
Author Topic: Appliance Recommendation for PIA - Strong Encryption - SG-2440 or SG-4860  (Read 402 times)


Offline dcc

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
I have read many posts, but I wanted to get some recommendations from those of you with experience, based on my criteria and on current pfSense hardware offerings and the current release of pfSense. I would like to support pfSense, so for the sake of this post let's keep the recommendations limited to what I can buy from them.

This is a remote office (home) location. Security is the primary concern. We will be using Private Internet Access (PIA) using its strongest encryption methods. This will be done on pfSense via OpenVPN. Currently the connection to that location is 45/45 fiber, but that could increase in the future. We would like to plan for a 100/100 connection at least. We want hardware that will be able to take advantage of all of the bandwidth at full "strong" encryption. We will be using their "Maximum Protection" of:

Data encryption: AES-256
Data authentication: SHA256
Handshake: RSA-4096
(This is the maximum that I am aware of, if I am mistaken, please let me know)

I have been told that AES-NI and Intel’s QuickAssist Technology will greatly help performance in regards to the encryption.

Simultaneous connected devices will be 10 or less at all times.

Video streaming of the home variety: Netflix/YouTube/etc.

As far as IDS, I would like to be able to “Play” with setting up snort or something like that.

I have been looking at the SG-2440 or the SG-4860. I don’t want to spend the money if I don’t need to but I also don't want to buy something that will not give the performance needed.

Any feedback is very much appreciated!
« Last Edit: November 26, 2016, 05:41:09 pm by dcc »

Online BlueKobold

  • Hero Member
  • *****
  • Posts: 1905
  • Karma: +145/-90
  • pfSense rocks!
Re: Appliance Recommendation for PIA - Strong Encryption - SG-2440 or SG-4860
« Reply #1 on: November 26, 2016, 10:36:15 pm »
Quote
This will be done on pfSense via OpenVPN.
OK, but then AES-NI and Intel QuickAssist will not really speed up this VPN.

Quote
I have been told that AES-NI and Intel’s QuickAssist Technology will greatly help performance in regards to the encryption.
- Intel QuickAssist is actually not enabled or existent in pfSense!
- AES-NI speeds up VPNs, but IPsec-based ones.

With the SG-4860 you will be able to get nearly ~500 Mbit/s of encrypted throughput
from a 1 Gbit/s internet connection!

Quote
Simultaneous connected devices will be 10 or less at all times.
Then you should perhaps go with an Intel Xeon E3-12xx v3 (quad-core CPU @ 3.0 GHz)
based system fitted with Intel NICs; this might then be the right choice for you.

A Supermicro C2758 will also do that job, or the equivalent of this board, the SG-8860,
which is able to handle many connections without narrowing down the VPN tunnel speed.

Quote
As far as IDS, I would like to be able to “Play” with setting up snort or something like that.
Each installed package will perhaps narrow down the whole throughput; please don't forget
this.

Quote
I have been looking at the SG-2440 or the SG-4860. I don’t want to spend the money if I don’t need to but I also don't want to buy something that will not give the performance needed.
Then the SG-4860, and if Intel QuickAssist is later in the "game" you will benefit from
that as a customer that is not using the Consumer Edition!!!! If you are able to get some
static IP addresses it would make more sense to go with IPsec in my eyes, but this must
be chosen by yourself. You could perhaps also think about placing a small
VPN server in the DMZ so that the pfSense appliance does not have to handle all of that; then you will
also get more power, or you save more horsepower for installing more packages like
pfBlockerNG, Squid & SquidGuard or Snort.
Greetings from Germany
Frank

Offline dcc

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
Re: Appliance Recommendation for PIA - Strong Encryption - SG-2440 or SG-4860
« Reply #2 on: November 27, 2016, 07:17:38 pm »
Thank you for your reply, Frank, though I am not clear on a few of the things you mentioned.

Quote
OK, but then AES-NI and Intel QuickAssist will not really speed up this VPN.
- Intel QuickAssist is actually not enabled or existent in pfSense!
- AES-NI speeds up VPNs, but IPsec-based ones.

Ok, so my understanding on the Intel QuickAssist is that it is not currently implemented in pfSense. Is that correct? And, are you telling me that once it is implemented, it would be a great help to throughput based on the setup I am planning to use? I'm sure this is the million dollar question, but do you know when it is planned to be implemented?

Also, are you saying that given the setup I mentioned, AES-NI will not be of any help to me?

Quote
With the SG-4860 you will be able to get nearly ~500 Mbit/s of encrypted throughput
from a 1 Gbit/s internet connection!

Are you saying that throughput could be accomplished only with AES-NI & Intel QuickAssist or are you saying that with the SG-4860 I could get those numbers even without those technologies?

Thank you for your feedback and for your other suggestions, but in regards to some of your other suggestions, the type of VPN I am using (PIA) with the previously stated security levels, those are things that are givens and will not change. So, with that in mind, I am trying to find the best pfSense appliance given my current throughput/performance needs.

Online BlueKobold

  • Hero Member
  • *****
  • Posts: 1905
  • Karma: +145/-90
  • pfSense rocks!
Re: Appliance Recommendation for PIA - Strong Encryption - SG-2440 or SG-4860
« Reply #3 on: November 27, 2016, 08:54:45 pm »
Quote
Ok, so my understanding on the Intel QuickAssist is that it is not currently implemented in pfSense. Is that correct?
Yes, this is the fact, as far as I am informed.

Quote
And, are you telling me that once it is implemented, it would be a great help to throughput based on the setup I am planning to use?
No, what I was trying to tell you is that it will perhaps have no, absolutely no, effect
on OpenVPN.

Quote
I'm sure this is the million dollar question, but do you know when it is planned to be implemented?
Only the developer team knows this, not us; it can be that at the last second
they throw it away, or that we will see it in version 2.4 or 3.0. Only they really know.

Quote
Also, are you saying that given the setup I mentioned, AES-NI will not be of any help to me?
For you or not, but not for OpenVPN, as I see it.

Quote
Are you saying that throughput could be accomplished only with AES-NI & Intel QuickAssist
NO, I was only telling you that there is someone who has an SG-4860 and a 1 Gbit/s internet connection,
and he was able to achieve 500 Mbit/s throughput with AES-NI over IPsec VPN!

Quote
or are you saying that with the SG-4860 I could get those numbers even without those technologies?
Once again, no! I was saying that the SG-4860 unit is able to achieve ~500 Mbit/s
of throughput with AES-NI and IPsec VPN, nothing more and nothing less.


Quote
Thank you for your feedback and for your other suggestions, but in regards to some of your other suggestions, the type of VPN I am using (PIA) with the previously stated security levels, those are things that are givens and will not change. So, with that in mind, I am trying to find the best pfSense appliance given my current throughput/performance needs.
Then better go with an Intel Xeon E3-12xx v3 @ 3.0 GHz (quad-core CPU) and you will
be sorted right! There is nothing you can't do or realize, and it is more power-saving than the Intel
Core i3/i5/i7 CPUs, so you may not be pressed to buy new hardware in the future.
Take a 2- or 4-port Intel PT server NIC that uses the em driver in pfSense and
all will be fine for a long time! You might also be able to install Snort, Squid & SquidGuard,
pfBlockerNG and tinyDNS or whatever, and all will run fast for you.
- 2 GB RAM = pure firewall & VPN
- 4 GB RAM = firewall, VPN, Snort, pfBlockerNG
- 8 GB RAM = firewall, VPN, Snort, pfBlockerNG, Squid and mbuf size set to 1 million


Greetings from Germany
Frank

Offline JeGr

  • Hero Member
  • *****
  • Posts: 2467
  • Karma: +152/-5
Re: Appliance Recommendation for PIA - Strong Encryption - SG-2440 or SG-4860
« Reply #4 on: November 30, 2016, 07:51:01 am »
> No, what I was trying to tell you is that it will perhaps have no, absolutely no, effect on OpenVPN.

AFAIK this is not right. AES-NI HAS an effect on OpenVPN, as OpenVPN utilizes OpenSSL and the latter picks up AES-NI support automatically. There are quite a few threads and topics about that.
Also, with the release of OpenVPN 2.4 (not pfSense) and its integration into pfSense, AES-GCM (AEAD) will be supported by OpenVPN too, which should really profit from having AES-NI enabled hardware. As pfSense and FreeBSD are quite actively working on integrating QuickAssist into the OS (at least that is what I was told), that should have some future potential, too.

Greets
Please don't send generic support requests via PM. Create a new topic and ask away so we all can participate.
Also consider a pfSense Gold subscription to help support the project!
If you're interested in paid support, I'm available via PM for German-speaking help.
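Frank's and JeGr's posts disagree on whether AES-NI matters for an OpenVPN tunnel. The cleanest way to settle it on a candidate box is to time OpenSSL itself, because OpenVPN's data channel encrypts through OpenSSL's EVP layer, which uses AES-NI on its own when the CPU has it; the kernel aesni(4) module that pfSense's "Cryptographic Hardware" setting loads serves the kernel crypto framework (IPsec), not userland OpenSSL. The script below is an added example and is not code from this thread, from pfSense or from OpenVPN: it detects the AES-NI flag, runs `openssl speed -evp aes-256-cbc` twice (normally, and with AES-NI masked out through OpenSSL's `OPENSSL_ia32cap` variable), converts the result to Mbit/s and checks it against the 45, 100 and 1000 Mbit/s link rates discussed above. The 2x headroom factor, the constructed sample outputs and the helper names are this example's own assumptions.

```python
"""AES-NI check for an OpenVPN box (added example; assumptions noted in comments)."""
import os
import platform
import re
import subprocess
from typing import Dict, Optional

# OPENSSL_ia32cap is a 64-bit word: low 32 bits = CPUID.1:EDX, high 32 bits =
# CPUID.1:ECX.  AES-NI is ECX bit 25, i.e. bit 57 of the word.  A leading "~"
# tells OpenSSL to clear those bits, forcing its non-AES-NI AES code path.
AESNI_CAP_BIT = 1 << (32 + 25)
NO_AESNI_MASK = "~0x%x" % AESNI_CAP_BIT          # "~0x200000000000000"

# One result line of `openssl speed -evp <cipher>`: the cipher name, then
# thousands of bytes/s for each block size; the last column is the largest block.
_SPEED_LINE = re.compile(r"^(\S+)[ \t]+((?:\d+(?:\.\d+)?k[ \t]*)+)$", re.M)


def parse_speed(output: str) -> Dict[str, float]:
    """Map each cipher (lower-cased) in `openssl speed` output to Mbit/s at the
    largest block size.  'k' means 1000 bytes/s, so Mbit/s = kB/s * 8 / 1000."""
    rates: Dict[str, float] = {}
    for m in _SPEED_LINE.finditer(output):
        last_col = m.group(2).split()[-1]
        rates[m.group(1).lower()] = float(last_col.rstrip("k")) * 8 / 1000.0
    return rates


def has_headroom(cipher_mbps: float, link_mbps: float, factor: float = 2.0) -> bool:
    """Assumed rule of thumb: single-core EVP throughput should be at least
    `factor` times the link rate, because OpenVPN adds the HMAC (SHA256 in the
    PIA profile), per-packet framing and a single-threaded tun copy on top."""
    return cipher_mbps >= factor * link_mbps


def sizing_report(rates: Dict[str, float], links=(45, 100, 1000),
                  cipher: str = "aes-256-cbc") -> Dict[int, bool]:
    """For each link rate, whether the measured cipher rate leaves headroom."""
    return {link: has_headroom(rates[cipher], link) for link in links}


def aesni_available() -> Optional[bool]:
    """True/False when the OS exposes the CPU feature cheaply, None otherwise."""
    system = platform.system()
    try:
        if system == "Linux":
            with open("/proc/cpuinfo") as f:
                return re.search(r"^flags\s*:.*\baes\b", f.read(), re.M) is not None
        if system == "FreeBSD":  # pfSense: dev.aesni.0 exists only once aesni(4) attached
            return subprocess.run(["sysctl", "-n", "dev.aesni.0.%desc"],
                                  capture_output=True).returncode == 0
    except OSError:
        pass
    return None


def run_speed(cipher: str = "aes-256-cbc",
              env: Optional[Dict[str, str]] = None) -> Dict[str, float]:
    """Run `openssl speed -evp <cipher>` (about 18 s) with optional env overrides.
    -evp matters: without it `openssl speed` times the plain C implementation."""
    full_env = dict(os.environ, **(env or {}))
    proc = subprocess.run(["openssl", "speed", "-evp", cipher], env=full_env,
                          capture_output=True, text=True, check=True)
    return parse_speed(proc.stdout)


# Constructed sample outputs: the shape of real `openssl speed` output, invented numbers.
SAMPLE_WITH_AESNI = """The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc     598000.00k   650000.00k   672000.00k   680000.00k   684000.00k   685000.00k
"""
SAMPLE_WITHOUT_AESNI = """The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc      88000.00k    92000.00k    94000.00k    95000.00k    95000.00k    95000.00k
"""


if __name__ == "__main__":
    print("CPU AES-NI available:", aesni_available())
    fast = run_speed()                                        # OpenSSL picks AES-NI itself
    slow = run_speed(env={"OPENSSL_ia32cap": NO_AESNI_MASK})  # AES-NI masked out
    print("aes-256-cbc: %.0f Mbit/s with AES-NI, %.0f Mbit/s without"
          % (fast["aes-256-cbc"], slow["aes-256-cbc"]))
    for link in (45, 100, 1000):
        print("  %4d Mbit/s link: with AES-NI %s, without %s" % (
            link,
            "ok" if sizing_report(fast)[link] else "tight",
            "ok" if sizing_report(slow)[link] else "tight"))
```

Run it on any machine with `openssl` in PATH; each `openssl speed` call takes roughly 18 seconds. The gap between the two figures is the share of the data-channel cost that AES-NI removes; it says nothing about the RSA-4096 handshake, which happens once per (re)negotiation, nor about QuickAssist, which OpenSSL does not use unless an engine for it is configured.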

Offline razzfazz

  • Sr. Member
  • ****
  • Posts: 397
  • Karma: +16/-2
Quote
As pfSense and FreeBSD are quite actively working on integrating QuickAssist into the OS (at least that is what I was told), that should have some future potential, too.

I wouldn't count on it; QAT support has been "coming soon" for, what, a year and a half now? Also, if and when it does finally come, it sounds like only the newer (Coleto Creek) variants may actually be supported, which would exclude the one in Rangeley / C2000.

Online BlueKobold

  • Hero Member
  • *****
  • Posts: 1905
  • Karma: +145/-90
  • pfSense rocks!
Quote
which would exclude the one in Rangeley / C2000.
That would make no sense to me, based on the availability of QAT inside most of the
pfSense appliances from the pfSense shop itself!
Greetings from Germany
Frank