Hi,
my friends at Landitec – OPNsense Platinum Partner – send me one of their SMB flagships, the scope7 1510!
I quickly reactivated my old lab and started testing the performance, as my last one was based on a really old OPNsense version (based on BSD11) which is know to work faster than everything upwards.
The specs from a standard scope7 1510 are:
Intel(R) Atom(TM) CPU C3558 @ 2.20GHz (4 cores)
8192 MB RAM
30 GB SSD
6 RJ45 Ports (Fiber option available), where 2 are igb and 4 are ix drivers
Both scope are directly connected and on each side sits a Debian running iperf
As usual I ran iperf only on the systems behind and NEVER .. EVER .. iperf on OPNsense itself!!!
It’s a fresh 21.1 64bit install, updated to 21.1.6, no tuning.
Server:
iperf3 -V -p 5000 -f m -s
Client:
iperf3 -p 5000 -f m -V -c 10.0.2.10 -t 180 -P 10 (-R)
Forwarding with floating rule all accept.
Without NAT, HW Offloading disabled (1 and 10 streams):
940Mbit up / 940Mbit down
With NAT, HW Offloading disabled:
940Mbit up / 940Mbit down
CPU at 20% / Load at 0.80 (with NAT 35%, Load at 1.10)
With IPS enabled (96743 rules)
230Mbit up / 290Mbit down
40% CPU / Load at 1.40
Now with VPN (no IPS):
IPsec IKEv2 AES256GCM 620Mbit up/down (60%, 2.0 Load)
IPsec IKEv2 AES256 without GCM 400Mbit up/down (60%, 2.0 Load)
WireGuard 900Mbit up/down (85% CPU, 3.0 Load) Kernel-variant
WireGuard 390Mbit up/down (85% CPU, 3.0 Load) Go-variant
As you can see the device gives you enough power for transfering at high rates and also WireGuard delivers quite impressive rates with the kernel implementation.
Next tests will include ntopng Pro and nprobe Pro to add NGFW features to OPNsense!