Hardware for gigabit (or close to) IPSEC VPN between two sites
-
Hi everyone. My client has a symmetric 1Gb connection over fiber and I have a Comcast connection that runs 1.25Gb/200Mb at home. I've set up an IPSEC VPN between the sites with pfSense built on Qotom units from Aliexpress. The purpose of the VPN is for 25 computers at the client office to run nightly backups to a Synology box at my house. At best, I'm getting about 240Mb, which is less than I expected. However, additional reading leads me to believe that this is actually very good for the hardware I'm using.
I would like to get as close as possible to 1Gb IPSEC throughput for the backups from the client's office to my house. I've read that IPERF3 tests are not really applicable to this scenario and that I need to look at IMIX tests to get a more accurate expectation of performance.
I thought the Netgate 4100 might do the job until I discovered the differences between IPERF3 and IMIX. If my interpretation of the differences is correct, my application would only yield about 312Mb throughput with the 4100.
Can anyone recommend the right hardware to accomplish near 1Gb one-way throughput on the IPSEC VPN?
Thank you!
-
@whitephantom I would recommend the Netgate 7100 for a 5yr goal small business-wise...
-
@nollipfsense thank you for taking the time to reply and offer the suggestion. That model specifies IPSEC VPN IMIX Traffic of 499 Mbps and IPERF3 Traffic of 1.89 Gbps. I'm not sure whether I'm correct in expecting the lower of the two values for my use case, but I suspect so.
I'll be happy to buy a Netgate product or to put something together myself, but I'm hoping to find some confidence beforehand that I'll get near 1Gbps throughput over the IPSEC VPN.
-
@whitephantom All of our products have a 30-day return policy so if you get the 6100 and it does not meet your needs you can return it in the first month (an open box return fee does apply).
-
I would certainly run an iperf test between the sites outside the tunnel to determine what's possible before looking at hardware upgrades.
A file backup is going to be large packet TCP connection(s) which is similar to iperf. 1Gbps between sites is going to require low latency and no packet loss. You'll be limited by something other than the VPN encryption/decryption rates.
Steve
-
@nollipfsense said in Hardware for gigabit (or close to) IPSEC VPN between two sites:
I would recommend the Netgate 7100 for a 5yr goal small business-wise...
Worth noting this hardware is no longer available for purchase.
Did you mean the 6100? or 8200?
-
@stephenw10, thanks for the suggestion. I set up the Synology box as an IPERF3 server, accessible via NAT, and only got 45Mbps sending data to it across the Internet with an IPERF3 client on a server at the client's office. Then I set up an FTP server, accessible via NAT, at the client's office and hosted an 11GB file. Downloading across the Internet with a single FTP client on my home network, speeds varied between 640Mbps and 940Mbps.
If I can get this kind of performance across an IPSEC VPN, I'll be very happy. Perhaps I need the Netgate 8200?
-
By default iperf sends data from the client to the server. Are you sure you were testing in the correct direction?
What's the latency between the sites outside the tunnel?
-
@rcoleman-netgate said in Hardware for gigabit (or close to) IPSEC VPN between two sites:
Worth noting this hardware is no longer available for purchase.
Didn't know that, thanks for sharing.
-
Check that the connections themselves are capable of sustaining the needed bandwidth. Install the iPerf3 package on both pfSense boxes and do a transfer test in both directions; use the -R switch to reverse directions.
Ensure that both sides are AES-NI capable. Without AES-NI, encryption performance will be poor. You can test AES performance with openssl.
Run this in the pfSense shell on both sides:
openssl speed -evp aes-256-cbc
And this too:
openssl speed -evp aes-256-gcm
Post your output here.
You should see something like this:
Benchmarked CPU: Intel Celeron Processor N5105
Doing aes-256-cbc for 3s on 16 size blocks: 109174474 aes-256-cbc's in 2.99s
Doing aes-256-cbc for 3s on 64 size blocks: 36252639 aes-256-cbc's in 2.99s
Doing aes-256-cbc for 3s on 256 size blocks: 9295310 aes-256-cbc's in 2.99s
Doing aes-256-cbc for 3s on 1024 size blocks: 2318898 aes-256-cbc's in 2.99s
Doing aes-256-cbc for 3s on 8192 size blocks: 289695 aes-256-cbc's in 2.99s
Doing aes-256-cbc for 3s on 16384 size blocks: 145956 aes-256-cbc's in 3.00s
OpenSSL 1.1.1n-freebsd 15 Mar 2022
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc     583784.13k   775408.93k   795270.80k   793583.81k   793125.91k   797114.37k

Doing aes-256-gcm for 3s on 16 size blocks: 69574566 aes-256-gcm's in 2.99s
Doing aes-256-gcm for 3s on 64 size blocks: 43887920 aes-256-gcm's in 2.98s
Doing aes-256-gcm for 3s on 256 size blocks: 21807074 aes-256-gcm's in 3.00s
Doing aes-256-gcm for 3s on 1024 size blocks: 7073429 aes-256-gcm's in 2.99s
Doing aes-256-gcm for 3s on 8192 size blocks: 952031 aes-256-gcm's in 3.00s
Doing aes-256-gcm for 3s on 16384 size blocks: 475160 aes-256-gcm's in 2.98s
OpenSSL 1.1.1n-freebsd 15 Mar 2022
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-gcm     372033.19k   941177.59k  1860870.31k  2420701.01k  2599679.32k  2608593.57k
The aes-256-gcm cipher is probably the best cipher to use for IPSec assuming both sides support it.
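As an added example (not posted in this thread), a small Python script that parses the summary table from the `openssl speed -evp` output quoted above and converts each per-block-size figure from 1000s of bytes per second into Mbit/s, so it can be compared with a link target. The 900 Mbit/s target and the 2x safety margin are assumptions; the sample table is constructed from the N5105 numbers in the post.

```python
"""Turn `openssl speed -evp <cipher>` summary figures into Mbit/s and check
them against a target link rate (added example; values below are a
constructed sample copied from the thread's Celeron N5105 output)."""
import re

SAMPLE_OUTPUT = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc     583784.13k   775408.93k   795270.80k   793583.81k   793125.91k   797114.37k
aes-256-gcm     372033.19k   941177.59k  1860870.31k  2420701.01k  2599679.32k  2608593.57k
"""


def parse_speed_table(text):
    """Return {cipher: {block_size_bytes: kbytes_per_second}}."""
    sizes, results = None, {}
    for line in text.splitlines():
        if line.startswith("type"):
            sizes = [int(s) for s in re.findall(r"(\d+) bytes", line)]
            continue
        m = re.match(r"^(\S+)\s+((?:[\d.]+k\s*)+)$", line)
        if m and sizes:
            vals = [float(v.rstrip("k")) for v in m.group(2).split()]
            results[m.group(1)] = dict(zip(sizes, vals))
    return results


def kbytes_to_mbps(kbytes_per_sec):
    # openssl's 'k' is 1000 bytes; 8 bits per byte; 1e6 bits per Mbit
    return kbytes_per_sec * 1000 * 8 / 1_000_000


def headroom(results, cipher, target_mbps, safety_factor=2.0):
    """Per block size: (raw cipher Mbit/s, clears target * safety_factor?).
    The margin is an assumption: openssl speed measures the cipher on one
    core only, not ESP framing, kernel crossings or per-packet overhead,
    so the small-block column is the one that matters for IMIX traffic.
    Note aes-256-cbc also needs a separate integrity algorithm in IPsec
    whose cost is not in its number; aes-256-gcm's number includes it."""
    out = {}
    for size, kbps in sorted(results[cipher].items()):
        mbps = kbytes_to_mbps(kbps)
        out[size] = (round(mbps, 1), mbps >= target_mbps * safety_factor)
    return out


if __name__ == "__main__":
    table = parse_speed_table(SAMPLE_OUTPUT)
    for cipher in table:
        print(cipher, headroom(table, cipher, 900))
```

If even the 16-byte column clears the target with margin, as it does here, the cipher itself is not what caps a tunnel at 240Mb and the search should move to packet rate, single-core saturation and the WAN path.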