Casual Firewall / VPN benchmarking

Wednesday, 12. 08. 2009  –  Category: vague

Two datacentres, each with a pair of 2.5GHz Xeon firewalls running OpenBSD. Benching with iperf yielded the following:

  • Between firewall pair, LAN

    [ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec
    [ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec
    [ 3] 0.0-10.0 sec 1017 MBytes 853 Mbits/sec

  • Firewall to firewall between DCs, outside VPN, no PF

    [ 3] 0.0-10.0 sec 1.02 GBytes 873 Mbits/sec
    [ 3] 0.0-10.0 sec 992 MBytes 832 Mbits/sec
    [ 3] 0.0-10.0 sec 986 MBytes 827 Mbits/sec

  • Firewall to remote internal host, outside VPN, through PF NAT (rdr)

    [ 3] 0.0-10.0 sec 260 MBytes 218 Mbits/sec
    [ 3] 0.0-10.0 sec 202 MBytes 170 Mbits/sec
    [ 3] 0.0-12.3 sec 333 MBytes 228 Mbits/sec

  • Internal host to internal host, over IPsec VPN (ESP), through PF

    [ 3] 0.0-10.1 sec 43.9 MBytes 36.4 Mbits/sec
    [ 3] 0.0-10.1 sec 26.2 MBytes 21.8 Mbits/sec
    [ 3] 0.0-11.3 sec 28.0 MBytes 20.8 Mbits/sec

  • Internal host to internal host, over OpenVPN, through PF

    [  3]  0.0-10.0 sec    161 MBytes    134 Mbits/sec
    [  3]  0.0-10.0 sec    144 MBytes    121 Mbits/sec
    [  3]  0.0-10.0 sec    145 MBytes    121 Mbits/sec

Care was taken to use optimal ciphers, appropriate MTU / MSS and the TCP stack was tuned throughout.

  • IPsec really hurts without hardware acceleration
  • There’s a surprisingly large hit for just NAT
  • Neither VPN technologies can benefit from the multiple cores available to them
  • OpenVPN’s speed is appealing, but it lacks the smooth route to high availability of CARP + pfsync + sasync of IPsec on OpenBSD

Leave a Reply