
Author Topic: trying to decide on hardware, IPSEC and OpenVPN server/client  (Read 968 times)


Offline tdhuck

trying to decide on hardware, IPSEC and OpenVPN server/client
« on: December 21, 2017, 08:57:12 am »
I am trying to figure out which hardware I need next. My current site is running off of old hardware and my VPN speeds (via IPSEC tunnel and OpenVPN client on Windows 10) never exceed 10 Mbps. It turns out the CPU in my pfSense box isn't VPN friendly.

Before I go and buy a pre-built box from the pfSense store (looking at the SG-3100) I want to make sure I don't find myself in the same situation.

The main thing I'm looking for is better speeds over IPSEC VPN and OpenVPN server/client. I'd have a 3100 on both sides of the tunnel, but I'd start by buying 1 to test OpenVPN server/client. If the speeds are improved, then I'd buy a second one to solve the IPSEC tunnel issue.

Can someone confirm VPN speeds with this hardware?

Thanks.

Offline NollipfSense

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #1 on: December 22, 2017, 10:17:17 pm »
You might have to be the Guinea pig, as not everyone with such a box is doing exactly what you desire to do.

Offline tdhuck

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #2 on: December 23, 2017, 11:00:14 am »
Quote from: NollipfSense on Reply #1
You might have to be the Guinea pig, as not everyone with such a box is doing exactly what you desire to do.

I have a very hard time believing there aren't any 3100 owners that are using OpenVPN and/or IPSEC. Even if that were true, I don't know why anyone would buy the hardware when someone from the Netgate team could easily test this.

I'm not against building my own setup, I just don't want to do it with older computer parts that won't give me the CPU support needed for OpenVPN/IPSEC. Also, I'm referring to the traditional PC with a large power supply; I would build something or buy something pre-built as long as it doesn't throttle me to 10 Mbps when the connection is 100 Mbps or better on both sites. I'm not expecting 100 Mbps over the VPN, but maxing out at 10 Mbps is not acceptable.


Offline tdhuck

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #3 on: December 23, 2017, 11:26:44 am »
I just remembered that I have a small PC I built years ago that isn't being used; it has an Intel Core i5-3350P Ivy Bridge Quad-Core 3.1GHz CPU and two NICs. I'll have to install pfSense on it and test out OpenVPN/IPSEC speeds.

Here is a link to the specs of the CPU- https://ark.intel.com/products/69114/Intel-Core-i5-3350P-Processor-6M-Cache-up-to-3_30-GHz

Intel 64- Yes
Instruction Set- 64-bit
Intel AES New Instructions- Yes

johnkeates

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #4 on: December 23, 2017, 07:26:21 pm »
It will work just fine.

Offline tdhuck

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #5 on: December 23, 2017, 07:50:23 pm »
Quote from: johnkeates on Reply #4
It will work just fine.

The 3100 will work just fine or the CPU I plan on testing with will work fine?

Edit- or both will work just fine?
« Last Edit: December 23, 2017, 07:58:36 pm by tdhuck »

johnkeates

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #6 on: December 24, 2017, 07:25:17 am »
Quote from: tdhuck on Reply #5
Quote from: johnkeates on Reply #4
It will work just fine.

The 3100 will work just fine or the CPU I plan on testing with will work fine?

Edit- or both will work just fine?

Both indeed. Also, if you want a better aim so you know what you'll need, we have to know your raw uplink/downlink speeds and preferred VPN speeds. The 3100 and any i5 will, however, have no problems pushing 90Mbit-ish AES VPN at least, but an i5 will probably get close to 1000Mbit if you don't set too much crypto.

Offline tdhuck

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #7 on: December 24, 2017, 08:34:21 am »
Quote from: johnkeates on Reply #6
Quote from: tdhuck on Reply #5
Quote from: johnkeates on Reply #4
It will work just fine.

The 3100 will work just fine or the CPU I plan on testing with will work fine?

Edit- or both will work just fine?

Both indeed. Also, if you want a better aim so you know what you'll need, we have to know your raw uplink/downlink speeds and preferred VPN speeds. The 3100 and any i5 will, however, have no problems pushing 90Mbit-ish AES VPN at least, but an i5 will probably get close to 1000Mbit if you don't set too much crypto.

The location of the main pfSense box is ~100 Mbps down and ~30 Mbps up, and the location where I'll be using OpenVPN is 100 Mbps down/up; I'll be running the OpenVPN client on a Windows 10 laptop.

The IPSEC tunnel will use the main pfSense box (speeds above), and the other end of the IPSEC tunnel is ~50 Mbps down and ~15 Mbps up.

I know that a good CPU is needed for improved VPN performance, but I also thought AES-NI was needed. Is that true? If not, which is more important for better VPN performance?

Anything is better than 10 Mbps over a VPN tunnel and OpenVPN client, which is where I am at today.

I'll be testing the spare PC with the CPU specs I posted above, hopefully today.

johnkeates

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #8 on: December 24, 2017, 09:03:14 am »
You need AES-NI and good CPU clock speeds. Two threads at the same time is good, but more than that won't actually improve performance in a noticeable manner.

OpenVPN is still single-threaded, so only clock speed helps there, as well as AES-NI and other offloading functions (but only AES-NI at this time, it seems).

I think you should try the i5; if that gets you the speed you need, the only thing you'll have to think about is power consumption. If it turns out the i5 box doesn't actually use that much (40 watts or less) you can just leave it as-is, depending on your power cost. If it's more, it'll get interesting to look at the 3100 in terms of optimisation of cost.

Offline tdhuck

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #9 on: December 24, 2017, 05:44:55 pm »
Quote from: johnkeates on Reply #8
You need AES-NI and good CPU clock speeds. Two threads at the same time is good, but more than that won't actually improve performance in a noticeable manner.

OpenVPN is still single-threaded, so only clock speed helps there, as well as AES-NI and other offloading functions (but only AES-NI at this time, it seems).

I think you should try the i5; if that gets you the speed you need, the only thing you'll have to think about is power consumption. If it turns out the i5 box doesn't actually use that much (40 watts or less) you can just leave it as-is, depending on your power cost. If it's more, it'll get interesting to look at the 3100 in terms of optimisation of cost.

I have the new box set up, but I am currently on site and won't have a chance to test OpenVPN in my normal network/setup for a couple more days. I enabled AES-NI:

CPU Type   Intel(R) Core(TM) i5-3350P CPU @ 3.10GHz
Current: 3100 MHz, Max: 3101 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
Hardware crypto   AES-CBC,AES-XTS,AES-GCM,AES-ICM

Under the misc. options, I set it to 'AES-NI CPU-based acceleration' and saved the setting.

I do plan on using this for IPSEC and OpenVPN, not one or the other; hopefully the change I made above is adequate for both.

EDIT- I was able to do some initial testing with OpenVPN on my phone. When using my phone and OpenVPN, I am not concerned with speed; I mainly use the Synology DS Camera App to view a camera at home. Before testing with AES-NI enabled on this box, and using it for years on my old box w/o AES-NI, I was able to connect to OpenVPN and view the camera, and everything worked great.

I enabled AES-NI (see above) on the new box and I can connect to the camera app just fine, but the video is either 10 seconds behind (audio is basically live, no delay) or the video freezes once I enter the frame. I'll start walking, on camera, but I see a frozen image on my phone (disconnected from home wifi, connected to OpenVPN over the cell network).

I immediately disabled AES-NI, basically putting it back to the default option, and the camera image freezing issue goes away.

This is only one of my tests; I still want to test speeds when I am on a remote network (not cellular) using my laptop.

EDIT 2- Now I'm not convinced AES-NI being active is related to the issue. I took a second look at my phone and apparently I am getting poor reception, which wasn't the case several months ago. I have re-enabled AES-NI and I'll have to wait until I am on another network to test from my laptop and from cellular, assuming I have a better cellular connection.


« Last Edit: December 25, 2017, 11:48:52 am by tdhuck »

Offline tdhuck

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #10 on: December 26, 2017, 06:27:26 pm »
Tested at one of the locations (via IPSEC) and it appears the tunnel is still capped at 10 Mbps down with the new CPU.


johnkeates

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #11 on: December 26, 2017, 06:29:20 pm »
Quote from: tdhuck on Reply #10
Tested at one of the locations (via IPSEC) and it appears the tunnel is still capped at 10 Mbps down with the new CPU.

Keep in mind that this depends on both sides of the connection. So a weak client will still limit you.

Offline tdhuck

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #12 on: December 26, 2017, 06:38:10 pm »
Quote from: johnkeates on Reply #11
Quote from: tdhuck on Reply #10
Tested at one of the locations (via IPSEC) and it appears the tunnel is still capped at 10 Mbps down with the new CPU.

Keep in mind that this depends on both sides of the connection. So a weak client will still limit you.

I'm not convinced. What you say is absolutely true, but there has to be another issue somewhere. I just disconnected the IPSEC tunnel, opened up my NAS to the internet and started to transfer a 3GB ISO file; I am still being capped at 10 Mbps w/o going through a VPN and having to worry about encryption throughput. Something seems like it isn't functioning at 100%.

johnkeates

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #13 on: December 26, 2017, 06:39:29 pm »
In that case, you do have a different problem indeed. Make sure pfSense's interfaces are set up correctly (automatic mode etc.) and check if the link status LEDs match the link speeds. If those are good, you probably have to look outside of pfSense to find the problem. Have you tried iperf yet? And a packet capture to figure out if maybe a lot of trash is happening on the network?

This speed is not related to the CPU or anything like that; even a Pentium 3 pulls much more bits than that.

Offline tdhuck

Re: trying to decide on hardware, IPSEC and OpenVPN server/client
« Reply #14 on: December 26, 2017, 06:53:21 pm »
Quote from: johnkeates on Reply #13
In that case, you do have a different problem indeed. Make sure pfSense's interfaces are set up correctly (automatic mode etc.) and check if the link status LEDs match the link speeds. If those are good, you probably have to look outside of pfSense to find the problem. Have you tried iperf yet? And a packet capture to figure out if maybe a lot of trash is happening on the network?

This speed is not related to the CPU or anything like that; even a Pentium 3 pulls much more bits than that.

Right, I'm convinced there is another issue, since I am seeing these same issues with my other pfSense box. This rules out the interfaces, I would think; I doubt I'd have issues with interfaces on two different pfSense boxes.

My ISP equipment is a cable modem that is in bridge mode; I don't have issues getting full speeds when I am at the main network and running a speed test. Latency/ping/speeds all look normal. I stream 4K media all the time and have never seen buffering/pixelation/etc. I'm not saying that nothing needs to be checked, I am simply pointing out that there aren't any obvious issues to make me think something is wrong with the circuit.

I do think the problem is at the main connection since I experience the same 10 Mbps when I am at several different locations, two of those locations have connections of 100 Mbps or better.

I will say this: in all my tests, I am downloading files from my NAS, so I guess I will start there and see if there is anything obvious. I do have two switches between my NAS box and the pfSense box, but all links should be gigabit (they were last time I checked).

EDIT- I am not physically on site at the main location (where the new pfSense install was done yesterday), but I used SSH over the IPSEC tunnel to check the port status; everything is connected at 1000 Mbps Full Duplex. I'll see if I can run iperf from both pfSense boxes and see what that shows...

« Last Edit: December 26, 2017, 07:00:51 pm by tdhuck »
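Two points in this thread are worth putting into a small script: johnkeates's suggestion (Reply #13) to run iperf rather than reason about crypto, and the per-site link figures tdhuck posted in Reply #7, which set a ceiling on any tunnel before a single byte is encrypted. The script below is an added example, not code from the thread, pfSense or iperf: it computes the best-case throughput for each direction of the IPSEC tunnel from the posted up/down figures, then reads an iperf3 `-J` (JSON) report and says whether the measured rate is consistent with that ceiling or points at a link, shaping or duplex problem instead. The iperf3 report embedded here is constructed, trimmed to the `end.sum_sent` / `end.sum_received` fields that real iperf3 JSON output carries; the 0.5 "cap" ratio and the retransmit threshold are assumptions chosen for illustration.

```python
"""Added example: compare measured iperf3 throughput against the link ceilings
posted in this thread. Constructed sample data; not pfSense or iperf code."""
import json

# Link speeds posted by tdhuck in Reply #7 (Mbps, down/up).
MAIN_SITE = {"down": 100, "up": 30}     # main pfSense box, cable in bridge mode
IPSEC_PEER = {"down": 50, "up": 15}     # far end of the IPSEC tunnel
LAPTOP_SITE = {"down": 100, "up": 100}  # where the OpenVPN client is used


def tunnel_ceiling(src, dst):
    """Best-case throughput in Mbps for traffic flowing from src to dst.

    A transfer is bounded by the sender's upload and the receiver's download,
    whichever is smaller. Encryption overhead can only lower this further, so a
    measured rate well under the ceiling is not explained by the VPN alone.
    """
    return min(src["up"], dst["down"])


# Constructed iperf3 -J output, cut down to the fields this script reads.
# Field names follow the real iperf3 JSON layout; the values are made up to
# mirror the ~10 Mbps cap reported in the thread.
SAMPLE_IPERF_JSON = json.dumps({
    "end": {
        "sum_sent": {"bits_per_second": 10_400_000.0, "retransmits": 812},
        "sum_received": {"bits_per_second": 10_100_000.0},
    }
})


def summarize(iperf_json, expected_mbps, cap_ratio=0.5, retransmit_limit=100):
    """Parse an iperf3 JSON report and compare it with the expected ceiling.

    Returns a dict with the receive rate in Mbps, the fraction of the ceiling
    achieved, the sender-side TCP retransmit count and a short verdict.
    cap_ratio and retransmit_limit are assumed thresholds, not iperf defaults.
    """
    end = json.loads(iperf_json)["end"]
    received_mbps = end["sum_received"]["bits_per_second"] / 1e6
    retransmits = end["sum_sent"].get("retransmits", 0)
    fraction = received_mbps / expected_mbps if expected_mbps else 0.0

    if fraction < cap_ratio:
        verdict = ("well below ceiling: check link speed/duplex, shapers and "
                   "the path before blaming VPN crypto")
    elif retransmits > retransmit_limit:
        verdict = "rate near ceiling but retransmits are high: look for loss"
    else:
        verdict = "rate is consistent with the link ceiling"

    return {
        "mbps": round(received_mbps, 1),
        "fraction_of_ceiling": round(fraction, 2),
        "retransmits": retransmits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, src, dst in (("main -> IPSEC peer", MAIN_SITE, IPSEC_PEER),
                           ("IPSEC peer -> main", IPSEC_PEER, MAIN_SITE),
                           ("main -> laptop (OpenVPN)", MAIN_SITE, LAPTOP_SITE)):
        print(f"{name}: ceiling {tunnel_ceiling(src, dst)} Mbps")
    print(summarize(SAMPLE_IPERF_JSON, tunnel_ceiling(MAIN_SITE, IPSEC_PEER)))
```

With the posted figures the ceiling for downloads at the IPSEC peer from the main site is 30 Mbps (the main site's upload), and only 15 Mbps in the other direction, so the 10 Mbps observed is about a third of what the links allow even with no VPN at all. To use the script on a real run, capture `iperf3 -c <server> -J` output to a file and pass its contents to `summarize` together with the ceiling for that direction.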