next »

[eternal student]

I know that Soekris has VPN accelerator cards for PCI and mini-PCI slots, but what about the newer motherboards out there that have PCI-Express and mini-PCI Express? I have been searching Google for the past couple of days and I haven't been able to find any information about VPN accelerator cards for these new slots. Do they even exist or am I just typing in the wrong search string into Google (it wouldn't be the first time)?

[Jason Litka]

The Exar (Hifn) 8200-series is the only one I'm aware of that is PCI-e, though I've not found any cards actually made with it (mini or full size), nor am I aware of whether or not it will work with pfSense.

EDIT:  Or maybe the Exar DX 1710 PCI-e card, that seems to be their pre-built card using the same 8201 chip, but I can't find that either.

[josen]

Hey there,

my experience with VPN accelerators is quite limited (VPN1411 on Alix 2.D3), but maybe you can avoid making the same mistake as I did. This card decreased the cpu load (sys) on my Alix, but did nothing to improve maximum throughput. This comes from the fact, that operations need to go from the system to card and back. It can be seen from increasing interrupt load.

Maybe my setup was too simple (1 OpenVPN tunnel) and performance benefits can be seen, when using the card with multiple clients, but I would just stick some more oomph into the box :-)

[Honeybadger]

Even if we find a supplier with DX1700s, does PFSense/FreeBSD support the 8201 chip?

[Jason Litka]

Even if we find a supplier with DX1700s, does PFSense/FreeBSD support the 8201 chip?

I doubt it.  It's hard to support hardware you can't find.

[Honeybadger]

I found DX1710s, they are $300 bucks and are not driver compatible with the old 7955s (Soekris cards).

Is there any other VPN processing hardware that freeBSD/PFSense has drivers for, I can't find such info in the FAQs or Google searches.

[dotdash]

The crypto manpage lists supported VPN accelerators- check the SEE ALSO section:
http://www.freebsd.org/cgi/man.cgi?query=crypto&sektion=4&apropos=0&manpath=FreeBSD+8.2-RELEASE

I think that Pfsense should have drivers for all FreeBSD supported cards. I could be wrong though. I've used hifn, glxsb, and ubsec.

[Honeybadger]

It is starting to look like there are no security accelleration cards available for PCI-E or mini PCI-E.
I've gotten some nibbles that some would be willing to produce such a card if there was a demand for it.

How much demand is there?

[ScottNJ]

Hey there,

my experience with VPN accelerators is quite limited (VPN1411 on Alix 2.D3), but maybe you can avoid making the same mistake as I did. This card decreased the cpu load (sys) on my Alix, but did nothing to improve maximum throughput. This comes from the fact, that operations need to go from the system to card and back. It can be seen from increasing interrupt load.

Maybe my setup was too simple (1 OpenVPN tunnel) and performance benefits can be seen, when using the card with multiple clients, but I would just stick some more oomph into the box :-)

OpenVPN uses SSL encryption which the VPN1411 doesn't support.

vpn14x1
"Encryption, 128/192/256 AES, DES, 3-DES and RC4 at 210 to 460 Mbps"

[koukobin]

Yes OpenVPN does SSL encryption but uses AES or 3DES algorithm. So Soerkris 1411 should work with OpenVPN. Correct me if i am wrong.

[Honeybadger]

Yes OpenVPN does SSL encryption but uses AES or 3DES algorithm. So Soerkris 1411 should work with OpenVPN. Correct me if i am wrong.

I have a 5501 with a 1411 and it supports OpenVPN perfectly.

[althornin]

Going back to the original question, why not use something like this:
http://www.amfeltec.com/products/flexible-minipcie-to-minipci-adapter.php
It converts mini pci-e to mini pci, allowing the use of well know soekris vpn 1411 cards, etc.

[jimp]

Going back to the original question, why not use something like this:
http://www.amfeltec.com/products/flexible-minipcie-to-minipci-adapter.php
It converts mini pci-e to mini pci, allowing the use of well know soekris vpn 1411 cards, etc.

On faster systems, you'd easily saturate the bus on those and probably get poorer performance with the card in than without the card.

Hopefully once we get FreeBSD 9 builds going we'll get AESNI included and see how that helps :-)