RCC-VE 2440 or 4860 for Home
-
Hello,
I currently have a Netgate 2D13 based router that has been running strong the last few years. Recently though it has started to show signs of death and my internet speeds are now well beyond its routing capabilities so I am looking to upgrade.
At first I was looking at the APU based units but one of my primary concerns is being able to eventually route a full 1Gbps WAN connection. So I've been looking at the RCC-VE 2440 and 4860 units. Unfortunately there just doesn't seem to be any real performance metrics published for these boxes yet.
My current pfSense usage is pretty simple. I've got two VLANs set up which separate my wired machines from my wireless. I've also got OpenVPN set up for the occasional times when I want to access my home network remotely as well as some port forwarding.
As I said my primary concern is that the next box will be able to last 3-5 years as my current router has and also scale to a 1Gbps connection in that time so I don't have to rebuy again. Will the RCC-VE 2440 be able to handle this kind of load? Or is the 4860 the minimum I'd need to future proof my home network?
Thanks in advance.
-
http://ark.intel.com/compare/77978,77983
The C2558 has twice as many cores (four vs. two) and is clocked at 2.4 GHz, whereas the C2358 is clocked at 1.7 GHz and can turbo up to 2 GHz. The former consumes twice as much power as the latter. The other advantages of the C2558 (additional PCIe lanes and SATA ports, higher maximum RAM) are moot in this particular form factor (i.e. it's in a small case and the RAM is soldered on).
I think a lot of it depends on what you're doing with it. If you're running a ton of Snort/Suricata rules and pfBlockerNG on multiple interfaces, and you're hosting multiple concurrent VPN sessions, you'll probably want the extra horsepower. If you're running other potentially CPU-intensive services (like Squid, mail scanning/forwarding, and/or BIND), you'll probably want the extra hardware threads.
My 2440 barely breaks a sweat; granted, I have a small pipe. The pfSense developers are still working on integrating and optimizing hardware acceleration features like AES-NI and QuickAssist, which should greatly speed up VPN and other features. Hopefully some better benchmarks will come out over the next few weeks. I'm sure there are more than a few pfSense users installing their new Rangeley hardware on gigabit pipes…
-
In normal @MWP821 is right pointing it, but related to the 1 GBit/s WAN line, the most users want to get out how much as they can do and this is the point you should think about first of all. If you get "only" 50 Mbit/s VPN throughput by owning a 1 GBit/s WAN line it can be worse to live with this speed, but if you will be able to get more information from other users how much they will receive it would be better to compare those boxes as it is now able to do.
And on top as I see it right, all is growing and/or falling with the usage of many CPU cores. What does it if you get 8 CPU cores and only one is in heavy usage? Or what does it right if the AES-NI is really speeding up the IPSec VPN enormously and you are using OpenVPN? What does it bring to you if Intel QuickAssist is really speeding up snort, suricata or OpenDPI and you are not using them all?
I personally want to wait until summer to get more tech. specs. related user reports and then I think the SG-4860 in my case will do the game as my new pfSense based home firewall.
-
@BlueKobold:
In normal @MWP821 is right pointing it, but related to the 1 GBit/s WAN line, the most users want to get out how much as they can do and this is the point you should think about first of all. If you get "only" 50 Mbit/s VPN throughput by owning a 1 GBit/s WAN line it can be worse to live with this speed, but if you will be able to get more information from other users how much they will receive it would be better to compare those boxes as it is now able to do.
And on top as I see it right, all is growing and/or falling with the usage of many CPU cores. What does it if you get 8 CPU cores and only one is in heavy usage? Or what does it right if the AES-NI is really speeding up the IPSec VPN enormously and you are using OpenVPN? What does it bring to you if Intel QuickAssist is really speeding up snort, suricata or OpenDPI and you are not using them all?
I personally want to wait until summer to get more tech. specs. related user reports and then I think the SG-4860 in my case will do the game as my new pfSense based home firewall.
QuickAssist will not speed up snort/suricata/OpenDPI. Intel abandoned that codebase (you can't get the firmware.)
Correctly implemented (via /dev/crypto), QAT will accelerate OpenVPN. There is an open issue (being resolved with the OpenVPN project) using AES-NI with OpenVPN. When OpenVPN 2.4 ships (and is incorporated into a future version of pfSense), the AEAD (think: AES-GCM) modes will be supported, and OpenVPN should get faster. (Architecturally, OpenVPN will still be hampered by the tun/tap interface. Copying through userspace is teh suck.)
I have a 1Gbps connection to home, and one at work. I run a C2358-based system at home, and a C2758 system at work, both using pfSense (I've been running a version of 2.2 with AES-NI/AES-GCM support much longer than nearly anyone else). I've posted throughput numbers before. I have a 4860 at home on my desk, but I've not found time to put it in-place. The additional clock rate should give some boost to the IPsec connection.
Yes, work continues on making incremental improvement to all parts of the stack, with a current focus on making forwarding, filtering and crypto "go fast".
-
@gonzopancho
QuickAssist will not speed up snort/suricata/OpenDPI. Intel abandoned that codebase (you can't get the firmware.)
Oh, that's new for me, I was really thinking it would be speeding up exactly these packages and the AES-NI the VPN part, fine for me I thought then the most security related components are going to be pushed in the future I was thinking, really sad is that situation now.
Correctly implemented (via /dev/crypto), QAT will accelerate OpenVPN. There is an open issue (being resolved with the OpenVPN project) using AES-NI with OpenVPN.
I am using primary IPSec VPN and so AES-NI is speeding it up much more than I could expect before.
-
@BlueKobold:
@gonzopancho
QuickAssist will not speed up snort/suricata/OpenDPI. Intel abandoned that codebase (you can't get the firmware.)
Oh, that's new for me, I was really thinking it would be speeding up exactly these packages and the AES-NI the VPN part, fine for me I thought then the most security related components are going to be pushed in the future I was thinking, really sad is that situation now.
Correctly implemented (via /dev/crypto), QAT will accelerate OpenVPN. There is an open issue (being resolved with the OpenVPN project) using AES-NI with OpenVPN.
I am using primary IPSec VPN and so AES-NI is speeding it up much more than I could expect before.
We are quite aware of the AES-NI acceleration of IPsec. http://freebsdfoundation.blogspot.com/2014/08/freebsd-foundation-announces-ipsec.html
For VPN (including IPsec and OpenVPN), QAT will be faster, even on a C2358, but we did AES-NI first, because more people can benefit.
Even other forks, which sell their own hardware which is AES-NI enabled. PC Engines is working on a board that has Intel NICs and which supports AES-NI as well. QAT allows the supported ESP and AH transports to be processed in parallel. A large part of the gain of AES-GCM vs. AES-CBC with SHA1 is that AES-GCM is an Authenticated Encryption with Associated Data (AEAD)
There are also future products that are quite a bit faster than what you can get today, some of them are tuned to large Snort/Suricata installations.
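The AES-GCM versus AES-CBC with SHA1 point from the thread, as an added example that is not part of any post and is not pfSense, OpenVPN or FreeBSD code: with an AEAD one call encrypts the payload and authenticates the header, while the CBC construction needs a separate HMAC pass over the packet. The 8-byte header, the all-zero key, IV and nonce, and the MAC key are constructed for the demonstration; real traffic needs a unique IV or nonce per packet.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

func tag96(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha1.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)[:12]
}

// sealCBC pads and AES-CBC encrypts, then MACs (HMAC-SHA1-96) header, IV and ciphertext.
func sealCBC(blk cipher.Block, macKey, iv, hdr, payload []byte) []byte {
	pad := aes.BlockSize - len(payload)%aes.BlockSize
	buf := append(append([]byte{}, payload...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf)
	return append(buf, tag96(macKey, hdr, iv, buf)...)
}

// openCBC checks the tag first and decrypts only authentic packets.
func openCBC(blk cipher.Block, macKey, iv, hdr, pkt []byte) ([]byte, error) {
	n := len(pkt) - 12
	if n < 16 || n%16 != 0 || !hmac.Equal(pkt[n:], tag96(macKey, hdr, iv, pkt[:n])) {
		return nil, fmt.Errorf("authentication failed")
	}
	pt := make([]byte, n)
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, pkt[:n])
	return pt[:n-int(pt[n-1])], nil
}

// demo seals a constructed packet both ways and opens each under openHdr.
func demo(openHdr string) (gcmPT, cbcPT []byte, gcmErr, cbcErr error) {
	blk, _ := aes.NewCipher(make([]byte, 16)) // constructed zero key, always a valid size
	aead, _ := cipher.NewGCM(blk)
	hdr, iv, mk := []byte("SPI1SEQ1"), make([]byte, 16), []byte("constructed-mac-key")
	g := aead.Seal(nil, iv[:12], []byte("payload"), hdr) // one call: encrypt and tag
	c := sealCBC(blk, mk, iv, hdr, []byte("payload"))    // two passes: encrypt, then MAC
	gcmPT, gcmErr = aead.Open(nil, iv[:12], g, []byte(openHdr))
	cbcPT, cbcErr = openCBC(blk, mk, iv, []byte(openHdr), c)
	return
}
func main() { fmt.Println(demo("SPI1SEQ2")) }
```

Opening under the original header returns the payload from both constructions; opening under the altered header makes both refuse the packet before any plaintext is released.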