Hi!

I am trying to relate an OpenBSD firewall's performance in accepting new
connections per second to that of commercial products (for example the
FortiGate 800C literature says 190k, SonicWall 6600 90k). I would like
you to comment on what the correct way of doing this would be, and also
what the, so to say, common results for other users are.

My test firewall is OpenBSD amd64 v. 5.3 on a Dell PowerEdge 320 (12
cores, 24G RAM, 4x1G Intel quad port network adapter). It has a very
basic pf configuration, essentially letting some TCP connections through
like so

pass in quick on $if_ext to 10.184.41.179 tag TO_HTTP
pass out quick on $if_int tagged TO_HTTP

and the pf state limit set to 1M. It does no NAT or synproxy.

My network setup contains two decent Linux computers on one side doing
HTTP requests with weighttp, and on the other side two Linux computers
answering HTTP requests with nginx.

Using the same subnet I estimated that in my setup one weighttp could
generate about 23k connections per second (one HTTP request is 9-10 IP
packets, and every request uses a separate TCP connection):

# /root/bin/weighttp -n 40000000 -c 100 -t 4 http://10.184.41.179/

And one nginx could answer about 30k requests per second.

The first round was OpenBSD acting as a router with the packet filter
switched off. I am not sure, but it seems I hit a ceiling at around 50k
new connections per second (and around 290 kpps incoming packets), since

# netstat -I em0 -w 1

starts to show some errors there.

The second round was with the packet filter switched on, and the maximum
seems to be around 25k new connections per second (is my understanding
correct that inserts (in this case divided by two) is a good measure for
that?)

# pfctl -Fi; sleep 10; pfctl -si | grep -A 4 "State Table"
pf: statistics cleared
State Table                          Total             Rate
  current entries                   466621               
  searches                         4239544       423954.4/s
  inserts                           497542        49754.2/s
  removals                          502588        50258.8/s

During these tests I noticed systat says interrupts were at around 18k
(equally split, over 8k each at em0 and em1), but otherwise the firewall
was responsive, i.e. the command line was usable, load was low, etc.

I would be thankful if you could comment on this test setup and kindly
share similar results if you have done that kind of test yourselves. But
most importantly, I would like to know which indicators I should rather
be looking at, and which relevant tunables I could change to get more new
connections per second.


Best regards,
Imre
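The measurement the post describes (flush the pf counters, wait, read the "inserts" rate from `pfctl -si` and divide by the number of states one connection creates) can be scripted so that repeated runs are comparable. The script below is an added example, not part of the original post; the `pfctl -si` sample it parses is a constructed copy of the numbers shown above, and the divisor `STATES_PER_CONN=2` is the poster's assumption (two states per connection, one per interface), not something the script verifies. The number of states one TCP connection creates depends on the state policy (floating states, the default, versus `set state-policy if-bound`), so before trusting the divisor, open a known number of connections and count them with `pfctl -ss | wc -l`.

```shell
#!/bin/sh
# Added example (not from the original post): derive new connections per
# second from the "inserts" rate printed by `pfctl -si`.
# ASSUMPTION: STATES_PER_CONN is the number of pf states one TCP connection
# creates in the ruleset under test (the poster assumes 2); check it with
# `pfctl -ss | wc -l` against a known number of open connections.
STATES_PER_CONN=2

# Constructed sample of `pfctl -si` output (figures copied from the post),
# used so the parser can be exercised without a pf host.
SAMPLE_PFCTL='State Table                          Total             Rate
  current entries                   466621
  searches                         4239544       423954.4/s
  inserts                           497542        49754.2/s
  removals                          502588        50258.8/s'

# conn_rate <states-per-conn>: reads `pfctl -si` output on stdin and prints
# the estimated new connections per second as an integer. If the insert and
# removal rates differ by more than 10% the state table is growing or
# draining, so the sample interval was not in steady state; warn on stderr.
conn_rate() {
    awk -v spc="$1" '
        $1 == "inserts"  { ins = $3 }
        $1 == "removals" { rem = $3 }
        END {
            if (ins == "" || spc <= 0) { print "no inserts rate found" > "/dev/stderr"; exit 1 }
            sub(/\/s$/, "", ins); sub(/\/s$/, "", rem)
            ins += 0; rem += 0
            if (rem > 0 && (ins > rem * 1.1 || rem > ins * 1.1))
                printf "warning: inserts %.1f/s vs removals %.1f/s, not steady state\n", ins, rem > "/dev/stderr"
            printf "%d\n", ins / spc
        }'
}

# measure_live <seconds>: the procedure from the post, as one function.
# Clears the pf info counters, waits, then converts the inserts rate.
# Needs root on the OpenBSD host under test; not runnable elsewhere.
measure_live() {
    pfctl -Fi >/dev/null
    sleep "$1"
    pfctl -si | conn_rate "$STATES_PER_CONN"
}

# Example run against the constructed sample; prints 24877 for the
# post's figures (49754.2 inserts/s divided by 2).
demo() {
    printf '%s\n' "$SAMPLE_PFCTL" | conn_rate "$STATES_PER_CONN"
}
```

Run `measure_live 10` on the firewall during the weighttp run and compare the number with the requests per second weighttp itself reports and with the packet counters from `netstat -I em0 -w 1`; the three figures should agree to within a few percent once the divisor is right.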
