Hello @misc,

We have an interesting problem; we run a lot of OpenBSD routers/firewalls in many places.

We have a larger network than our clients: 300-400 local wired or wireless endpoints, 20+ VLANs, 20+ switches.
Network structure:

 * Main switches - 2x Cisco Nexus 3k switches in HA mode (vPC, dedicated
   2x40Gbit peer link, keepalive link)
 * Access switches - 10+ Cisco 3750X with C3KX-SM-10G 10Gbit modules;
   some 3750Xs are stacked (2 or 3 switches)
 * Main and access switches have redundant 10Gbit fiber links (LACP)
 * Where possible, jumbo frames are enabled (MTU 9000)

Firewall/router:

 * 2x Dell 2950 - 2x Xeon X5460 (8 cores), 8GB memory, 2x10Gbit SFP+
   network card
 * Redundant design - CARP, pfsync, ifstated, etc.; master-backup
   configuration
 * HP NC550SFP network card, oce driver (MTU 9000)
 * The dual SFP+ ports have an LACP link to the Nexus switches (2x10Gbit
   access link), using an OpenBSD trunk interface
 * All VLANs use the OpenBSD vlan pseudo-device over the trunk interface
   (the VLAN interfaces do not have IP addresses, they are only up)
 * All network subnets are defined on CARP interfaces; only the management
   VLAN has an address on its VLAN interface
 * Some vether virtual interfaces for VPN, DNS, etc.
 * Some tun and tap interfaces for VPN
 * enc interface for IPsec
 * One bridge interface for OpenVPN (during termination)
 * OpenBSD 6.3, 64-bit

PF:

 * global block rule (block all)
 * ruleset-optimization none
 * optimization aggressive
 * reassemble no
 * block-policy drop
 * scrub enabled
 * antispoof enabled
 * Traffic between subnets is regulated with PF pass in/out rules
 * pf.conf is currently 1500+ lines
 * The number of connections in PF during the day is 10,000+

Problem:

We see that network traffic is limited to 1Gbit on the firewall. Not on one link, not IP-to-IP, but on the whole firewall!

Example:

 * I generate test traffic from VLAN 2 to VLAN 12 with iperf.
   The test PCs have 1Gbit Ethernet cards.
   Speed is okay, ~800Mbit/sec.
 * I generate another traffic flow from VLAN 2 to VLAN 20 with iperf, from
   other PCs (they also have 1Gbit Ethernet cards).
   Speed is not good! ~60-80Mbit/sec.
 * If I stop the first speed test (2->12), the second test's speed (2->20)
   is okay!
 * But if I test from completely different VLANs, 2->12 and 20->30, the
   result is the same.

This is a firewall (OpenBSD) limitation, but we don't understand why.

I know the OpenBSD VLAN interface has a speed problem; is this it?
I know it's very difficult to find the mistake from this information; what should we look at?

--
Regards,
Szél Gábor

WanTax Kft.
------------
tel.: +36 20 3838 171
fax: +36 82 357 585
email: gabor.s...@wantax.hu
web: http://wantax.hu
web: http://halozatom.hu

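One check worth making before blaming the VLAN driver, as an added example that is not part of the post above: PF keeps per-rule counters that `pfctl -vsr` prints, and with `ruleset-optimization none` and a non-`quick` catch-all `block` at the top, every packet that has no state entry walks most of a 1500-line ruleset. The Python below is my example, not the poster's code, and the `pfctl -vsr` output it parses is constructed, not taken from their firewall. It assumes the OpenBSD counter line format shown in the sample (`[ Evaluations: N Packets: N Bytes: N States: N ]`, optionally followed by an `[ Inserted: ... State Creations: N ]` line), and it reports how many rules an average ruleset lookup touches and which rules are evaluated most while matching least.

```python
"""Rank PF rules by evaluation cost from `pfctl -vsr` counters.

Added example for the thread above; it is not the poster's code or ruleset.
Assumption: the counter lines pfctl -vsr prints on OpenBSD,
"[ Evaluations: N  Packets: N  Bytes: N  States: N ]", optionally followed by
"[ Inserted: uid U pid P State Creations: N ]".
"""
import re
from dataclasses import dataclass

COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)
CREATIONS_RE = re.compile(r"State Creations:\s*(\d+)")

# Constructed sample output (not the poster's pf.conf): a non-quick catch-all
# block, a block rule that never matches, two stateful pass rules shaped like
# the iperf paths in the post, and a DNS rule.
SAMPLE_PFCTL_VSR = """\
block drop all
  [ Evaluations: 4200000   Packets: 1500      Bytes: 90000       States: 0     ]
  [ Inserted: uid 0 pid 8123 State Creations: 0     ]
block drop in on trunk0 inet from 10.0.0.0/8 to any
  [ Evaluations: 4200000   Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 8123 State Creations: 0     ]
pass in on vlan2 inet proto tcp from 10.2.0.0/24 to 10.12.0.0/24 port = 5001 flags S/SA
  [ Evaluations: 4198500   Packets: 3100000   Bytes: 4500000000  States: 12    ]
  [ Inserted: uid 0 pid 8123 State Creations: 40    ]
pass in on vlan2 inet proto tcp from 10.2.0.0/24 to 10.20.0.0/24 port = 5001 flags S/SA
  [ Evaluations: 1098500   Packets: 900000    Bytes: 1200000000  States: 4     ]
  [ Inserted: uid 0 pid 8123 State Creations: 16    ]
pass out on vlan12 inet proto udp from any to 10.12.0.53 port = 53
  [ Evaluations: 198000    Packets: 12000     Bytes: 960000      States: 30    ]
  [ Inserted: uid 0 pid 8123 State Creations: 6000  ]
"""


@dataclass
class RuleStats:
    text: str
    evaluations: int = 0
    packets: int = 0
    nbytes: int = 0
    states: int = 0
    state_creations: int = 0

    @property
    def matches(self) -> int:
        # "Packets" on a stateful pass rule also counts packets matched from the
        # state table, which never re-evaluate the ruleset, so state creations is
        # the better count of evaluations that actually matched. Rules that create
        # no states (block, or pass ... no state) fall back to the packet counter.
        return self.state_creations if self.state_creations else self.packets


def parse_pfctl_vsr(text: str) -> list:
    """Parse `pfctl -vsr` output: rule text in column 0, indented counter lines."""
    rules = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = RuleStats(text=line.strip())
            rules.append(current)
            continue
        if current is None:
            continue
        m = COUNTER_RE.search(line)
        if m:
            (current.evaluations, current.packets,
             current.nbytes, current.states) = (int(g) for g in m.groups())
            continue
        m = CREATIONS_RE.search(line)
        if m:
            current.state_creations = int(m.group(1))
    return rules


def ruleset_summary(rules) -> dict:
    """How much of the ruleset a typical ruleset lookup walks.

    Only packets without a state entry do a lookup. The most-evaluated rule is
    a lower bound on the number of lookups (a non-quick catch-all at the top is
    evaluated by every lookup), so total evaluations divided by it is the average
    number of rules each lookup touched; with `ruleset-optimization none` and no
    `quick`, that approaches the full rule count.
    """
    total = sum(r.evaluations for r in rules)
    lookups = max((r.evaluations for r in rules), default=0)
    never_matched = sum(1 for r in rules if r.evaluations and r.matches == 0)
    return {
        "rules": len(rules),
        "lookups": lookups,
        "avg_rules_per_lookup": total / lookups if lookups else 0.0,
        "never_matched": never_matched,
    }


def hot_rules(rules, top: int = 3) -> list:
    """Most-evaluated rules with the fraction of evaluations that did not match:
    the candidates to move up, mark `quick`, or fold into a table."""
    ranked = sorted(rules, key=lambda r: r.evaluations, reverse=True)  # stable
    out = []
    for r in ranked[:top]:
        wasted = 1.0 - (r.matches / r.evaluations) if r.evaluations else 0.0
        out.append((r.text, r.evaluations, round(wasted, 4)))
    return out


def main():
    rules = parse_pfctl_vsr(SAMPLE_PFCTL_VSR)
    s = ruleset_summary(rules)
    print(f"{s['rules']} rules, ~{s['lookups']} lookups, "
          f"{s['avg_rules_per_lookup']:.2f} rules evaluated per lookup, "
          f"{s['never_matched']} rule(s) never matched")
    for text, evals, wasted in hot_rules(rules):
        print(f"{evals:>9} evals  {wasted:6.1%} unmatched  {text}")


if __name__ == "__main__":
    main()
```

Feed it the real `pfctl -vsr` output instead of the sample to see how close the per-lookup figure is to the rule count; `set ruleset-optimization basic` (the OpenBSD default) and `quick` on the rules that carry the bulk traffic are the levers that lower it. This only measures ruleset cost, though: if `top -S` shows one CPU pinned in system or interrupt time while the others sit idle during the two iperf runs, the aggregate cap is more likely the serialized kernel forwarding path on that release (my assumption about 6.3, not something the post establishes), and trimming the ruleset only buys back headroom within that one core.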