Performance data is always a key criteria for selection of network solutions. But performance data is easily misconstrued, making vendor comparisons challenging, if not impossible. While Netgate is not in a position to vet other vendors' claims, we try to be 100% transparent with our performance test results. Packet traffic conditions, hardware vintage, software release, and test methodology can independently affect test results let alone en masse. So, we invite readers to remember the following when viewing TNSR® software test data:

  • Not all packets are created equal
  • Not all CPUs are created equal
  • The packet processing “tax” on the CPU varies dramatically by application
  • Flow type (unidirectional vs. bidirectional) yields different results
  • The level of encryption and availability of hardware assist matters
  • Software-based packet processing technology is evolving rapidly
  • Performance evolves with product software releases

Last, it should be understood that these numbers were generated in a controlled test laboratory and, therefore, cannot be guaranteed for "in the wild" environments.


Out test results are packaged and shared as follows:

  • Non-encrypted traffic performance for TNSR running on commercial off-the-shelf (COTS) hardware (see below)
  • Encrypted traffic performance for TNSR running on commercial off-the-shelf (COTS) hardware (see below)
  • Performance data for Netgate appliances running TNSR is located here


Non-Encrypted Traffic Test Setup

Using a Dell R730 server, performance tests were run on three different platform configurations:

    • Bare Metal Integration (BMI)
    • KVM
    • VMware

Exact test specifications are shown here:

Software Release TNSR 20.02.2-2
Platforms - Bare Metal Integration (BMI)
- VMware
Hardware Dell R730 Server
- (2) 8-Core Intel E5-2620v4 2.1 Ghz
- 512 Gb DDR4 - 2133Mhz
- (2) Mellanox  Connect X-5 EN NIC Cards







Non-Encrypted Traffic Test Results

Throughput results for L3 Forwarding, Firewall (forwarding with 10k ACLs), and Forwarding with 1:1 NAT are shown for each platform below:


PLATFORM: Bare Metal 
Worker Cores: 12 3   

L3 Forwarding  162.57 Gbps
13.92 Mpps
137.82 Gbps
47.26 Mpps
Firewall  162.02 Gbps
13.87 Mpps
59.73 Gbps
20.48 Mpps
NAT  147.66 Gbps
12.64 Mpps
25.67 Gbps
8.80 Mpp
Worker Cores: 12 3  
L3 Forwarding  167.24 Gbps
14.32 Mpps
119.66 Gbps
41.04 Mpps
Firewall 165.39 Gbps
14.16 Mpps
64.69 Gbps
18.76 Mpps
NAT  144.44 Gbps
12.37 Mpps
23.34 Gbps
8.01 Mpps
Worker Cores: 10 3  
L3 Forwarding  168.55 Gbps
14.30 Mpps
113.28 Gbps
38.85 Mpps
Firewall  164.95 Gbps
14.12 Mpps
47.53 Gbps
16.30 Mpps
NAT  132.50 Gbps
11.34 Mpps
23.40 Gbps
8.03 Mpps

1 iPerf3 measures the maximum throughput using 1460 byte payloads and TCP framing.
2 IMIX (Internet Mix) simulates typical Internet traffic with sets of 7 (40) byte packets, (4) 576 byte packets, 1 (1500) byte packets, plus Ethernet framing overhead. When measuring equipment performance using an IMIX of packets the performance is assumed to resemble what can be seen in "real-world" conditions.
3 a Worker is a CPU core assigned to packet processing operations



Encrypted Traffic (IPsec) Test Setup

Using a Dell R730 server, IPsec VPN tests were performed using a single CPU core with five different types of traffic - using both AES-GCM-128 with CPU-integrated AES-NI, as well as AES-GCM-128 with Quick Assist Technology (QAT).

Exact test specifications are shown here:

Software Release TNSR 19.02
Platform Bare Metal Integration (BMI)
Hardware Dell R730 Server
- Single Socket
- Intel Xeon Gold 6130 CPU @ 2.10Ghz with integrated AES-NI1
  (fam: 06, model: 55, stepping: 04)
- (1) Mellanox ConnectX-5 NIC Card
- (1) Netgate CPIC-8955 Cryptographic Accelerator Card with QuickAssist Technology (QAT)2








Encrypted Traffic (IPsec) Test Results - AES-NITNSR IPsec Throughput AES-NIAES-NI instruction set extensions are used to optimize encryption and decryption algorithms.


Encrypted Traffic (IPsec) Test Results - QAT

TNSR IPsec Throughput QATIntel® QuickAssist Technology (Intel® QAT) accelerates and compresses cryptographic workloads by offloading the data to hardware capable of optimizing those functions.







Stay up to date

There’s always something new with open-source, secure networking and TNSR software. Keep up with us by visiting our blog, social communities and newsletter.


Get a view into how open source is disrupting secure networking and changing the technology landscape.

Netgate Blog

Netgate Newsletter

Discover the latest announcements, product information, and industry news with our monthly newsletter.


Netgate Newsletter

Social Communities

Twitter Circle Logo LinkedIn circle logo Reddit Circle Logo Facebook circle logo instagram circle logo