Netgate Store

Author Topic: Xeon X3440 VPN + Throughput  (Read 387 times)

0 Members and 1 Guest are viewing this topic.

Offline Soarin

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +7/-0
    • View Profile
Xeon X3440 VPN + Throughput
« on: February 04, 2018, 07:44:14 am »
Hello! I was wondering, how much VPN traffic do you guys think I could push through with a Xeon X3440?

How much with AES-128 and no encryption at all?

Also, how is the throughput difference betwene IPSec and OpenVPN?


I couldn't find much on pfSense and the X3440 specifically with VPNs, my current VM pfSense with the X5560 (same performance) only pushes around 20~ Mbps even with encryption 100% off, I was hoping to push more than that.

Thank you!
I hardly understand pfSense but it was love at first sight.

johnkeates

  • Guest
Re: Xeon X3440 VPN + Throughput
« Reply #1 on: February 04, 2018, 01:54:41 pm »
AES-128 is encryption. The X3xxx has no AES-NI, so you will have pretty bad performance. Sub-50Mbit. You can get it up by using multiple connection and load-balancing them to use more cores, but even then you'll be burning a lot of power for something you can do with a china box for 250 or less.

Offline Soarin

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +7/-0
    • View Profile
Re: Xeon X3440 VPN + Throughput
« Reply #2 on: February 04, 2018, 02:16:07 pm »
$250 is out of my $60 budget, how about no encryption? I feel like there's something with OpenVPN because even if 0 encryption it still had horrible performance. Also I run Snort with 60-100 mbps of traffic going through it so I'm not sure how those $250 routers do.

I hardly understand pfSense but it was love at first sight.

johnkeates

  • Guest
Re: Xeon X3440 VPN + Throughput
« Reply #3 on: February 04, 2018, 02:42:36 pm »
Are you sure you are turning off all the crypto?

Encryption Algorithm needs to be set to None and Auth digest algorithm as well. Both of them are slow on CPUs without acceleration for hashing etc.

Offline Soarin

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +7/-0
    • View Profile
Re: Xeon X3440 VPN + Throughput
« Reply #4 on: February 05, 2018, 09:24:52 am »


All encryption off including auth digest, it doesn't use a whole lot of the CPU but I lose 80~ Mbps of throughput. This is an X5560 under ESXi, I don't know if ESXi has any effect on it.
I hardly understand pfSense but it was love at first sight.

johnkeates

  • Guest
Re: Xeon X3440 VPN + Throughput
« Reply #5 on: February 05, 2018, 09:25:46 am »
Oh yes, ESXi will trash it. That's the problem.

Offline Soarin

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +7/-0
    • View Profile
Re: Xeon X3440 VPN + Throughput
« Reply #6 on: February 05, 2018, 01:31:23 pm »
I was hoping that'd be the answer, hopefully I'll get more on the hardware based. I thought it was weird having low CPU usage but only 30~ Mbps throughput. Is there any way to accelerate AES without an AES CPU?

I've seen AES accelerator cards around Ebay but I don't think they'd be useful, but I'm just curious.
I hardly understand pfSense but it was love at first sight.

johnkeates

  • Guest
Re: Xeon X3440 VPN + Throughput
« Reply #7 on: February 05, 2018, 03:46:00 pm »
Yes, QuickAssist in the future (but by then the CPU won't be supported by pfSense anymore) and right now there are things like HiFn accelerator cards, they do AES.

Offline stephenw10

  • Administrator
  • Hero Member
  • *****
  • Posts: 12507
  • Karma: +506/-15
    • View Profile
Re: Xeon X3440 VPN + Throughput
« Reply #8 on: February 06, 2018, 10:55:41 am »
You should see waaay more than 20Mbps with an X3440. An old school Atom could push ~50Mbps OpenVPN with low encryption settings.

OpenVPN will always be slower than IPSec because of the kernel mode / user mode switches required.

Steve