Thomas-Krenn OPNsense Firewall Performance

The free firewall solution OPNsense can be used for a lot of different devices and server. To find the suitable hardware for your purpose, the systems are subject to comprehensive performance tests. This article shows tabular results of Thomas-Krenn Low Energy Server (LES) devices and further fanless devices. The chart is permanently expanded with more systems after testing. An overview for performance data of Rack server can also be found in Thomas-Krenn-Wiki.

Testing results

The following chart shows available results so far:

Setup of performance tests

The following table shows further components of firewall tests. The firewall, which should be tested, is always marked as firewall 2. To test the maximum performance, a server based on a Supermicro H12SSL-NT Mainboard was selected as performant remote station (Firewall Site 1):

Benchmark tools

The performance tests were made with iperf.

• iperf was started with the following command on the server page: iperf -p 5000 -f m -s
• The client page connected with the following command to the iperf server: iperf -p 5000 -f m -c <IP-de-Servers> -t 180 -P 10
• The load on the firewalls was measured on the firewalls: "vmstat -w 180 -c 2"

Upload test

To simulate an upload test, client mode was started on Client Site 2. On Client Site 1, iperf was started with the parameter -s in server mode.

Download test

The directions were reversed for a download test and Client Site 1 was started as client via parameter -c as client and Client Site 2 with -s in server mode.

Test runs

In general, the values in the charts are to be regarded as average values from up to 10 runs. In some tests, when the network socket was busy, the results were not generated in several runs because they were always identical.

Settings

The following settings were made on the OPNsense firewalls. In general, no special optimization steps were carried out. OPNsense was used with default settings. As the settings for individual VPN technologies are also demanding, measured values can certainly be regarded as an absolute minimum.

• Firewall Test
  • Spamhaus DROP and EDROP lists on LAN and WAN Interface activated
  • EDROP list now integrated in DROP and no longer available, only DROP list used in tests of FWA-1112VC-4CA1S and RI1102-SMXDFH.
• OpenVPN Test (legacy server/Client method)
  • Server Mode: Peer to Peer (SSL/TLS)
  • Protocol: UDP4
  • Device Mode: tun
  • TLS Authentication: Enabled - Authentication & encryption
  • TLS Shared Key: 2048bit OpenVPN static key
  • DH Parameters Length: 4096 bit
  • Encryption Algorithm: AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)
  • Auth Digest Algorithm: SHA512 (512-bit)
  • Certificate Depth: Do Not Check
  • Compression: Enabled - LZO algorithm (--compress lzo)
• OpenVPN Test (Instances method)
  • TLS static key crypt
  • 2048 bit Static Key
  • cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500
  • Data Channel: cipher 'AES-256-GCM', peer-id: 0
  • Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt

• IPsec VPN Test (legacy Tunnel Settings method)
  • Phase 1
    • Authentication method: Mutual PSK
    • Pre-Shared Key: yes
    • Encryption algorithm: 256 bit AES-GCM with 128 bit ICV
    • Hash algorithm: SHA256
    • DH key group: 14 (heißt 2048 bits)
  • Phase 2
    • Protocol: ESP
    • Encryption algorithms: aes256gcm16
    • Hash algorithms: SHA256
    • PFS key group: 14 (2048 bits)

• WireGuard VPN test
  • Shared secret (PSK)

• WireGuard VPN test (Instances)
  • Public Keys
  • Pre-shared key additionally

Author: Thomas Niedermeier Thomas Niedermeier working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas is employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.