We have looked at the Soekris net4501 embedded PC platform and some of the basic m0n0wall features, but how does the combination of the two perform?
Below are two sets of performance data provided by Manuel Kasper showing the throughput of the firewall under NAT and packet filtering, and throughput of an IPSec VPN.
[XP notebook] ----- LAN [device to be tested] WAN ----- [FreeBSD PC]
- In IPsec throughput tests, the ESP tunnel was established between m0n0wall and the FreeBSD PC (which was running racoon and FAST_IPSEC).
- FreeBSD PC hardware: P4 2.8 GHz (CPU usage was below 50% at all times during the tests).
- m0n0wall configuration: factory defaults (except for "block private networks on WAN" disabled, an inbound NAT mapping + rule in the WAN->LAN no-IPsec test and of course the IPsec tunnel).
- The highest of three iperf TCP readings was used (10 seconds each).
- All network connections 100 Mb/s Ethernet.
- iperf throughput between XP notebook and FreeBSD PC with no m0n0wall in between: 94 Mb/s in both directions.
- All test results given in Mbits / second (LAN->WAN / WAN->LAN).
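The iperf method used above (highest of three 10-second TCP readings, measured separately in each direction), as an added shell example that is not part of the original article or the m0n0wall project; it assumes iperf version 2 with its classic summary-line format and an `iperf -s` server already listening on the far host.

```sh
#!/bin/sh
# Added example (not from the original article): reproduce the test method
# described above. Assumes iperf version 2 and its classic summary line, e.g.
#   [  3]  0.0-10.0 sec   112 MBytes  94.0 Mbits/sec
# and an iperf server ("iperf -s") already listening on the far host.

# Read iperf output on stdin and print the highest throughput seen, in Mb/s.
# Kbits/sec and Gbits/sec figures are normalised to Mb/s so that slow IPsec
# tunnels (which iperf may report in Kbits/sec) compare correctly.
max_mbps() {
    awk '
        BEGIN { best = 0 }
        /bits\/sec/ {
            for (i = 1; i < NF; i++) {
                unit = $(i + 1); v = $i + 0
                if (unit == "Kbits/sec")      v = v / 1000
                else if (unit == "Gbits/sec") v = v * 1000
                else if (unit != "Mbits/sec") continue
                if (v > best) best = v
            }
        }
        END { printf "%.2f\n", best }'
}

# Three 10-second TCP runs against host $1; keep the best one, as in the
# tests above. LAN->WAN is measured by running this on the LAN host towards
# the WAN host; WAN->LAN by running it the other way round.
best_of_three() {
    for run in 1 2 3; do
        iperf -c "$1" -t 10
    done | max_mbps
}

# Constructed sample output (three runs) so the parser can be shown offline.
SAMPLE_RUNS='[  3]  0.0-10.0 sec   112 MBytes  94.0 Mbits/sec
[  3]  0.0-10.0 sec   110 MBytes  92.3 Mbits/sec
[  3]  0.0-10.1 sec   111 MBytes  93.1 Mbits/sec'

printf '%s\n' "$SAMPLE_RUNS" | max_mbps   # prints 94.00

# Only touch the network when a target host is given on the command line.
if [ -n "$1" ]; then
    best_of_three "$1"
fi
```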
| Manufacturer | Platform | NAT Test, Mb/s (LAN -> WAN) | NAT Test, Mb/s (WAN -> LAN) | IPsec Test, Mb/s, 3DES-MD5 (LAN -> WAN) | IPsec Test, Mb/s, 3DES-MD5 (WAN -> LAN) |
|---|---|---|---|---|---|
In the real world, the net4501 would perform more than adequately for most users' needs as an Internet firewall, since not many of us are lucky enough to have Internet connections that exceed 15 Mb/s. However, the IPsec performance is more likely to be an issue, especially if multiple tunnels are configured.
As you can see, CPU speed has a clear impact on IPsec throughput, which reaches only 2.07 / 2.02 Mb/s with 3DES-MD5. Using the more efficient Blowfish encryption algorithm improves this to 3.99 / 3.89 Mb/s.
Although this article has focused on the Soekris net4501, the data shown above for all the embedded platforms is fairly indicative of what you might expect from standard PC hardware of similar speed. The net4501 is roughly equivalent to a Pentium 100 MHz in performance; the net4801 and WRAP.1C-2 are roughly equivalent to a Pentium 266 MHz and 233 MHz respectively.
If you need more performance, more recent standard PC hardware such as a Pentium III CPU with 128 MB of RAM and good-quality network cards such as 3Com or Intel is likely to yield 'wire speed' transfers approaching 90 to 95 Mb/s. This would be appropriate for using m0n0wall as an inter-departmental router/firewall on a large LAN.
The full test results are available at http://m0n0.ch/wall/list/?action=show_msg&actionargs=62&actionargs=57.