  1. #1
    Join Date
    Sep 2021

    Any tips on 10GbE performance tuning?


    I was wondering if there are any performance tuning options for 10GbE. I have Untangle Home (the version before the new license mode), and I run a home lab with several servers and VLANs.

    My setup is as follows:

    Mikrotik 16x10GbE (SFP+) L2 switch
    3 ESXi servers (Xeon 2678v3, 256GB RAM, 2x10Gbps)
    1 TrueNAS server (Xeon 2680v1, 96GB RAM, 2x10Gbps)
    1 Primary Workstation (Ryzen 5800X, 64GB RAM, 1x10Gbps)
    1 Untangle Router (Core i5 8500, 16GB DDR4, 256GB NVMe, 2x10Gbps)
    (Everything with Jumbo Frames at 9000)

    Everything L2 works at line speed (~9.45Gbps) because it doesn't go up to the Untangle Router.

    I have the following apps running on the Untangle server: Firewall, Ad Blocker, Web Filter, Bandwidth Control, Application Control, Intrusion Prevention, Policy Manager, Directory Connector and Reports.

    If I make a "bypass" rule to allow VLAN10 to VLAN20 to be bypassed, it will be routed by Untangle, and the performance will be line speed: ~9.45Gbps

    If I disable the bypass rule, I have lots of retries and performance drops significantly, to between 3 and 5Gbps. I don't see significant CPU or RAM usage.

    Are there any knobs to tune to try to get closer to line speed, or get better performance out of the server? It's quite capable, I'd say (6 cores at 3GHz with 16GB RAM). I'd like to avoid bypass rules. In fact, I'm comfortable with the performance I'm getting, but it would be nice to tune it further if it's possible.

    Thanks in advance!

  2. #2
    Master Untangler TirsoJRP
    Join Date
    Oct 2010


    Why would you filter inter-VLAN traffic with apps?

    No doubt you have quite capable hardware, but I see no reason to use L7 apps on VLANs.

    Bypass and filter rules could help you with performance, but I still recommend another device to handle inter-VLAN traffic.

  3. #3
    Join Date
    Sep 2021


    I'd try to avoid adding another device for inter-VLAN traffic; I'm already pretty high on the power bill (the L2/L3 Mikrotik switch could do that, but it drops performance to less than 1Gbps, as it doesn't have enough CPU; that's why it's only switching).

    The Untangle server has enough CPU to do inter-VLAN traffic at line speed, so I don't mind going that route. It's not a bad idea, in fact, to make a bypass rule from any non-WAN to any non-WAN. Every server that faces the internet is behind a reverse proxy, but in the event of a compromised server, I thought it wouldn't be "harmful" to have IPS and firewall filtering the inter-VLAN communication (I'm just being paranoid here, it's just a home lab...)

    I'm considering dropping the apps with a bypass rule as you said. I thought maybe it was one specific app that affects the performance heavily, but I stopped them one by one and the result was always the same... ~4.5Gbps most of the time, even with IPS off. The moment packets are "processed" and not just routed, it takes quite a toll on performance (but I don't see heavy CPU usage; maybe some apps can't be multithreaded?).

    It also affects latency, not in a sensitive way, but it's measurable. With a bypass I see ~0.25ms, and without it, it jumps to between ~0.5ms and 2ms.

  4. #4
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    York, NE


    Quote: Originally Posted by TirsoJRP
    Why would you filter inter-vlan traffic with apps?

    I wouldn't (In fact, I don't) do my whole network this way, but Untangle VLAN filtering is a great way to set up a monitored DMZ for web servers and the like.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty
