My old setup was:
VDSL modem -> pfSense on mini J1900 Celeron (2 GHz) -> Cisco SG300 10MPP switch -> Ruckus R310 wifi -> Laptop
Current setup:
Fiber modem -> pfSense on mini J1900 Celeron (2 GHz) -> Cisco SG300 10MPP switch -> Ruckus R310 wifi -> Laptop
Today I got my 1 GBit fiber installed (a big deal for those like me living in rural areas), only to discover that my current network setup is not allowing me to benefit from it.
I was on VDSL copper wire before and was probably in the region of 50-60 MBit/s with the setup above. Even when removing the wifi bottleneck and linking with Cat5 UTP cable directly to the switch, I’m not getting major improvements.
When I got the fiber installed this morning I was disappointed to see only a marginal gain, running at 80 MBit/s (c. +30 MBit). So I decided to connect the laptop via LAN cable directly to the modem. I got a startling 900 MBit/s. So, somewhere along my network I have bottlenecks.
The first one I tested was my little pfSense machine. I installed the speedtest-cli command and was surprised to find that it was giving me around 300 MBit/s. So a lot better than my laptop on its usual wifi connection, but still only 33% of what I get directly off the modem.
So my first question is: how can it be that my little mini J1900 Celeron (2 GHz) with 4 GB RAM cannot handle this bandwidth? Do I need an upgrade for my pfSense machine? I noticed that the peak CPU demand while speedtest-cli was running was in the 60% region, far from a saturated CPU, and RAM was only about 30% occupied. If it is my little pfSense machine, how far do I have to go to find the right little machine that can handle 1 GBit/s?
The next question is: if I’m getting 300 MBit/s on the WAN connection of the pfSense machine, how is it that I only see a small percentage of this on my laptop, i.e. a drop from 300 MBit/s to 80 MBit/s? I guess I would have to test the switch first and then move on to the wifi access points …
The question is what you do with your pfSense. IDS/IPS are quite CPU hungry and Celerons are not really fast CPUs.
peak CPU demand as speedtest-cli was running was in the 60% region, far from a saturated CPU and RAM only occupied for about 30%
It doesn’t look like he’s bound by CPU.
And he is currently at 1/3 of the potential speed, and 3*60% = 180% CPU load for 1 Gbit/s. So I wouldn’t even bother troubleshooting further when you already know the hardware will be an issue sooner or later.
That assumes that all of the 60% is for pushing packets, which is almost certainly not the case.
True. But since OP is using a benchmark anyway, I don’t know how close to real world that is. If they are doing lots of filesharing, let’s say with P2P networks, it could be way worse because of the number of connections. So I agree with you - I was just working with the info I had :)
That Pentium is a budget CPU from just over 10 years ago. It has PCIe 2.0. Maybe the “gigabit” ethernet is connected to the CPU by a single 500Mbit PCIe lane.
PCIe 2.0 is 500 MB/s per lane, it’s not going to limit the speed. That CPU certainly doesn’t have enough power to run something heavy like IDS at 1gbps though.
What can the network cards support?
Yes, e.g. rpi3b+ has gigabit ethernet, but it’s only 300Mbit, because it’s connected via usb2 internally. Something similar can be the culprit here as well.
Check what drop you get connecting the wifi modem directly to the router. There is usually a massive drop from wired to wifi.
Have you checked all the ethernet links are actually connected at 1G and not 100M?
Yes, checked, and they are all on the 1000M (1G) link.
By the way OP, similar but worse is the ability to handle 25Gbits. But someone made a working router for that as well and CPU was also a factor: https://michael.stapelberg.ch/posts/2022-04-23-fiber7-25gbit-upgrade/
Another piece of the puzzle is probably your WiFi router, as you normally won’t get speeds near 1Gbps over WiFi. In order to benefit maximally from it, you need to connect your devices (laptops, stationary PC, TV, etc.) with a cable to get the most of it.
You should also try to disable some pfSense plugins, like OpenVPN, zenArmor, etc. as they will severely limit your bandwidth throughput. But as others said, most likely you will also need to upgrade your hardware box, and you can migrate to OPNsense while at it.
CPU and RAM are not the only limiting factors. Not only that, but not everything runs multithreaded. Maybe some piece of the puzzle is not multithreaded and is using all it can from a single core (assuming that CPU is multi-core).
Depending on how much you value your time, you’re almost certainly better off getting a new machine to run pfsense.
Might be pfsense? My little J1900 box running Ubuntu Server gets 920Mbps.
I have been using similar hardware setups in A LOT of installations. This is mostly an issue with the pfSense hardware. There’s a lot of decent options around $200, mostly focus on getting a modern CPU (if it supports AES-NI there’s a good chance it will be fine). A lot of them have 2.5g nics these days too.
Sadly, the SG300 line is also getting pretty old. In recent years I’m seeing more and more issues with them, especially in the models with PoE. The SG350 is even EOS now, with the CBS350 being the current one.
I’m also now using the R610 as the absolute minimum Ruckus AP. I was using the R510 for a long time, but the R610 has noticeable improvements.
Any thoughts on a good little fanless device that I can use as a pfSense machine that has a reasonable CPU? I would just swap the SSD from my current device to the new one and it should all work nicely.
I had to upgrade my pfSense hardware when I got fiber several years ago, which was a similar situation to yours. The CPU just couldn’t handle the connection table.
J1900 has no hardware switch. Every packet goes through CPU, so even LAN to LAN uses processing power. Add pfsense to the mix and it’s probably choking.