Hello,
AC ^ 2, 6.44.3 stable
Seeing an interesting performance glitch / optimization opportunity.
- Basic home router setup: provider’s local LAN on ether1 DHCP, PPPoE on top of that to connect to Internet, NAT, home machines
- A GRE tunnel to a Linux VPS “somewhere out there” + IPSec policy and peer + mark based routing (based on dest address, using firewall address lists) to route traffic to some web sites through the GRE
- Fasttrack off because of mark based routing
- SpeedTest with a fairly close server: ~ 360 - 380 Mbit (the provider’s connection is 1 Gbit, over 1 Gbit cable)
If I just turn off the IPSec policy:
- SpeedTest 400 - 420 Mbit
Just the IPSec policy. I’m quite sure that none of the Speedtest traffic goes through IPSec (and looked at “Established SA” traffic stats to be sure).
So the mere presence of an IPSec policy slows down incoming traffic by about 10%.
The GRE tunnel interface makes no difference. The firewall “mangle” to set the routing mark makes no difference. The routes using the mark make no difference.
I assume there is some piece of code somewhere that goes “as part of packet processing, do we have any installed SAs at all? No → skip; Yes → check if there is a match, encrypt / decrypt”.
Maybe this piece of code could use a bit of optimization?
It could be - in theory - affecting other scenarios, and better performance is always good (from business point of view, too), no?
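For readers who want to reproduce the setup the post describes (GRE to a VPS, IPsec policy protecting only the GRE traffic, address-list driven routing marks, fasttrack disabled) and then check for themselves that the speed-test flows never touch an SA, here is an added RouterOS 6.x configuration sketch. It is not the poster's configuration; all addresses, list names and the pre-shared key are constructed placeholders, and the exact peer syntax should be checked against the 6.44 documentation since the peer/identity split arrived in later releases.

```routeros
# Constructed example, not the original poster's config.
# 198.51.100.10 = router's public PPPoE address, 203.0.113.5 = VPS (both placeholders).

# 1. GRE tunnel to the VPS, with a /30 on it
/interface gre add name=gre-vps local-address=198.51.100.10 remote-address=203.0.113.5
/ip address add address=10.99.0.1/30 interface=gre-vps

# 2. IPsec peer + proposal. Transport mode, matching only protocol 47 (GRE)
#    between the two public addresses, so nothing else can ever match this policy.
/ip ipsec proposal add name=gre-prop enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec peer add address=203.0.113.5/32 exchange-mode=ike2 secret="REPLACE-WITH-STRONG-PSK"
/ip ipsec policy add src-address=198.51.100.10/32 dst-address=203.0.113.5/32 protocol=gre \
    action=encrypt level=require tunnel=no \
    sa-src-address=198.51.100.10 sa-dst-address=203.0.113.5 proposal=gre-prop
# level=require: GRE is dropped rather than sent in clear if the SA is not up.

# 3. Destinations that should go via the VPS, as an address list
/ip firewall address-list add list=via-vps address=192.0.2.0/24 comment="constructed example range"

# 4. Routing mark for LAN traffic to those destinations, and the marked default route
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 dst-address-list=via-vps \
    action=mark-routing new-routing-mark=via-vps passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=10.99.0.2 routing-mark=via-vps

# 5. Fasttrack off, as in the post (marked packets would otherwise bypass mangle)
/ip firewall filter set [find action=fasttrack-connection] disabled=yes

# 6. Checks: run a speed test, then confirm the SA byte counters did not move
#    and that the policy counters only grew for GRE.
/ip ipsec installed-sa print
/ip ipsec active-peers print
/interface monitor-traffic gre-vps once
```

If the installed-sa `current-bytes` values stay flat across a speed test while the PPPoE interface carries hundreds of Mbit, the measured slowdown is not encryption work but, as the post suggests, per-packet policy lookup overhead; comparing the same run with the policy disabled isolates that cost.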