Casual Firewall / VPN benchmarking

Wednesday, 08. 12. 2009  –  Category: vague

Two datacentres, each with a pair of 2.5GHz Xeon firewalls running OpenBSD. Benching with iperf yielded the following:

  • Between firewall pair, LAN

    [ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec
    [ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec
    [ 3] 0.0-10.0 sec 1017 MBytes 853 Mbits/sec

  • Firewall to firewall between DCs, outside VPN, no PF

    [ 3] 0.0-10.0 sec 1.02 GBytes 873 Mbits/sec
    [ 3] 0.0-10.0 sec 992 MBytes 832 Mbits/sec
    [ 3] 0.0-10.0 sec 986 MBytes 827 Mbits/sec

  • Firewall to remote internal host, outside VPN, through PF NAT (rdr)

    [ 3] 0.0-10.0 sec 260 MBytes 218 Mbits/sec
    [ 3] 0.0-10.0 sec 202 MBytes 170 Mbits/sec
    [ 3] 0.0-12.3 sec 333 MBytes 228 Mbits/sec

  • Internal host to internal host, over IPsec VPN (ESP), through PF

    [ 3] 0.0-10.1 sec 43.9 MBytes 36.4 Mbits/sec
    [ 3] 0.0-10.1 sec 26.2 MBytes 21.8 Mbits/sec
    [ 3] 0.0-11.3 sec 28.0 MBytes 20.8 Mbits/sec

  • Internal host to internal host, over OpenVPN, through PF

    [ 3] 0.0-10.0 sec 161 MBytes 134 Mbits/sec
    [ 3] 0.0-10.0 sec 144 MBytes 121 Mbits/sec
    [ 3] 0.0-10.0 sec 145 MBytes 121 Mbits/sec

Care was taken to use optimal ciphers and an appropriate MTU / MSS, and the TCP stack was tuned throughout.

  • IPsec really hurts without hardware acceleration
  • There’s a surprisingly large hit for just NAT
  • Neither VPN technology can make use of the multiple cores available to it
  • OpenVPN’s speed is appealing, but it lacks the smooth route to high availability that IPsec on OpenBSD gets from CARP + pfsync + sasync
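To put numbers on the bullets above, here is an added Python example (my own code, not from the original post) that parses the iperf 2 summary lines quoted in it, expresses each scenario's mean throughput as a percentage of the LAN baseline, and cross-checks every line by recomputing the rate from the transferred bytes and the interval, so a mistyped or truncated log line is flagged before it turns into a conclusion. The scenario names and the 2 % tolerance are my own choices; the regex also accepts iperf's wider column spacing.

```python
import re
from statistics import mean

# Constructed input: the iperf 2 client summary lines quoted in the post, one list per scenario.
RESULTS = {
    "lan": ["[ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec",
            "[ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec",
            "[ 3] 0.0-10.0 sec 1017 MBytes 853 Mbits/sec"],
    "wan_nopf": ["[ 3] 0.0-10.0 sec 1.02 GBytes 873 Mbits/sec",
                 "[ 3] 0.0-10.0 sec 992 MBytes 832 Mbits/sec",
                 "[ 3] 0.0-10.0 sec 986 MBytes 827 Mbits/sec"],
    "nat": ["[ 3] 0.0-10.0 sec 260 MBytes 218 Mbits/sec",
            "[ 3] 0.0-10.0 sec 202 MBytes 170 Mbits/sec",
            "[ 3] 0.0-12.3 sec 333 MBytes 228 Mbits/sec"],
    "ipsec": ["[ 3] 0.0-10.1 sec 43.9 MBytes 36.4 Mbits/sec",
              "[ 3] 0.0-10.1 sec 26.2 MBytes 21.8 Mbits/sec",
              "[ 3] 0.0-11.3 sec 28.0 MBytes 20.8 Mbits/sec"],
    "openvpn": ["[  3]  0.0-10.0 sec    161 MBytes    134 Mbits/sec",
                "[  3]  0.0-10.0 sec    144 MBytes    121 Mbits/sec",
                "[  3]  0.0-10.0 sec    145 MBytes    121 Mbits/sec"],
}
# iperf 2 prints transfer sizes in binary units (1 MByte = 1024**2 B) and rates in decimal units.
LINE_RE = re.compile(r"\[\s*\d+\]\s+([\d.]+)-([\d.]+)\s+sec\s+([\d.]+)\s+([KMG])Bytes"
                     r"\s+([\d.]+)\s+([KMG])bits/sec")
BYTE_UNIT = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
BIT_UNIT = {"K": 1e3, "M": 1e6, "G": 1e9}

def parse_report(line):
    """Return the printed Mbit/s and the rate recomputed from bytes / interval."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"not an iperf report line: {line!r}")
    start, end, nbytes, bunit, rate, runit = m.groups()
    derived = float(nbytes) * BYTE_UNIT[bunit] * 8 / (float(end) - float(start)) / 1e6
    return {"reported_mbps": float(rate) * BIT_UNIT[runit] / 1e6, "derived_mbps": derived}

def summarize(results=RESULTS, baseline="lan", tolerance=0.02):
    """Mean rate per scenario as a percentage of the baseline; 'consistent' is False when
    any row's recomputed rate differs from the printed one by more than `tolerance`."""
    parsed = {name: [parse_report(l) for l in lines] for name, lines in results.items()}
    base = mean(r["reported_mbps"] for r in parsed[baseline])
    out = {}
    for name, rows in parsed.items():
        avg = mean(r["reported_mbps"] for r in rows)
        ok = all(abs(r["derived_mbps"] - r["reported_mbps"]) <= tolerance * r["reported_mbps"]
                 for r in rows)
        out[name] = {"mean_mbps": round(avg, 1), "pct_of_baseline": round(100 * avg / base, 1),
                     "consistent": ok}
    return out
```

On the post's figures `summarize()` reports IPsec at about 3 % of the LAN baseline, OpenVPN at about 15 % and plain PF NAT at about 24 %, with every row passing the consistency check.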
