As I’ve written elsewhere, we are starting to focus on performance in pfSense® 2.2 and beyond. The first project was to implement AES-GCM with AES-NI acceleration (on CPUs that support it) for IPSec. This project was accomplished in partnership between the FreeBSD Foundation, ESF, and Netgate, and has been stable in pfSense 2.2 snapshots for several weeks.

If your CPU is able to process AES-NI instructions, I encourage you to try it out.

The next investigation, as the title to this post implies, is to improve the speed of pf. The first thing was to measure the existent performance. So we (as Netgate) enlisted the help of George Neville-Neil, who wrote a tool called “Conductor”.

One of the first things we noticed was that the Jenkins hash in FreeBSD 10 seems to take a lot of time. XXHASH is demonstrably faster than Jenkins, and gives a measurable performance gain to pf.

While the patch won’t be available to FreeBSD 10.1 (it’s too late in the process for that), we can make it available in pfSense 2.2, and same will be in the next set of snapshots. Performance will likely be most measurable above 1Gbps.

Two things:

  • I emphasize that this is an early result.
  • Please test and let us know.