Jeffrey Belt

Another Computer Geek

OpnSense: Tuning for 1G Throughput

The following settings increased throughput consistently to 845-862 Mbps on a Protectli FW1, with an average of 855.  Unfortunately, this is short of my goal of 900+ Mpbs my ISP connection is suppose to be able to achieve; but for now, is good enough.

Interfaces -> Settings:

System => Settings => Tunables:

NOTE: IN several of the settings below, the interface is designated as “em.”  However, your system may have igb, ix or something else.  Just replace the em with your system’s interface type.  Once done, reboot the firewall to ensure all settings take effect.


    Tunable Name                                  Description                                                                               Value    


    ahci_load                Advanced Host Controller Interface (AHCI)      yes     


    cc_htcp_load             H-TCP Congestion Control for a more            yes 

                             aggressive increase in speed on 

                             higher latency, high bandwidth networks 

                             with some packet loss.          


    dev.em.#.eee_disabled    Disable Energy Efficiency - set for each       1

                             em port in your system     


    dev.em.#.fc              Disable Flow Control                           0


    dev.em.#.iflib.tx_abdicate     Enable TX abdicate                       1

    hostcache.expire         ?                                              1

    hw.em.eee_setting        Disable or enable Energy Efficient             1 

                             Ethernet. Default 1 (disabled). 

    hw.em.msix               Enable or disable MSI-X style interrupts.      1


    hw.em.enable_aim         Increase Network efficiency                    1  


    hw.em.enable_msix        Fast interrupt handling. Normally set          1

                             by default. Use these settings to insure 

                             it is on. Allows NIC to process packets as 

                             fast as they are received


    hw.em.fc_setting         Disable Flow Control (new)                     0

    hw.em.num_queues         Use one queue instead of multiple queues,      1

                             to reduce the strain on the system.

    hw.em.rx_process_limit   Remove limit of the maximum number of          -1

                             packets to manage at once (Intel only)

    hw.em.rxd                Increase packet descriptors                    4096

                             (set as 1024,2048, or 4096) ONLY! Allows

                             a larger number of packets to be processed.


    hw.em.smart_pwr_down     Enable or disable smart power down features    0 

                             on newer adapters. Default 0 (disabled).


    hw.em.txd                Increase packet descriptors (set as 1024,      4096

                             2048, or 4096) ONLY! Allows a larger number

                             of packets to be processed.


    hw.igb.num_queues        Set number of queues to number of cores        1

                             divided by number of ports, 1 lets FreeBSD 


    hw.pci.enable_msix       Disable msix = 0, enable = 1                   1

    if_em_load               Intel(R) PRO/1000 Gigabit Ethernet adapter     yes

                             driver, preload.

    kern.ipc.maxsockbuf      Maximum socket buffer size                16777216 


    kern.ipc.nmbclusters     Increase the amount of network memory       131072 



    machdep.hyperthreading_allowed    Disable Hyper-Threading                 0


    net.inet.ip.fw.dyn_buckets        Increase dynamic buckets          5000000

                                      maximum number of states to 5M 


    net.inet.ip.fw.dyn_max    Increase hash table maximum number of     5000000

                              states to 5M     

    net.inet.ip.maxfragpackets     Do not accept Fragmented packets           0


    net.inet.ip.maxfragsperpacket  Do not accept Fragmented packets           0     ?                                        htcp 


    net.inet.tcp.hostcache.cachelimit   Ostcache cachelimit is the number.    0 

                             of ip addresses in the hostcache list. Setting 

                             the value to zero(0) stops any ip address

                             connection information from being cached and 

                             negates the need for "net.inet.tcp.hostcache.expire"

    net.inet.tcp.hostcache.expire   ?                                         1

    net.inet.tcp.recvbuf_auto       ?                                         1

    net.inet.tcp.recvbuf_inc        ?                                    524288


    net.inet.tcp.recvbuf_max        ?                                  16777216

    net.inet.tcp.sendbuf_auto       ?                                         1 


    net.inet.tcp.sendbuf_inc        ?                                     16384 


    net.inet.tcp.sendbuf_max        ?                                         1

    net.inet.tcp.soreceive_stream   Enable the optimized version of           1

                                    soreceive() for stream (TCP) sockets. 

                                    soreceive_stream() only does one sockbuf

                                    unlock/lock per receive independent of the

                                    length of data to be moved into the uio

                                    compared to soreceive() which 

                                    unlocks/locks per *mbuf*. 

                                    soreceive_stream() can significantly

                                    reduced CPU usage and lock contention

                                    when receiving fast TCP streams.              An indirect result of increasing the   2048

                                    interface queue is the buffer acts 

                                    like a large TCP initial congestion

                                    window (init_cwnd) by allowing a network

                                    stack to burst packets at the start of a



Additional Information:

This is not related to performance, but relates to hardening the Web Interface and SSH protocols.

Disable TLS 1.0 and TLS 1.1

SSL Labs caps your rating at a B if you allow TLS 1.0 or 1.1, to get an A+ rating on SSL Labs, limit to the following ciphers from Default to the following:

System => Administration => Web GUI -> SSL Ciphers

TLS 1.3

TLS 1.2

Check the box for HTTP Strict Transport Security or you'll be limited to an A rating.

To pass SSH-Audit from set the following accordingly:

System => Administration (Secure Shell)

=> Key exchange algorithms

=> Ciphers


=> Host key algorithms

Home        Services        Contact       How To’s        GitHub

Copyright - Jeffrey Belt - All Rights Reserved