2 MBytes  20.3 Mbits/sec                  sender
[ 12]   0.00-10.00  sec  24.2 MBytes  20.3 Mbits/sec                  receiver
[ 14]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  sender
[ 14]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  receiver
[ 16]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  sender
[ 16]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  receiver
[ 18]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  sender
[ 18]   0.00-10.00  sec  56.0 MBytes  47.0 Mbits/sec                  receiver
[SUM]   0.00-10.00  sec   404 MBytes   339 Mbits/sec                  sender
[SUM]   0.00-10.00  sec   404 MBytes   339 Mbits/sec                  receiver

For iperf.

Does running iperf3 with the -P option qualify as 'multiple concurrent connections'?  And if so, how is that translated or used with OPNsense?

December 19, 2022, 09:49:55 PM #14 Last Edit: December 19, 2022, 09:51:30 PM by pmhausen
If you run only a single connection with iperf you cannot use the full bandwidth of your uplink. As you have proven yourself, as soon as you use multiple connections you get ~ 300 Mbit/s. You can expect a similar throughput through your OPNsense but probably not for a single isolated stream.

I thought you were concerned about multiple users, not a single connection?

You can run iperf from an internal system to some system on the Internet and try a hundred or so to simulate your concurrent users. OPNsense will probably easily deal with that unless your hardware is severely limited.
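The stream ramp discussed in this thread can be scripted so that each run is reduced to one number and the point where the link saturates is found automatically. This is an added example, not code from any poster; the function names `aggregate_mbps`, `knee` and `run_iperf3` are chosen here, and the parser assumes the iperf3 text format shown in the posts above.

```python
import re
import subprocess

# Final "receiver" rows of iperf3 text output, e.g.
# [SUM]   0.00-10.00  sec   402 MBytes   337 Mbits/sec      receiver
ROW = re.compile(r"^\[\s*(SUM|\d+)\]\s+\S+\s+sec\s+\S+\s+\w+\s+"
                 r"([\d.]+)\s+([KMG]?)bits/sec\s+receiver\s*$")
TO_MBIT = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}

def aggregate_mbps(report):
    """Receiver-side total in Mbit/s: the [SUM] row, else per-stream rows added up."""
    total, streams = None, 0.0
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # interval rows and sender rows are ignored
        rate = float(m.group(2)) * TO_MBIT[m.group(3)]
        if m.group(1) == "SUM":
            total = rate
        else:
            streams += rate
    if total is None and streams == 0.0:
        raise ValueError("no receiver summary found; did the test complete?")
    return total if total is not None else streams

def knee(results, tolerance=0.05):
    """Smallest stream count whose throughput is within `tolerance` of the best run."""
    best = max(results.values())
    return min(n for n, mbps in results.items() if mbps >= best * (1 - tolerance))

def run_iperf3(server, streams, seconds=10):
    """Run one test; needs iperf3 on PATH and a server you are allowed to load."""
    cmd = ["iperf3", "-c", server, "-P", str(streams), "-t", str(seconds)]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Summary rows trimmed from the three runs posted in this thread.
THREAD_RUNS = {
    1: "[  4]   0.00-10.00  sec   171 MBytes   144 Mbits/sec                  receiver",
    4: "[ 10]   0.00-10.00  sec   100 MBytes  84.2 Mbits/sec                  receiver\n"
       "[SUM]   0.00-10.00  sec   402 MBytes   337 Mbits/sec                  receiver",
    8: "[SUM]   0.00-10.00  sec   404 MBytes   339 Mbits/sec                  receiver",
}

def thread_results():
    return {n: aggregate_mbps(text) for n, text in THREAD_RUNS.items()}

if __name__ == "__main__":
    results = thread_results()
    for n, mbps in sorted(results.items()):
        print(f"{n:>3} streams: {mbps:6.1f} Mbit/s")
    print("link saturates at about", knee(results), "streams")
```

To ramp against a live server, feed `run_iperf3(server, n)` into `aggregate_mbps` for each stream count and watch CPU load on the firewall during each run; a plateau with the firewall CPU mostly idle points at the uplink, not the firewall.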