Throughput Getting Crushed

Started by fakebizprez, May 01, 2025, 10:57:20 AM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
May 30, 2025, 06:57:46 PM #15
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
May 31, 2025, 02:05:56 PM #16
Quote from: Seimus on May 30, 2025, 06:57:46 PMhttps://docs.opnsense.org/troubleshooting/performance.html#receive-side-scaling
Wow. Interesting..........

So there's three options: RSS, Unpin CPU, & push logs to remote database, correct?
Founder & President of linehaul.ai - a logistics and technology services provider.
June 01, 2025, 11:17:51 AM #17
Correct,

I use RSS + CPU unpin for like 2y without problem and having ~ 1.7G is much better than 1G as I need high throughput for interVLAN communication rather than LAN to WAN.

Moving elastic or other DB type depending what you use to a remote one can lift the performance too cause it will not eat into the FWs resources.

And one last tip, depending on your deployment of ZA, always deploy it on the Parent interface not per interface. Each single interface spans additional eastpect process. Meaning I use a LAGG on which I have dozen of VLANs, I do not run ZA on those VLANs I run it on the LAGG. Thus I have only single eastpect process.

Iperf test --- InterVLAN only = 1668Mbit/s
4 different host, cross InterVLAN combined at the same time. This is post RSS + unpin CPU in ZA

Code Select
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-60.04  sec  5.57 GBytes   797 Mbits/sec  691            sender
[  5]   0.00-60.00  sec  5.56 GBytes   797 Mbits/sec                  receiver

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-60.00  sec  6.09 GBytes   871 Mbits/sec  989             sender
[  5]   0.00-60.00  sec  6.08 GBytes   871 Mbits/sec                  receiver

Regards,
S.

Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
June 02, 2025, 04:05:24 AM #18
OK, that's great information, man, I'm going to have to copy/paste this in my workspace. My company is scattered throughout the globe, and there's zero humans on my LAN, aside from me, so I was considering just putting it on WG0 (wireguard) because I'm hosting a fairly substantial VPN server. They're the ones that need the protection of a NGFW the most.
Founder & President of linehaul.ai - a logistics and technology services provider.
June 02, 2025, 10:07:50 AM #19
Quote from: fakebizprez on June 02, 2025, 04:05:24 AMso I was considering just putting it on WG0 (wireguard)
You can do that, ZA works on WG tunnels as well if you created it as an Interface and assigned it.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
Print
Go Up Pages 1 2
User actions