The following settings increased throughput consistently to 845-862 Mbps on a Protectli FW1, with an average of 855. Unfortunately, this is short of my goal of 900+ Mbps, which my ISP connection is supposed to be able to achieve; but for now it is good enough.
Interfaces -> Settings:
System => Settings => Tunables:
NOTE: In several of the settings below, the interface is designated as "em." However, your system may have igb, ix or something else. Just replace the em with your system's interface type. Once done, reboot the firewall to ensure all settings take effect.
————————————————————————————————————————————————
Tunable Name                       | Description                                                                 | Value
————————————————————————————————————————————————
ahci_load                          | Advanced Host Controller Interface (AHCI)                                   | yes
cc_htcp_load                       | H-TCP congestion control for a more aggressive increase in speed on higher-latency, high-bandwidth networks with some packet loss. | yes
dev.em.#.eee_disabled              | Disable Energy Efficient Ethernet; set for each em port in your system      | 1
dev.em.#.fc                        | Disable flow control                                                        | 0
dev.em.#.iflib.tx_abdicate         | Enable TX abdicate                                                          | 1
hostcache.expire                   | ?                                                                           | 1
hw.em.eee_setting                  | Disable or enable Energy Efficient Ethernet. Default 1 (disabled).          | 1
hw.em.msix                         | Enable or disable MSI-X style interrupts.                                   | 1
hw.em.enable_aim                   | Increase network efficiency                                                 | 1
hw.em.enable_msix                  | Fast interrupt handling. Normally set by default; use these settings to ensure it is on. Allows the NIC to process packets as fast as they are received. | 1
hw.em.fc_setting                   | Disable flow control (new)                                                  | 0
hw.em.num_queues                   | Use one queue instead of multiple queues, to reduce the strain on the system. | 1
hw.em.rx_process_limit             | Remove the limit on the maximum number of packets to manage at once (Intel only) | -1
hw.em.rxd                          | Increase packet descriptors (set as 1024, 2048, or 4096 ONLY!). Allows a larger number of packets to be processed. | 4096
hw.em.smart_pwr_down               | Enable or disable smart power-down features on newer adapters. Default 0 (disabled). | 0
hw.em.txd                          | Increase packet descriptors (set as 1024, 2048, or 4096 ONLY!). Allows a larger number of packets to be processed. | 4096
hw.igb.num_queues                  | Set the number of queues to the number of cores divided by the number of ports; 1 lets FreeBSD decide | 1
hw.pci.enable_msix                 | Disable MSI-X = 0, enable = 1                                               | 1
if_em_load                         | Intel(R) PRO/1000 Gigabit Ethernet adapter driver, preload.                 | yes
kern.ipc.maxsockbuf                | Maximum socket buffer size                                                  | 16777216
kern.ipc.nmbclusters               | Increase the amount of network memory buffers                               | 131072
machdep.hyperthreading_allowed     | Disable Hyper-Threading                                                     | 0
net.inet.ip.fw.dyn_buckets         | Increase dynamic buckets (maximum number of states) to 5M                   | 5000000
net.inet.ip.fw.dyn_max             | Increase the hash table maximum number of states to 5M                      | 5000000
net.inet.ip.maxfragpackets         | Do not accept fragmented packets                                            | 0
net.inet.ip.maxfragsperpacket      | Do not accept fragmented packets                                            | 0
net.inet.tcp.cc.algorithm          | ?                                                                           | htcp
net.inet.tcp.hostcache.cachelimit  | Hostcache cachelimit is the number of IP addresses in the hostcache list. Setting the value to zero (0) stops any IP address connection information from being cached and negates the need for "net.inet.tcp.hostcache.expire". | 0
net.inet.tcp.hostcache.expire      | ?                                                                           | 1
net.inet.tcp.recvbuf_auto          | ?                                                                           | 1
net.inet.tcp.recvbuf_inc           | ?                                                                           | 524288
net.inet.tcp.recvbuf_max           | ?                                                                           | 16777216
net.inet.tcp.sendbuf_auto          | ?                                                                           | 1
net.inet.tcp.sendbuf_inc           | ?                                                                           | 16384
net.inet.tcp.sendbuf_max           | ?                                                                           | 1
net.inet.tcp.soreceive_stream      | Enable the optimized version of soreceive() for stream (TCP) sockets. soreceive_stream() only does one sockbuf unlock/lock per receive, independent of the length of data to be moved into the uio, compared to soreceive(), which unlocks/locks per *mbuf*. soreceive_stream() can significantly reduce CPU usage and lock contention when receiving fast TCP streams. | 1
net.link.ifqmaxlen                 | An indirect result of increasing the interface queue is that the buffer acts like a large TCP initial congestion window (init_cwnd) by allowing the network stack to burst packets at the start of a connection. | 2048
————————————————————————————————————————————————
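As an added check that is not part of the original post: a small POSIX sh script that compares the values a firewall actually reports (in the key=value format of `sysctl -e`) against a subset of the table above, so a tunable that was mistyped or never applied is spotted rather than assumed. The EXPECTED list, the SAMPLE output and the check_tunables function are constructed here and are not from the post.

```shell
#!/bin/sh
# Added check, not from the original post. Loader-time tunables such as
# hw.em.rxd or if_em_load only show their new values after the reboot the
# post calls for, so this list sticks to runtime sysctls from the table.
EXPECTED="net.inet.tcp.cc.algorithm=htcp
net.inet.tcp.hostcache.cachelimit=0
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.recvbuf_inc=524288
net.inet.tcp.recvbuf_max=16777216
net.inet.tcp.soreceive_stream=1
net.link.ifqmaxlen=2048
kern.ipc.maxsockbuf=16777216
kern.ipc.nmbclusters=131072
machdep.hyperthreading_allowed=0"

# check_tunables ACTUAL: ACTUAL is text with one key=value per line, as
# printed by `sysctl -e`. Prints one line per deviation and returns the
# number of deviations (0 means every listed tunable matches the table).
check_tunables() {
  actual=$1
  bad=0
  for pair in $EXPECTED; do
    key=${pair%%=*}
    want=${pair#*=}
    # exact key match on the first field, so hostcache.expire never
    # matches net.inet.tcp.hostcache.cachelimit by substring
    got=$(printf '%s\n' "$actual" | awk -F= -v k="$key" '$1 == k { print $2; exit }')
    if [ -z "$got" ]; then
      echo "MISSING  $key (want $want)"
      bad=$((bad + 1))
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $key is $got, want $want"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Constructed sample standing in for `sysctl -e` output on a box where the
# congestion control was left at its default and cachelimit was never set.
SAMPLE="net.inet.tcp.cc.algorithm=newreno
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.recvbuf_inc=524288
net.inet.tcp.recvbuf_max=16777216
net.inet.tcp.soreceive_stream=1
net.link.ifqmaxlen=2048
kern.ipc.maxsockbuf=16777216
kern.ipc.nmbclusters=131072
machdep.hyperthreading_allowed=0"

check_tunables "$SAMPLE" || echo "$? tunable(s) deviate from the table"
```

On the firewall itself, replace SAMPLE with the live values, e.g. `check_tunables "$(sysctl -e $(printf '%s\n' "$EXPECTED" | cut -d= -f1))"`, and re-run it after the reboot.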
Additional Information:
This is not related to performance, but relates to hardening the Web Interface and SSH protocols.
Disable TLS 1.0 and TLS 1.1
SSL Labs caps your rating at a B if you allow TLS 1.0 or 1.1. To get an A+ rating on SSL Labs, change the SSL ciphers from Default to the following:
System => Administration => Web GUI -> SSL Ciphers
TLS 1.3
TLS 1.2
Check the box for HTTP Strict Transport Security or you'll be limited to an A rating.
To pass SSH-Audit from https://github.com/arthepsy/ssh-audit.git set the following accordingly:
System => Administration (Secure Shell)
=> Key exchange algorithms
=> Ciphers
=>MACs
=> Host key algorithms
Copyright - Jeffrey Belt - All Rights Reserved