Tomas tested the manager throughput (CPU usage) on three platforms and four devices. The platforms were pfSense, AsusWRT, and ClearOS. The four device/platform combinations were as follows:
1. AMD G-T40E @ 1 GHz running pfSense using PF
2. Broadcom BCM4718A1 @ 480 MHz running AsusWRT
3. Broadcom BCM4709A0 @ 1 GHz running AsusWRT
4. Intel i5-3570K @ 3.4 GHz running ClearOS
5. AMD G-T40E @ 1 GHz running pfSense using IPFW
The test measured the maximum number of requests per minute reached just before CPU usage hit 100%, while also maintaining a reasonable volume of erroneous responses. A request consisted of a DNS query followed by an HTTP GET over SSL. Under DTTS, the DNS query was responsible for opening a hole in the firewall, while the HTTP request simulated a hit of that rule.
The results were:
1. 4 req/s
2. 20 req/s
3. 55 req/s
4. 200 req/s
5. 200 req/s
The Intel (4) was not maxed out on CPU usage and could reasonably achieve even higher throughput were it not for system limits on how many concurrent open file descriptors any one process, and the system as a whole, can have.
Theoretically, the higher the number of clients behind a router, the more meaningful these numbers become in estimating what kind of hardware is needed to power such a router. The open file descriptors issue can only be mitigated by load balancing, and it is entirely possible that this will be a bigger problem than CPU usage due to DTTS.
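A capacity check for the per-process and system-wide descriptor limits described above, as an added example that is not part of the original report. It assumes a Linux host (as with ClearOS); the descriptors-per-request and hold-time figures are illustrative assumptions, not measured values.

```python
import os
import resource


def parse_file_nr(text):
    """Parse Linux /proc/sys/fs/file-nr: allocated, unused, system-wide max."""
    allocated, unused, maximum = (int(v) for v in text.split())
    return allocated, unused, maximum


def fd_headroom(soft_limit, open_now, sys_allocated, sys_max):
    """Descriptors still available: the tighter of process and system limits."""
    return max(0, min(soft_limit - open_now, sys_max - sys_allocated))


def rate_ceiling(headroom, fds_per_request, hold_seconds):
    """Little's law: concurrency = rate * hold time, so rate = slots / hold."""
    return (headroom // fds_per_request) / hold_seconds


def snapshot():
    """Headroom for the current process, read live from a Linux host."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    open_now = len(os.listdir("/proc/self/fd"))
    with open("/proc/sys/fs/file-nr") as fh:
        allocated, _unused, maximum = parse_file_nr(fh.read())
    if soft == resource.RLIM_INFINITY:
        soft = maximum  # no per-process cap, only the system-wide one applies
    return fd_headroom(soft, open_now, allocated, maximum)


if __name__ == "__main__":
    # Constructed sample values, not taken from the test machines.
    allocated, _unused, maximum = parse_file_nr("5120\t0\t65536\n")
    room = fd_headroom(1024, 24, allocated, maximum)
    # Assumption: each in-flight request holds 2 descriptors for 2.0 seconds.
    print("headroom:", room, "descriptors")
    print("ceiling :", rate_ceiling(room, 2, 2.0), "req/s")
    if os.path.exists("/proc/sys/fs/file-nr"):
        print("live headroom for this process:", snapshot())
```

When the computed ceiling sits below the rate at which the CPU saturates, descriptors rather than CPU are the bottleneck, which is the situation the report describes for (4).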
Lastly, DTTS and non-DTTS modes were compared on (4) and it seems that the DTTS overhead is 3-4x.