New to pfsense. Hardware and setup
-
Most VPN providers use OpenVPN. OpenVPN is single threaded so if you are aiming just for that you need a CPU that has good single thread performance.
You can improve that by using several VPN client tunnels but a single connection will only ever use one of them.
Some VPN providers now support WireGuard which will likely give you better throughput.What bandwidth is your WAN?
Steve
-
@stephenw10 I think OP said Fios 1gig in the first post.
-
Ah, so he did! Yeah so 1Gbps OpenVPN requires very fast single thread performance. It's unlikely you will see it.
-
Looks like the 5100 and 6100 are close enough in VPN performance to pick either one. They both use Atom cpus, not sure how that compares xeon e3-1271v3 cpu you're talking about, but the Atom has "integrated AES-NI and QAT (QuickAssist Technology)" (hardware assist) that speeds up the encryption/decryption bits. To me that would be a factor.
-
@stephenw10 said in New to pfsense. Hardware and setup:
Ah, so he did! Yeah so 1Gbps OpenVPN requires very fast single thread performance. It's unlikely you will see it.
That would depend on the other end. If he's sitting in a coffee shop, he likely won't get 1 Gb.
However, it would be nice if OpenVPN supported multithreading.
-
@mer any of the cpu options I may use would at least be a quad core with a base speed of 3.5ghz. the 1271 is base 3.6 turbo 4.0. any of those netgate appliances are 2.2ghz quad cores. They have more instructions it seems. Not sure if I can do an apple to apple comparison. I'd obviously would have more memory and more storage. But as far as putting together my own device for a reasonable price I don't think you can do better than a single core speed of 4.0ghz
-
@frankr2994 Check the intel website for the datasheet on your CPU. If it talks about having at least AES-NI that should be good. Encrypting/Decrypting is a lot of math intensive operations, so the AES-NI offloads that work (kind of like offloading to a GPU). That speeds things up. The memory and storage I don't think really matter, it's CPU and NIC throughput that matters (in my opinion).
Worst case you find out for short money what isn't good enough. -
That older Xeon is a far more powerful CPU, in both senses. It probably still won't pass 1G OpenVPN though, not over a single connection.
-
@mer I knew it had aes-ni since the beginning. Reason why I'd be buying different components vs grabbing some old stuff I have at home. What I touched on earlier is if maybe I should be considering a QAT card as well. Some of the older ones are available for under 150 and are rated at 20 or 25gbps encryption speed which is way overkill. But if the cpu isn't up to the task short of some quad core pumping out 5ghz then that would be my next option.
-
@frankr2994
Cool. I honestly have nothing more than compare to the 5100/6100 and go from there. RAM and storage are irrelevant, NICs become a bit more important. -
@mer ok then. Still trying to figure out what nic I want. Wouldn't mind future proofing it a bit but I'm not going to drop 400 or 500 on one.
-
@frankr2994 Well your upstream is 1G up and down. So if your internal LAN had all 10G, everything gets throttled to 1G on WAN (now does the throttle happen at your WAN or further into ISP network?) I think that quad 1G Intel is relatively inexpensive and remember it wasn't all that long ago that 56K dialup was common.
I personally don't have any recommendations on NICs, but if you are in US, I'd start with amazon, best buy, tiger direct and new egg. I'm sure there are a lot of other choices but these are at top of my head.
-
Currently the QAT driver/hardware won't help you with OpenVPN.
If you already have that machine then I would just try it and see how it performs.
Steve
-
@stephenw10 said in New to pfsense. Hardware and setup:
Currently the QAT driver/hardware won't help you with OpenVPN.
If you already have that machine then I would just try it and see how it performs.
Steve
That's what I was waiting to hear. Thanks
Ok so what I have planned is to get an intel x540-t2 nic. Its a 10gb dual port card. I can't use 10G atleast through my isp but I would assume that this will atleast have enough on the controller end to deal with not being a bottleneck. Thats a pcie 2.0 x8 card. That will go into my pcie 3.0 x16 slot. I will still have a 2.0 x4 slot available If I wanted to add an intel I350T4 card. I may do this as I don't think my planned area for a switch will be near this box but I may have a server or two near that could use the additional ports.
Not accounting for the I350 nic that I may or may not buy in the future the full build is 280 bucks. I did change from the xeon 1271 to a 1246 to get integrated graphics. base is 3.5 and turbos 3.9 so not too much different and now I don't have to use one of my pcie slots with some little quadro card I have lying around.
Going to get this ordered up and get it going. Thanks for the help.
-
@frankr2994 Just a note, I have 2 10Gb ports, one goes untagged through my switch to ATT, the other has 3 VLANs to my switch. Because all of the systems are 1Gb or less the 10Gb handles the traffic with ease. And it freed copper ports on my switch.
-
Ok so I know that nordvpn provides OpenVPN configuration. I honestly didn't know the difference between openvpn and wire guard before. However I just found this https://www.reddit.com/r/PFSENSE/comments/m0989o/nordvpn_wireguard_setup_works/
Apparently I could use wire guard with that provider. Wouldn't that take care of alot of speed issues?
-
WireGuard is certainly faster for a single connection. Significantly faster. There are a lot of variables so I couldn't tell you the exact speed you'll see.
Steve
-
@stephenw10 said in New to pfsense. Hardware and setup:
There are a lot of variables so I couldn't tell you the exact speed you'll see.
Steve
Ya that's a given. I know once I get it together it will be time to test, reconfigure, rinse and repeat.
