Router real throughput under various circumstances

I have read that the Turris Omnia (TO) WAN->LAN capability is close to 1 Gb/s.
But what is the throughput if other features and protocols are used?

  • IPv4 NAT
  • IPv6
  • OpenVPN tunnel terminated in the TO
  • IP Netfilter (controlled by iptables) with hundreds of rules and detailed logging
  • SSL data transfer to an internal Apache server, for example

I would be surprised if it is much less than 1Gb/s for non-crypto traffic cases given non-crazy hardware design; however, OpenVPN/SSL depends on the acceleration support and most likely is much less. I would be interested in real figures as well (disclaimer: already preordered one though :>).

We are preparing an update with more detailed measuring. :wink:

In your update you mention “up to 975Mbps & up to 450’000pps”, so it won’t be able to handle full duplex 1Gbps routing (I’d be happy with 2x ≥750Mbps)?
(Besides, that figure seems a bit low compared to, for example, MikroTik’s RB3011UiAs, which, running on a similar SoC, supposedly achieves up to 1.4million pps and up to 3.9Gbps.)

Don’t forget the Mikrotik has 2 dedicated QCA8337-AL3C-R switch chips :wink:

I think people should post some real-world scenarios they want the device to fill and those can be benchmarked.

That’s probably unrealistic and requires x86 or Tile hardware

  • 1 x 100Mbit OpenVPN connection as default gateway
  • 2 x 25Mbit IPSec gateways
  • 1 x 50Mbit standard gateway for guests
  • Deep packet inspection (suricata)
  • Caching proxy
  • Piratebox using attached HD
  • Near wirespeed switching for internal network (NAS, desktops/laptops)

But if you tone it down, maybe they can benchmark it

  • 1 x 50Mbit OpenVPN connection as default gateway
  • 1 x 50Mbit standard gateway for guests
  • Deep packet inspection (snort)
  • Caching proxy
  • 500Mbps switching for internal network (NAS, desktops/laptops)

etc.

Basically, together with a 24-port switch & a few WLAN APs, this would replace my Apple AirPort Extreme when switching to a 1Gbps FTTH installation, acting as a basic gateway with firewall. So WAN-to-LAN & LAN-to-WAN throughput should be ≥1.5Gbps, since I don’t fancy buying a new router for at least the next 5 years. Usage scenarios would be what I consider mostly ordinary traffic (http/ftp, rsync, zfs send/receive, Netflix, BitTorrent). If it can do that while doing other tasks, all the better, but it’s really optional…

Shouldn’t make a difference for WAN-to-LAN & LAN-to-WAN throughput though…

Just realized that the Linksys WRT1900ACS has the same SoC (with less RAM) & achieves 1.5Gbps simultaneous WAN<>LAN routing, so I guess the Omnia should manage the same… yay

I would very much like to see the throughput performance of the router with IPv4 and NAT as well as full firewall turned on, and another test of the throughput when running through an OpenVPN with proper levels of encryption, not the minimum possible levels.

I have gigabit internet fiber to the home and run a router-based OpenVPN server to a friend who is about 1,000 miles (1,610 km) away who also has gigabit internet. I do realize encrypted VPN throughput is much lower than standard traffic bandwidth, but I am hoping this router is able to achieve at least 300-400 mbps of throughput over an encrypted VPN when using 256-bit AES and 2048-bit RSA keys. A test with 128-bit AES would also be nice to see the difference between them for security vs throughput of encrypted traffic.

As pointed out in
https://discourse.labs.nic.cz/t/what-speeds-could-we-achieve-using-the-router-as-openvpn-client/157/10
there are currently some limitations with OpenVPN and hardware supported encryption.
As seen on http://linksys.lithium.com/t5/Wireless-Routers/WRT1900AC-OpenVPN/td-p/945521/page/2 in the logs, Linksys seems to use BF-CBC for data encryption, and the page above says about 100 mbps for OpenVPN. So I doubt you will reach the 300-400 Mbps with OpenVPN as long as OpenVPN does not support hardware assisted encryption.

Another limitation is of course by design… packets have to be copied from kernel to userspace and vice versa + it’s still single-threaded, so it can only utilize one of the two cores…
So one might really consider using IPsec if speed is a must.
