Hello,
I've already posted on the Netgate forum on the same subject, but I'll try here if the problem is with Proxmox.
I'm currently trying to understand a strange behavior with my pfSense CE 2.6 virtualized on Proxmox VE 7.4-3. I've been tearing my hair out for days now.
My ISP router (Freebox Delta w/ 10G-EPON, Free ISP in France) is wired directly to my Proxmox hypervisor via a passive 10Gbps DAC.
So I have a Linux bridge (vmbr2) connected to the corresponding SFP+ port.
Attached to this bridge are my pfSense WAN and two test VMs. For each of my tests, I download directly from my ISP's router, which is capable of generating data on the fly to test local speeds.
I put my tests in Pastebin: https://pastebin.com/raw/qxAUGynQ
Proxmox handles the 10Gbps link very well, since I can reach them without any problem as soon as I stop going through pfSense. I've also run a number of speedtests, which show the same behavior towards external servers: speeds seem to be "throttled" as soon as I go through my pfSense virtual machine (clean installation with no modifications).
I thought it was a FreeBSD limitation, but a nude FreeBSD installation perfectly exploits the 10Gbps link.
So I'm a bit lost, I'm throwing a bottle into the sea in case someone has the same experience and, more importantly, the solution. I'd like to avoid having to buy a Netgate 6100 when my current equipment should be sufficient.
What I've already tried:
- Test all possibilities with Hardware Checksum Offloading, TSO and LRO
- Test with or without PCIe passthrough on pfSense, maybe a small difference but really not a big deal
- Reinstall clean pfSense (test with CE 2.6, Plus 23.01 and Plus 23.05 versions)
- Test of E1000, Realtek and VMX drivers
- Test with multiqueue (4 or 8) with 8 vCPU, no difference and I can reach 10Gbps with only 2 vCPU and without multiqueue without any problem.
- Test with OPNsense, throughputs significantly higher, but no major difference.
- Test with i440fx and q35 machine
- Test with Jumbo frames (MTU 9000)
- Test new VM Untangle NG Firewall (Arista): I'm able to use 10Gbps, including through the router, but... (there is a bug if IPv6 gateway is on fe80::/10, no default route created)
- Test new VM pfSense with OS set to "Other" and UEFI, same problematic behavior
My config:
- ISP:
  - Freebox Delta 10G-EPON 8Gbps/700Mbps
- Hypervisor:
  - Proxmox VE 7.4-3
  - AMD Ryzen 7 5700G
  - 64 GB RAM
  - Motherboard MAG B550M MORTAR WIFI
  - 1 TB NVMe
  - 2 x SFP+ 1/2.5/10Gbps (BCM57810S)
  - 1 x RJ45 2.5 Gbps (RTL8125B, not used)
A brief overview of the network part concerned:
Sorry for my English and thank you for your help!