Two datacentres, each with a pair of 2.5GHz Xeon firewalls running OpenBSD. Benching with iperf yielded the following:
- Between firewall pair, LAN
[ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec[ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec [ 3] 0.0-10.0 sec 1017 MBytes 853 Mbits/sec
- Firewall to firewall between DCs, outside VPN, no PF
[ 3] 0.0-10.0 sec 1.02 GBytes 873 Mbits/sec[ 3] 0.0-10.0 sec 992 MBytes 832 Mbits/sec [ 3] 0.0-10.0 sec 986 MBytes 827 Mbits/sec
- Firewall to remote internal host, outside VPN, through PF NAT (rdr)
[ 3] 0.0-10.0 sec 260 MBytes 218 Mbits/sec[ 3] 0.0-10.0 sec 202 MBytes 170 Mbits/sec [ 3] 0.0-12.3 sec 333 MBytes 228 Mbits/sec
- Internal host to internal host, over IPsec VPN (ESP), through PF
[ 3] 0.0-10.1 sec 43.9 MBytes 36.4 Mbits/sec[ 3] 0.0-10.1 sec 26.2 MBytes 21.8 Mbits/sec [ 3] 0.0-11.3 sec 28.0 MBytes 20.8 Mbits/sec
- Internal host to internal host, over OpenVPN, through PF
[ 3] 0.0-10.0 sec 161 MBytes 134 Mbits/sec[ 3] 0.0-10.0 sec 144 MBytes 121 Mbits/sec [ 3] 0.0-10.0 sec 145 MBytes 121 Mbits/sec
Care was taken to use optimal ciphers, appropriate MTU / MSS and the TCP stack was tuned throughout.
- IPsec really hurts without hardware acceleration
- There's a surprisingly large hit for just NAT
- Neither VPN technologies can benefit from the multiple cores available to them
- OpenVPN's speed is appealing, but it lacks the smooth route to high availability of CARP + pfsync + sasync of IPsec on OpenBSD
last updated: