• IPv4, IPv6 router, firewall
• transparent proxy
• multifunctional NAT
• dynamic TCP shapers
• distributed VPN interconnections
• built-in DHCP, HTTP servers
• flexible HTTP cache, automatic “on-the-fly” authorization
• authorization, authentication and accounting
• server-class networking capabilities on non-server Windows versions
Firewall and router solution by Moiseenko A.A.
The RusRoute firewall research project is a flexible software IPv4 and IPv6 router and firewall and an Internet gateway for Windows. It is the ideal solution for building an Internet gateway for the local area network (LAN) of a small company, for accounting and restricting users' traffic, and for protection against network attacks. Its functions include NAT, redirect, a dynamic TCP shaper with conditional expressions, VPN server/client, a transparent proxy that preserves port numbers, a LAN to VPN bridge, DHCP servers, FTP servers, multicast UDP proxies, HTTP caches, an HTTP to HTTP proxy converter, a captive portal feature, timed actions and Splitters for rules, and advanced routing possibilities.

The following functions are not supported: Captive Portal for HTTPS connections, multicast routing, HTTPS caching, content filtering, IPv6 VPN, VPN multicast.

Test of RusRoute firewall on 10 Gbit/s LAN
I ran data transfer speed tests through the RusRoute firewall on a 10 Gbit/s network, without using the routing function.

First there was a question about the choice of equipment. The choice fell on a 10 gigabit 8-port TP-Link TL-ST2008 switch and two 2-port aggregated network cards Intel X550-T2 10Gb PCIE 3.0 x4. The TP-Link TL-ST2008 switch allows you to connect equipment with a regular Category 6 Ethernet cable, but the maximum cable length is less than 100 meters (approximately up to 60-80 meters, not tested). Intel X550-T2 network cards have passive cooling, and the TP-Link TL-ST2008 switch has active cooling: two noisy fans, which were replaced with low-noise Noctua NF-A4x20 FLX (12V, 3 pin) immediately after the first tests, because the switch is installed in the living room.
[Photos: TP-Link TL-ST2008 switch (5 images); Noctua NF-A4x20 FLX fan]

Machine under test: PC with Windows 10 x64, Intel Core I7-7700K, 32 GB RAM, M.2 NVMe 3.0 x4 disk Samsung 970 Evo Plus 1 GB, Asus Z270K motherboard with Intel X550-T2 10 Gbps PCIE 3.0 x4 network card, RusRoute firewall 2.8.5 x64 with old signed driver v. 2.01-100. Software: FileZilla FTP client 3.67.0 portable, iperf3.
[Images: RusRoute 2.8.5 (test); Intel X550-T2 10Gb; FileZilla FTP client 3.67.0 portable]

Server: PC with Linux Debian 12 x64 bookworm, Intel Core I7-7700K, 32 GB RAM, M.2 NVMe 4.0 x4 disk Samsung 980 Pro 2 GB in PCIE 3.0 x4 mode, Asus Z270-P motherboard with Intel X550-T2 10 Gbps PCIE 3.0 x4 network card, RAM disk 8 GB (FTP server files on it). Software: MaaSoft (Moiseenko A.A.) FTP Server 1.13, iperf3.

In the first tests, an 8 GB file was transferred via FTP in both directions.
[Screenshots: FTP transfer on the 10 Gbps link: recv; send; recv + send]

In subsequent tests, measurements were made using iperf3, first for single connections, then for 5 parallel ones. For receiving, the speed of parallel connections turned out to be less than that of a single connection; the test was repeated.
[Screenshots: iperf3 on the 10 Gbps link: send; recv; send + recv; send, 5 parallel; recv, 5 parallel; recv, 5 parallel (repeat); send + recv, 5 parallel]

Additional tests were also performed.
When running Linux Debian 12 x64 bookworm on both PCs, iperf3 achieved 9.4 Gbps round trip speeds for single connections. I did not configure port aggregation mode.
When Windows 10 x64 was used on both PCs, the iperf3 speed for single connections fell far short of 10 Gbit/s, and only 9.2 Gbit/s was reached in total for several parallel connections; in static aggregation mode the total speed of parallel connections doubled.
When Windows 10 x64 was used on both PCs, the RusRoute firewall was used on one, and the cards were configured in static aggregation mode, the connection speed did not double, because the RusRoute firewall works with Ethernet packets directly, including specifying MAC addresses in packets with a direct mapping of IP address to MAC address; aggregation mode is not provided. Also, in full duplex mode, the total connection speed did not exceed the speed of a single connection, because of the nature of synchronization in the RusRoute firewall driver (basically one global spinlock) and in the RusRoute firewall service (often one main mutex is used).

Conclusions: I tested the RusRoute firewall to the limits of its speed capabilities.
Andrey Moiseenko, 10.05.2024


