IPSec Performance of pfSense Firewall Appliance
IPSec performance is one of the deciding factors in choosing a firewall appliance. The 1.5 GHz Pentium-M Mars pfSense appliance showed the best 3DES throughput, 51 Mbps. The Core2Duo Jupiter is expected to outperform the Mars. For AES and AES256 encryption, the VIA C7 systems with their Padlock ACE hardware encryption engine (the Phoenix UNO, the Mercury and the Mercury Brik) shone at 46, 57 and 67 Mbps, respectively.
Testing Methodology
The Hacom pfSense appliances were running pfSense version 1.2.1 loaded on a 1 GB CompactFlash card. The relevant specifications of the tested systems follow.
| Specifications | Phoenix UNO | Mercury Brik | Mercury | UNO Intel N270 | Mars |
|---|---|---|---|---|---|
| CPU | 500 MHz VIA C7 | 1.5 GHz VIA C7 | 1 GHz VIA C7 | 1.6 GHz Intel Atom N270 | 1.5 GHz Pentium-M |
| Memory | 1 GB DDR2 RAM | 1 GB DDR2 RAM | 1 GB DDR2 RAM | 1 GB DDR2 RAM | 1 GB DDR RAM |
| Ethernet | 3 x 10/100 Realtek RTL8100B | 3 x 10/100 Realtek RTL8100B | 3 x Intel Gigabit | 3 x Realtek RTL8111C Gigabit | 4 x Intel Gigabit |
| pfSense version | 1.2.3 | 1.2.3 | 1.2.3 | 1.2.3 | 1.2.3 |
To test IPsec performance, the pfSense device established IPsec tunnels through its WAN port to a Debian GNU/Linux Lenny server. The server was an Intel quad-core Q6600 with 3 GB of memory. It ran the iperf server, which was used to measure the throughput. A Gigabit OpenBrick-E VIA C7 connected to the LAN port of the pfSense device ran the iperf client.
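The measurement loop described above, as an added example that is not Hacom's or the pfSense project's own tooling: a POSIX shell script that runs the iperf v2 client against the server behind the far end of the tunnel, normalises the reported bandwidth to Mbit/s, computes how much of the raw throughput the tunnel costs (the comparison the results table makes), and reads the ESP SA byte counters from `setkey -D` (ipsec-tools, which pfSense 1.2.x and Debian Lenny use) before and after a run so that a number measured while traffic silently bypassed the tunnel is caught rather than reported as IPsec throughput. The server address 192.0.2.10, the `RUN_LIVE` switch, the function names and the exact `current: N(bytes)` line format of `setkey -D` are assumptions; the iperf lines embedded at the bottom are constructed samples so the parsing runs offline.

```shell
#!/bin/sh
# Added example (not Hacom's or the pfSense project's code): throughput probe
# through an IPsec tunnel with a tunnel-usage check.
# Assumptions: iperf v2 on both ends, "iperf -s" running on the server behind
# the far tunnel end (192.0.2.10 is a placeholder), this client on the pfSense LAN.
set -u

SERVER="${SERVER:-192.0.2.10}"   # placeholder address of the iperf server
DURATION=30                      # seconds per probe

# Extract the final bandwidth figure from iperf v2 client output and
# normalise it to Mbit/s whatever unit iperf chose (-f k/m/g or auto).
iperf_mbps() {
    awk '
        /bits\/sec/ { val = $(NF-1); unit = $NF }
        END {
            if (unit ~ /^Kbits/) val = val / 1000
            else if (unit ~ /^Gbits/) val = val * 1000
            printf "%.1f\n", val
        }'
}

# One throughput probe; -f m keeps the output in Mbit/s for the parser.
probe() {
    iperf -c "$SERVER" -t "$DURATION" -f m 2>/dev/null | iperf_mbps
}

# Percentage of the raw throughput lost inside the tunnel (awk does the float math).
overhead_pct() {
    awk -v raw="$1" -v tun="$2" 'BEGIN { printf "%.1f\n", (raw - tun) * 100 / raw }'
}

# Sum the per-SA byte counters from "setkey -D" output. The line format
# "current: N(bytes)" is assumed from ipsec-tools' SA dump. Sample it before
# and after a probe: if the counter did not grow by roughly the bytes iperf
# transferred, the traffic did not traverse the tunnel and the figure is
# plaintext, not IPsec, throughput.
sa_bytes() {
    awk '/^[[:space:]]*current:.*\(bytes\)/ { sub(/\(bytes\).*/, "", $2); total += $2 }
         END { print total + 0 }'
}

# Constructed iperf v2 client output standing in for a live run.
SAMPLE_IPERF='[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-30.0 sec   298 MBytes  83.3 Mbits/sec'

# Offline demonstration on the constructed sample.
printf 'parsed: %s Mbit/s\n' "$(printf '%s\n' "$SAMPLE_IPERF" | iperf_mbps)"
printf 'overhead of 8.3 Mbit/s vs 88.5 Mbit/s raw: %s%%\n' "$(overhead_pct 88.5 8.3)"

# Live run (needs the tunnel up and root for setkey): RUN_LIVE=1 sh probe.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    before=$(setkey -D | sa_bytes)
    tun=$(probe)
    after=$(setkey -D | sa_bytes)
    printf 'tunnel: %s Mbit/s, ESP SA bytes grew by %s\n' "$tun" "$((after - before))"
fi
```

Run the raw probe once with the tunnel's security policy removed and once with it in place, and feed both figures to `overhead_pct`; the SA byte delta is the check that distinguishes the two cases when the policy was only thought to be in place.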
Results
The raw iperf throughput without the IPsec tunnel was 87 Mbps (megabits per second) for the UNO and Brik, and more than 300 Mbps for the Gigabit Ethernet Mercury and Mars. It is believed that the raw throughput could be higher than 300 Mbps if a different Gigabit Ethernet system, such as the Lex Neo VIA C7 or Lex Neo Celeron-M, were used as the iperf client instead of the OpenBrick-E VIA C7. The following table shows the other results.
| IPSec Throughput | Phoenix UNO (500 MHz VIA C7) | Mercury Brik (1.5 GHz VIA C7) | Mercury (1 GHz VIA C7) | UNO Intel N270 (1.6 GHz Intel Atom) | Mars (1.5 GHz Pentium-M) |
|---|---|---|---|---|---|
| Raw (no encryption) | 88.5 Mbps [1] | 87.4 Mbps [1] | 250.0 Mbps [2] | 300.0 Mbps [2] | 340.0 Mbps [2] |
| 3DES | 8.3 Mbps | 21.3 Mbps | 14.8 Mbps | 18 Mbps | 51 Mbps [3] |
| Blowfish | 15.6 Mbps | 35.3 Mbps | 25.5 Mbps | 27 Mbps | 57 Mbps |
| AES | 44 Mbps | 67 Mbps | 56 Mbps | 23 Mbps | 60 Mbps |
| AES256 | 45 Mbps | 67 Mbps | 56 Mbps | 23 Mbps | 58 Mbps |
Notes:
[1] Limited by the 10/100 Ethernet in the testing systems.
[2] Gigabit Ethernet in the testing systems.
[3] Revised on 4/24/10. The old number of 41 Mbps belongs to the 600 MHz Celeron-M system.
The best 3DES tunnel throughput was obtained with the 1.5 GHz Pentium-M Mars at 51 Mbps. The Blowfish-encrypted tunnel showed throughput ranging from 15 Mbps to 57 Mbps, depending solely on CPU performance. Since Padlock accelerates only the AES algorithm, it is on the AES tunnels that the VIA C7 shone, at almost 67 Mbps.
Conclusions
The IPSec performance was studied to aid in selecting the appropriate firewall appliance. For the VIA C7 with its built-in hardware encryption/decryption engine, the AES and AES256 tunnel throughput was exceptional, much better than that of the higher-performance Dothan Pentium-M.
Since most small and medium businesses have a broadband Internet feed of less than 10 Mbps, the Phoenix UNO seems more than adequate for their applications. For enterprises with Internet throughput of up to 100 Mbps, either the Gigabit Ethernet Mercury or the Mars would suffice.
