VPN throughput VIA C7 1200 MHz. Upgrade to 1500 MHz worth?
-
Yes, it's the IDE port… :o My fault.
top -sh process raised up until 20% and openvpn to 60% max. Nothing else was visible with more than 0,x %.
Nevertheless, I'm honestly thinking about switching to a newer Intel or AMD CPU. In case of using an Intel CPU which is using AES-NI, I have read to unload the module.
http://forum.pfsense.org/index.php/topic,69079.msg378029.html?PHPSESSID=ee935d285a7f4859dd5a6cb36d5b42ce#msg378029
In the next months I will get a new 100 Mbit connection and then my actual hardware will not meet the expectations.
-
So did the speed go up to 44meg?
Since your VIA kit already has AES support you may want to hold off on better hardware; you may hit 100meg bb speeds with it or close.
Finding the right kit I found a challenge, only since most low end Intel CPUs and even the latest ones do not support AES. Some of the newer Haswell Intel Core i3 range have it but not the Sandy or Ivys, seems a mixed bag. Core i5/7+ have it, even the old ones.
All AMD CPUs always have it, they don't cripple their CPUs with features.
The new Baytrail or Atom 2 desktops and CPUs are coming out in the next month or 2. However, I checked some of them and while they are meant to have AES support, a quick check on the Intel CPU database and CPU World database revealed no AES support on most of them; only the business edition/server Baytrail systems seemed to have AES. Maybe worth waiting till they are out and fully reviewed.
-
[2.1-RELEASE][admin@pfsense.localdomain]/root(28): /usr/bin/openssl engine -t -c
(cryptodev) BSD cryptodev engine
[RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
[ available ]
(padlock) VIA PadLock (no-RNG, ACE)
[AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, AES-256-ECB, AES-256-CBC, AES-256-CFB, AES-256-OFB]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
[2.1-RELEASE][admin@pfsense.localdomain]/root(29):
Deactivating padlock or cryptodev in the OpenVPN config is raising my speed to a constant 42 Mbit with my 1.2 GHz VIA C7 CPU. That's really enough. Activating padlock or cryptodev, so I have read here in the forum, is routing the traffic through one of these engines as well. But for me it was useless… omg :(
As you said, I was looking yesterday for an Intel Core i3-4130T with AES-NI. But now I have found the root cause for the massive speed drop. If I'm changing my ISP by the middle of next year and getting the 100 Mbps connection I will consider buying new equipment.
I have ordered 2 days ago a miniITX Celeron 1037U Mainboard but I will send it back.
-
Well, that is great news to hear you're hitting your fuller speeds :)
It's easy to get the upgrade itch, but just like many folk around here I have seen, they get very high end or mid range PCs worth $300-400, some even get Xeon servers worth that much with AES just to get the fuller speeds. But since speaking to the guys on this forum (they know their stuff much better than me, btw), even they said even a 2ghz CPU is enough and should hit 100meg+ VPN speeds.
I think you should at least give it a test when you get your 100meg connection; your 1.2ghz kit with its encryption support is currently the sweet spot.
I have a 1.5ghz quadcore AMD A4-5000 CPU which has full AES support and max 15 watts. My full broadband speed is hitting 5% CPU usage while it's only 10meg, so I assume I too should hit 100meg…. AES should hopefully counter the CPU overhead, and hopefully by then pfSense + OpenVPN from a release or 2 down the road should use multi core support, so in theory 200meg and beyond perhaps with very little CPU usage!
-
Hello Fevan
I switched to the new miniITX board, GA-C1037UN from Gigabyte with a Dual Core Celeron, and I'm very surprised about the speed and CPU usage.
Full load with 46-47 Mbit/sec (my ISP connection is 50 Mbit) with BC-CBC 128bit and only 23% CPU usage max., and the board doesn't need more than 18 Watt. Although this board has no AES support it's performing very well. I was waiting 2 days until opening the box :) I was considering sending the package back.
OpenSSL speed output with a Celeron 1037 and 4 GB-DDR3 RAM on 4 GB Compact flash Card using a nano 1 GB BSD pfsense image
OpenSSL 0.9.8y 5 Feb 2013
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type               16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2                1241.57k     2552.09k     3472.24k     3818.55k     3931.13k
mdc2               5346.57k     5945.15k     6129.67k     6172.98k     6183.11k
md4               19196.19k    67705.08k   192389.60k   356384.95k   474610.29k
md5               15945.12k    53220.77k   138644.88k   231744.27k   288054.50k
hmac(md5)         14870.23k    50112.77k   133322.27k   227841.23k   287173.17k
sha1              13830.15k    40594.85k    88396.69k   125721.51k   143524.52k
rmd160            12413.46k    34547.47k    71410.74k    97639.00k   109350.36k
rc4              202493.90k   260635.34k   281057.26k   286650.32k   288200.93k
des cbc           39580.38k    40175.55k    40285.53k    40345.08k    40373.25k
des ede3          14582.03k    14654.89k    14671.10k    14683.93k    14687.32k
idea cbc              0.00         0.00         0.00         0.00         0.00
seed cbc              0.00         0.00         0.00         0.00         0.00
rc2 cbc           25060.83k    25652.16k    25898.75k    25977.97k    26010.01k
rc5-32/12 cbc    149821.90k   159312.46k   161424.27k   162496.46k   162752.66k
blowfish cbc      63492.72k    65346.24k    65712.62k    65893.69k    65964.04k
cast cbc          57077.81k    58958.91k    59433.33k    59549.42k    59604.14k
aes-128 cbc       58083.47k    61622.53k    62368.54k    62753.44k    62801.41k
aes-192 cbc       50243.05k    53332.33k    53843.72k    54121.31k    54174.94k
aes-256 cbc       44877.39k    46854.56k    47324.47k    47553.83k    47591.69k
camellia-128 cbc  48180.17k    50060.06k    50540.53k    50593.58k    50673.91k
camellia-192 cbc  37211.27k    38231.78k    38512.42k    38565.91k    38611.84k
camellia-256 cbc  37196.30k    38267.35k    38498.71k    38589.80k    38630.21k
sha256            10559.61k    25759.62k    47170.62k    59592.90k    64581.36k
sha512             3977.06k    15926.76k    24211.83k    33853.36k    38368.47k
aes-128 ige       60019.16k    63932.09k    64938.94k    65320.54k    65388.44k
aes-192 ige       52073.85k    54983.36k    55743.33k    56059.38k    56100.04k
aes-256 ige       46046.86k    48259.69k    48851.10k    49093.04k    49114.49k
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000583s 0.000057s   1716.1  17557.2
rsa 1024 bits 0.002683s 0.000130s    372.8   7704.4
rsa 2048 bits 0.013994s 0.000385s     71.5   2599.3
rsa 4096 bits 0.085500s 0.001272s     11.7    786.2
                  sign    verify    sign/s verify/s
dsa  512 bits 0.000449s 0.000506s   2227.8   1976.0
dsa 1024 bits 0.001139s 0.001352s    877.8    739.9
dsa 2048 bits 0.003478s 0.004212s    287.5    237.4
[2.1-RELEASE][root@pfsense.localdomain]/root(3):
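Added example (not part of the original thread): a small parser for the `openssl speed` table above that combines a cipher rate and a digest rate into a single-core crypto ceiling in Mbit/s, for comparison with the link speed. Pairing each cipher with SHA1 as the packet digest and reading the 1024-byte column as the closest to a tunnel packet are assumptions, and the figure ignores all non-crypto overhead.

```python
import re

# One result row of `openssl speed`: an algorithm name, then five rates
# (16/64/256/1024/8192-byte blocks) in "1000s of bytes per second".
ROW = re.compile(r"^(?P<name>\S.*?)\s+(?P<vals>(?:\d+\.\d+k?\s+){4}\d+\.\d+k?)\s*$")
BLOCK_SIZES = (16, 64, 256, 1024, 8192)

# Rows copied from the Celeron 1037U output posted in this thread.
SAMPLE = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1             13830.15k    40594.85k    88396.69k   125721.51k   143524.52k
blowfish cbc     63492.72k    65346.24k    65712.62k    65893.69k    65964.04k
aes-128 cbc      58083.47k    61622.53k    62368.54k    62753.44k    62801.41k
idea cbc             0.00         0.00         0.00         0.00         0.00
"""

def parse_speed(text):
    """Return {algorithm: {block_size: bytes_per_second}}; non-table lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header and RSA/DSA rows do not have five rates
        rates = {}
        for size, v in zip(BLOCK_SIZES, m.group("vals").split()):
            rates[size] = float(v.rstrip("k")) * (1000 if v.endswith("k") else 1)
        table[m.group("name")] = rates
    return table

def vpn_ceiling_mbit(table, cipher, digest, block=1024):
    """Crypto-only upper bound in Mbit/s when every byte is both encrypted
    and hashed on one core, so the per-byte times add up."""
    c, h = table[cipher][block], table[digest][block]
    if c == 0 or h == 0:
        return 0.0  # 0.00 in the table: algorithm not compiled into this build
    return 8 / (1 / c + 1 / h) / 1e6

if __name__ == "__main__":
    t = parse_speed(SAMPLE)
    for cipher in ("blowfish cbc", "aes-128 cbc", "idea cbc"):
        print(f"{cipher:13s} + sha1: {vpn_ceiling_mbit(t, cipher, 'sha1'):6.1f} Mbit/s")
```

A ceiling well above the line rate means the cipher itself is not the limiting factor on that box.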
-
Very impressive, and at least you're set for 100meg and greater speeds now :)
-
Hardware AES decryption is nice to have but modern CPUs are so fast that it's probably not necessary. As we've seen here it may even be slower than using software if it's not implemented properly/completely.
Steve
-
You know you're wrong here, … right? :)
The AES-NI support in 8.3 (pfSense 2.1) doesn't support a mode that can be effectively pipelined.
This is changing. I fully expect AES-NI in pfSense 2.2 to blow the doors off any software-only implementation you can find on x86/amd64 hardware.
We're talking 750-850Mbps throughput in IPSEC tunnel mode, maybe more. AES-NI is, in theory, good for 2Gbps per core.
(And inexpensive multi-core hardware that supports AES-NI is coming.)
And Intel's QuickAssist engine will run at 50Gbps (throughput) if you have the right hardware installed. No, I did not stutter. 8)
-
@gonzopancho:
You know you're wrong here, … right? :)
Me?
I think (I hope) I was pretty much in agreement with what you said. Perhaps I was unclear.
With most home internet connections still <100Mbps it's unnecessary to have AES hardware support since many current entry level CPUs can sustain that encrypted throughput in software.
How's that? ;)
Of course if you're discussing a much larger pipe then sure the advantages become much more apparent.
Steve
-
This is very good to hear. I am actually looking at purchasing the same motherboard and was wondering about pfSense compatibility and VPN performance. I currently have a 100Mbps connection so it looks as though this will work well.
-
GA-C1037UN-EU is capable of 900mbps firewalling.
http://www.superwrt.eu/cel-mai-bun-router-gigabit/ (sorry for Romanian - use Chrome translate)
Our biggest ISP in Romania is offering 500mbps at 11 euro and 1000 mbps for 14 euro (49 lei and 59 lei).
I'm also very curious about its VPN capabilities - will try to ask the owner
–---------------
LE: he doesn't have the capabilities to test openvpn for now
-
Hello, sorry for not updating the post series regarding this DIY gigabit ethernet router,
the system seems to be extremely stable but I did not do any heavy traffic through it..
00:00.0 Host bridge: Intel Corporation 3rd Gen Core processor DRAM Controller (rev 09)
00:02.0 VGA compatible controller: Intel Corporation 3rd Gen Core processor Graphics Controller (rev 09)
00:16.0 Communication controller: Intel Corporation 7 Series/C210 Series Chipset Family MEI Controller #1 (rev 04)
00:1a.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #2 (rev 04)
00:1b.0 Audio device: Intel Corporation 7 Series/C210 Series Chipset Family High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family PCI Express Root Port 1 (rev c4)
00:1c.1 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family PCI Express Root Port 2 (rev c4)
00:1c.2 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev c4)
00:1c.3 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family PCI Express Root Port 4 (rev c4)
00:1d.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #1 (rev 04)
00:1f.0 ISA bridge: Intel Corporation 7 Series Chipset Family LPC Controller (rev 04)
00:1f.2 SATA controller: Intel Corporation 7 Series Chipset Family 6-port SATA Controller [AHCI mode] (rev 04)
00:1f.3 SMBus: Intel Corporation 7 Series/C210 Series Chipset Family SMBus Controller (rev 04)
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)
03:00.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev 41)
Did not include a CPU graph because it's stable at 2-3 %.