Thomas-Krenn OPNsense Rack-Server Firewall Performance

From Thomas-Krenn-Wiki

The free firewall distribution OPNsense runs on a wide range of appliances and servers. To pick suitable hardware for a given purpose, the candidate systems have to be put through comprehensive performance tests. This article presents the results for the Thomas-Krenn rack servers tested so far in tabular form; the tables are extended whenever a further system has been tested. Performance data for Thomas-Krenn Low Energy Server (LES) devices and other fanless devices is covered in a separate Thomas-Krenn-Wiki article.

Important note: these tests were performed under laboratory conditions; values measured in production environments may differ. The tested models may have been replaced by newer versions in the meantime; the current hardware selection is listed in the Thomas-Krenn online shop.


Test results

The following tables summarise the results available so far. For every test scenario the four systems are listed with the measured throughput in both traffic directions and the load on the firewall during the run (CPU time in %, measured with vmstat as described under "Benchmark tools"). The exact test settings for each scenario are listed under "Settings" below.

Tested systems

  • RI1102A-F (version 2.0, Supermicro A2SDi-4C-HLN4F with Intel Atom C3558), 16 GB RAM; tested with OPNsense 23.1.1_2-amd64 and a 25 Gbit/s Broadcom P225P add-in card
  • RI1102D-F (version 1, Intel Xeon D-1518), 16 GB RAM; tested with OPNsense 22.7.9_3 and a 25 Gbit/s Broadcom P225P add-in card
  • RI1102-SMXDFH (version 1, Intel Xeon D-1718T), 32 GB RAM; tested with OPNsense 25.1.6_4-amd64
  • RI1101-SMXEFH (version 1, Intel Xeon E-2334), 16 GB RAM; tested with OPNsense 25.1.9_2-amd64

Routing
  • NAT deactivated
  • pure routing

System                       | Upload      | Download    | Load upload (%) | Load download (%)
RI1102A-F (Atom C3558)       | 9.33 Gbit/s | 9.46 Gbit/s | 51              | 66
RI1102D-F (Xeon D-1518)      | 11.7 Gbit/s | 12 Gbit/s   | 39.5            | 45.4
RI1102-SMXDFH (Xeon D-1718T) | 13.7 Gbit/s | 14.1 Gbit/s | 14              | 14
RI1101-SMXEFH (Xeon E-2334)  | 23.2 Gbit/s | 23.5 Gbit/s | 24              | 23.5

Note: measured with the 25 Gbit/s Broadcom P225P.

Firewall
  • NAT active
  • Spamhaus DROP and EDROP lists on the WAN and LAN interface (since 2025 only the DROP list, see "Settings")

System                       | Upload      | Download    | Load upload (%) | Load download (%)
RI1102A-F (Atom C3558)       | 7.11 Gbit/s | 6.31 Gbit/s | 83              | 66
RI1102D-F (Xeon D-1518)      | 5.9 Gbit/s  | 6.2 Gbit/s  | 50              | 50
RI1102-SMXDFH (Xeon D-1718T) | 7.5 Gbit/s  | 8.2 Gbit/s  | 15              | 14.8
RI1101-SMXEFH (Xeon E-2334)  | 23.4 Gbit/s | 23.5 Gbit/s | 29.3            | 32

Notes: the measured values fluctuated significantly, as did the load on the firewall. Measured with the 25 Gbit/s Broadcom P225P; the load on the firewall is slightly higher than in the routing test.

Firewall and IDS
  • same settings as the firewall test
  • additionally, intrusion detection (IDS) active on the WAN interface
  • number of rules: not recorded

System                       | Upload      | Download    | Load upload (%) | Load download (%)
RI1102A-F (Atom C3558)       | 6.51 Gbit/s | 6.02 Gbit/s | 92              | 89
RI1102D-F (Xeon D-1518)      | 5.2 Gbit/s  | 4.7 Gbit/s  | 68              | 61
RI1102-SMXDFH (Xeon D-1718T) | 6.2 Gbit/s  | 6.7 Gbit/s  | 20              | 21
RI1101-SMXEFH (Xeon E-2334)  | 17.2 Gbit/s | 20.8 Gbit/s | 44.6            | 51.7

Notes: the results are of limited reliability, as they fluctuated strongly between 3.2 and 8 Gbit/s; the load on the firewall accordingly fluctuated between just under 60 % and 100 %. IDS increases the load on the firewall significantly, but the throughput remains quite high.

Firewall and IPS
  • same settings as the firewall test
  • additionally, intrusion prevention (IPS) active on the WAN interface
  • number of rules: not recorded

System                       | Upload      | Download    | Load upload (%) | Load download (%)
RI1102A-F (Atom C3558)       | 918 Mbit/s  | 631 Mbit/s  | 52              | 40
RI1102D-F (Xeon D-1518)      | 5.4 Gbit/s  | 3.2 Gbit/s  | 65              | 41
RI1102-SMXDFH (Xeon D-1718T) | 5.7 Gbit/s  | 3.8 Gbit/s  | 26              | 16
RI1101-SMXEFH (Xeon E-2334)  | 5.6 Gbit/s  | 4.7 Gbit/s  | 23              | 18.5

Notes: the sub-gigabit result was measured over the 1 Gbit/s onboard NIC. In IPS mode the throughput drops significantly compared with IDS mode while the load on the firewall stays moderate.

Firewall and Zenarmor
  • same settings as the firewall test
  • additionally, Zenarmor active on the LAN interface

System                       | Upload      | Download    | Load upload (%) | Load download (%)
RI1102A-F (Atom C3558)       | 33.6 Mbit/s | 1.76 Gbit/s | 12              | 44
RI1102D-F (Xeon D-1518)      | 11 Mbit/s   | 1.2 Gbit/s  | 6               | 27
RI1102-SMXDFH (Xeon D-1718T) | 4.3 Gbit/s  | 7.6 Gbit/s  | 15              | 24.5
RI1101-SMXEFH (Xeon E-2334)  | 4.95 Gbit/s | 6.5 Gbit/s  | 16              | 25

Notes (per system, in table order):
  • RI1102A-F: very poor upload performance; settings: MongoDB database, routed mode with emulated netmap
  • RI1102D-F: very poor upload performance; settings: MongoDB database, routed mode with emulated netmap
  • RI1102-SMXDFH: local MongoDB database, routed mode with native netmap driver, default policy set to moderate control
  • RI1101-SMXEFH: local Elasticsearch 8 database, routed mode with emulated netmap driver, default policy set to moderate control; performance and load comparable with IPS mode

OpenVPN tunnel
  • same settings as the firewall test
  • additionally, an OpenVPN tunnel between the two firewalls

System                       | Upload      | Download    | Load upload (%) | Load download (%)
RI1102A-F (Atom C3558)       | 268 Mbit/s  | 271 Mbit/s  | 31              | 34
RI1102D-F (Xeon D-1518)      | 372 Mbit/s  | 373 Mbit/s  | 17              | 16
RI1102-SMXDFH (Xeon D-1718T) | 1.2 Gbit/s  | 1.2 Gbit/s  | 15.3            | 13.6
RI1101-SMXEFH (Xeon E-2334)  | 1.5 Gbit/s  | 1.3 Gbit/s  | 13.7            | 13.5

IPsec VPN tunnel
  • same settings as the firewall test
  • additionally, an IPsec VPN tunnel between the two firewalls

System                       | Upload      | Download    | Load upload (%) | Load download (%)
RI1102A-F (Atom C3558)       | 1.23 Gbit/s | 1.13 Gbit/s | 61              | 51
RI1102D-F (Xeon D-1518)      | 1.6 Gbit/s  | 814 Mbit/s  | 42              | 23
RI1102-SMXDFH (Xeon D-1718T) | 1.3 Gbit/s  | 1.6 Gbit/s  | 14              | 19
RI1101-SMXEFH (Xeon E-2334)  | 2.2 Gbit/s  | 2.6 Gbit/s  | 16.4            | 19.7

WireGuard VPN tunnel
  • same settings as the firewall test
  • additionally, a WireGuard VPN tunnel between the two firewalls

System                       | Upload      | Download    | Load upload (%) | Load download (%)
RI1102A-F (Atom C3558)       | -           | -           | -               | -
RI1102D-F (Xeon D-1518)      | 749 Mbit/s  | 816 Mbit/s  | 43              | 44
RI1102-SMXDFH (Xeon D-1718T) | 3.8 Gbit/s  | 3.4 Gbit/s  | 65.9            | 56.7
RI1101-SMXEFH (Xeon E-2334)  | 3.9 Gbit/s  | 3.4 Gbit/s  | 42.6            | 38.1

Notes: on the RI1102A-F the test was not possible, as the tunnel could not be established stably. A surprisingly strong result, with quite a high load on the firewall. On the RI1101-SMXEFH the performance is also quite strong; WireGuard profits from multithreading and the load on the firewall is quite high, but significantly lower than on the Xeon D-1718T at similar throughput.

Setup performance tests

The following list shows the remaining components of the test setup. The firewall under test is always "Firewall Site 2". So that the remote end does not become the bottleneck when measuring maximum performance, a server based on a Supermicro H12SSL-NT mainboard was used as the high-performance remote station (Firewall Site 1):

Firewall Site 1
  • hardware
    • mainboard: Supermicro H12SSL-NT
    • CPU: AMD EPYC 72F3 (8 cores)
    • RAM: 32 GB
  • BIOS
    • version: 2.3
    • settings: default
  • software: always the current community version of OPNsense at the time of the test

Firewall Site 2
  • the firewall under test (see the tested systems above)

Clients up to 2023

Client Site 1
  • mainboard: Supermicro X11SSH-LN4F
  • CPU: Intel Xeon E3-1230 v6 (3.50 GHz, 4 cores)
  • RAM: 4 GB
  • BIOS version: 2.7
  • software: Ubuntu Server 22.04.1

Client Site 2
  • mainboard: Supermicro X10SLH-F
  • CPU: Intel Xeon E3-1220 v3 (3.10 GHz, 4 cores)
  • RAM: 4 GB
  • BIOS version: 3.4

Clients since 2024 (two new, identical and significantly faster load clients were procured)

Client Site 1 and 2
  • mainboard: Asus P12R-M/10G-2T
  • CPU: Intel Xeon E-2378 (2.60 GHz, 8 cores, 16 MB cache)
  • RAM: 32 GB
  • BIOS version: 1201
  • software: Ubuntu Server 24.04.2 LTS

Benchmark tools

The performance tests were performed with iperf.

  • On the server side, iperf was started with: iperf -p 5000 -f m -s
  • The client side connected to the iperf server with: iperf -p 5000 -f m -c <server IP> -t 180 -P 10 (180 seconds, 10 parallel streams, results in Mbit/s)
  • The load on the firewall was measured with: vmstat -w 180 -c 2 (vmstat's first sample reports the averages since boot; the second sample covers the 180 s measurement interval)

Upload test

To simulate an upload, iperf was started in client mode (-c) on client site 2 and in server mode (-s) on client site 1, so traffic flows from site 2 to site 1.

Download test

For a download test the directions were reversed: client site 1 was started as the client (-c) and client site 2 as the server (-s).

Test run

The values in the tables are averages over up to 10 runs. In some tests (when the network interface was already saturated) fewer runs were made, since the results were always identical.
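The measurement procedure described above (iperf with 10 parallel streams for 180 s, vmstat -w 180 -c 2 on the firewall, averaging over up to 10 runs) reduces to a small aggregation step. The following Python script is an added example and not part of the original article or of any Thomas-Krenn tooling: it builds the two iperf command lines from the page, extracts the aggregate [SUM] throughput from each client run, averages the runs into Gbit/s, and takes the firewall load from the last vmstat sample. The iperf and vmstat outputs it parses are constructed to look like iperf 2 and FreeBSD vmstat output, not real captures, and the script assumes that the page's "CPU time in %" is the non-idle share (us + sy) of the second vmstat sample.

```python
"""Aggregate iperf 2 client output and FreeBSD vmstat samples into the
"throughput / CPU time in %" figures used in the tables above.
Added example; the sample outputs below are constructed, not real captures."""
import re
import statistics

# Final aggregate line iperf 2 prints for a multi-stream (-P) run, e.g.
# "[SUM]  0.0-180.0 sec  200000 MBytes  9330 Mbits/sec"
IPERF_SUM = re.compile(
    r"^\[SUM\]\s+[\d.]+-\s*[\d.]+\s+sec\s+[\d.]+\s+\w+\s+([\d.]+)\s+([KMG])bits/sec"
)
TO_MBITS = {"K": 1e-3, "M": 1.0, "G": 1e3}


def iperf_commands(server_ip, port=5000, seconds=180, streams=10):
    """The server and client command lines from the page, as argv lists."""
    server = ["iperf", "-p", str(port), "-f", "m", "-s"]
    client = ["iperf", "-p", str(port), "-f", "m", "-c", server_ip,
              "-t", str(seconds), "-P", str(streams)]
    return server, client


def iperf_sum_mbits(output):
    """Aggregate throughput of one client run in Mbit/s.
    The last [SUM] line is used so that per-interval lines (-i) are ignored."""
    mbits = None
    for line in output.splitlines():
        m = IPERF_SUM.match(line)
        if m:
            mbits = float(m.group(1)) * TO_MBITS[m.group(2)]
    if mbits is None:
        raise ValueError("no [SUM] line in iperf output")
    return mbits


def average_gbits(runs):
    """Mean over the runs (up to 10 on the page), in Gbit/s with two decimals."""
    return round(statistics.mean(iperf_sum_mbits(r) for r in runs) / 1000, 2)


def vmstat_cpu_busy(output):
    """CPU time in % (assumed here to be us + sy) from `vmstat -w 180 -c 2`.
    vmstat's first sample is the average since boot, so only the second (last)
    sample describes the 180 s interval. FreeBSD vmstat ends every data line
    with the three columns us sy id; header lines do not start with a digit."""
    samples = [ln.split() for ln in output.splitlines()
               if ln.strip() and ln.split()[0].isdigit()]
    if len(samples) < 2:
        raise ValueError("need the since-boot sample plus one interval sample")
    us, sy, _idle = (int(x) for x in samples[-1][-3:])
    return us + sy


def summarise(runs, vmstat_output):
    """One table cell: throughput in Gbit/s and firewall CPU time in %."""
    return {"gbit_s": average_gbits(runs), "cpu_pct": vmstat_cpu_busy(vmstat_output)}


# Constructed sample data (not real captures): three 180 s runs and one vmstat call.
SAMPLE_RUNS = [
    "------------------------------------------------------------\n"
    "Client connecting to 10.0.2.10, TCP port 5000\n"
    "TCP window size: 2.00 MByte (default)\n"
    "------------------------------------------------------------\n"
    "[  3] local 10.0.1.10 port 40001 connected with 10.0.2.10 port 5000\n"
    "[  3]  0.0-180.0 sec  20000 MBytes   932 Mbits/sec\n"
    "[SUM]  0.0-180.0 sec  200000 MBytes  9330 Mbits/sec\n",
    "[SUM]  0.0-180.0 sec  201000 MBytes  9390 Mbits/sec\n",
    "[SUM]  0.0-180.0 sec  198000 MBytes  9270 Mbits/sec\n",
]
SAMPLE_VMSTAT = (
    "procs  memory       page                    disks     faults         cpu\n"
    "r b w  avm   fre   flt  re  pi  po    fr   sr da0 pa0   in    sy    cs us sy id\n"
    "0 0 0  1.2G  14G    12   0   0   0    14   5    0   0   300  1200  2000  1  1 98\n"
    "2 0 0  1.2G  14G     3   0   0   0     0   0    0   0 92000   900 61000  4 47 49\n"
)

if __name__ == "__main__":
    print(iperf_commands("10.0.2.10"))
    print(summarise(SAMPLE_RUNS, SAMPLE_VMSTAT))  # {'gbit_s': 9.33, 'cpu_pct': 51}
```

Taking only the last vmstat sample matters: with -c 2 the first line is the average since boot and would dilute a 180 s load figure on any firewall that has been idle for days.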

Settings

The following settings were made on the OPNsense firewalls. No special optimisation steps were performed; OPNsense was used with its default settings. Since the settings chosen for the individual VPN technologies are themselves demanding (strong ciphers, large key sizes), the measured values can be regarded as a lower bound.

  • Firewall test
    • Spamhaus DROP and EDROP lists activated on the LAN and WAN interface
    • The EDROP list has since been merged into DROP and is no longer available; for the tests of the FWA-1112VC-4CA1S and RI1102-SMXDFH only the DROP list was used
  • OpenVPN test (legacy server/client method)
    • Server Mode: Peer to Peer (SSL/TLS)
    • Protocol: UDP4
    • Device Mode: tun
    • TLS Authentication: Enabled - Authentication & encryption
    • TLS Shared Key: 2048-bit OpenVPN static key
    • DH Parameters Length: 4096 bit
    • Encryption Algorithm: AES-256-GCM (256-bit key, 128-bit block, TLS client/server mode only)
    • Auth Digest Algorithm: SHA512 (512-bit)
    • Certificate Depth: Do Not Check
    • Compression: Enabled - LZO algorithm (--compress lzo). OpenVPN deprecated compression with version 2.5 because a compression oracle (VORACLE) can leak plaintext; production tunnels should leave it disabled.
  • OpenVPN test (Instances method)
    • TLS static key: crypt
    • 2048-bit static key
    • cipher AES-256-GCM, protocol-flags cc-exit tls-ekm dyn-tls-crypt, tun-mtu 1500
    • Data Channel: cipher 'AES-256-GCM', peer-id: 0
    • Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
  • IPsec VPN test (legacy Tunnel Settings method)
    • Phase 1
      • Authentication method: Mutual PSK
      • Pre-Shared Key: yes
      • Encryption algorithm: 256-bit AES-GCM with 128-bit ICV
      • Hash algorithm: SHA256
      • DH key group: 14 (2048 bits)
    • Phase 2
      • Protocol: ESP
      • Encryption algorithm: aes256gcm16
      • Hash algorithm: SHA256
      • PFS key group: 14 (2048 bits)
  • WireGuard VPN test
    • Shared secret (PSK)
  • WireGuard VPN test (Instances)
    • Public keys
    • additional pre-shared key


Author: Thomas Niedermeier

Thomas Niedermeier works in the product management team at Thomas-Krenn and completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. He has been employed at Thomas-Krenn since 2013 and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.


Translator: Alina Ranzinger

Alina has been working at Thomas-Krenn.AG since 2024. After her training as a multilingual business assistant, she joined Product Management as an assistant and is responsible for translating texts and for the organisation of the department.


Related articles

Adjustment of OPNsense keyboard layout in the command line
Setting of OPNsense HA cluster sync from version 24.7
Updating Broadcom network card firmware with niccli under OPNsense