    Why does Gigabit throughput require such high end hardware?

    • ?
      Guest
      last edited by

      @gonzopancho:

      I don't see Mellanox ConnectX-3 being significantly less expensive than Chelsio T5-based product.

      For example:

      Mellanox ConnectX-3 dual-port 10G adapter $235:
      http://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=1303&idcategory=6

      Chelsio T520-SO-CR dual-port 10G adapter: $234:
      http://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=2084&idcategory=6

      Mellanox ConnectX-3 Dual-Port 40G Adapter $470:
      http://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=1327&idcategory=6

      Chelsio T580-SO-CR 40 Gigabit adapter: $399
      http://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=2083&idcategory=6

      Ahhh, for sure I was not recognizing that Chelsio is also offering 40 GBit/s equipment!
      So far and in short that's it, for sure you are right with the comparison, but before the European
      pfSense Shop is opening I was thinking to refer before about the new Intel Atom C2000 Boards
      something, and I was finding this thread here very exciting: A Rangeley Board Review, and so I was triggered to research the Mellanox cards and was finding this equipment right here: 12 Port Mellanox Switch &
      Mellanox Dual Port 56 GBit/s card, and this was bringing me to the point that it could perhaps be interesting to get support for.

      And, of course:

      Rangeley C2758 via Netgate $999:
      http://store.netgate.com/Firewall/C2758.aspx

      Chelsio T520-SO-CR via Netgate $245:
      http://store.netgate.com/Chelsio/T520-SO-CR.aspx

      For sure the "Rangeley" platform will be the right thing as I see it now also.
      A little bit sad for the IPSec will not profit from AES-NI, but OK, I can live with that
      for sure if the QuickAssist is speeding up then other things. Perhaps this is owed also
      to the circumstances that I was having an eye on a Supermicro platform at first!
      Because there are boards with one PCIe slot for the Comtech AHA compression card I want
      to use inside, and adding much more RAM is also a point that was given, but with three miniPCIe
      slots for mSATA, modem and WLAN and more GB LAN ports it will be also very interesting for me
      otherwise. For sure not so easy to come closer to a right decision these days.

      So let me see what is going on if the pfSense shop in Europe is opened.

      But for the detailed information you spread over so many threads I will say thank you
      at this time first, glad to hear about those things more and more.

      • ?
        Guest
        last edited by

        @BlueKobold:

        @gonzopancho:

        I don't see Mellanox ConnectX-3 being significantly less expensive than Chelsio T5-based product.

        For example:

        Mellanox ConnectX-3 dual-port 10G adapter $235:
        http://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=1303&idcategory=6

        Chelsio T520-SO-CR dual-port 10G adapter: $234:
        http://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=2084&idcategory=6

        Mellanox ConnectX-3 Dual-Port 40G Adapter $470:
        http://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=1327&idcategory=6

        Chelsio T580-SO-CR 40 Gigabit adapter: $399
        http://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=2083&idcategory=6

        Ahhh, for sure I was not recognizing that Chelsio is also offering 40 GBit/s equipment!
        So far and in short that's it, for sure you are right with the comparison, but before the European
        pfSense Shop is opening I was thinking to refer before about the new Intel Atom C2000 Boards
        something, and I was finding this thread here very exciting: A Rangeley Board Review, and so I was triggered to research the Mellanox cards and was finding this equipment right here: 12 Port Mellanox Switch &
        Mellanox Dual Port 56 GBit/s card, and this was bringing me to the point that it could perhaps be interesting to get support for.

        And, of course:

        Rangeley C2758 via Netgate $999:
        http://store.netgate.com/Firewall/C2758.aspx

        Chelsio T520-SO-CR via Netgate $245:
        http://store.netgate.com/Chelsio/T520-SO-CR.aspx

        For sure the "Rangeley" platform will be the right thing as I see it now also.
        A little bit sad for the IPSec will not profit from AES-NI, but OK, I can live with that
        for sure if the QuickAssist is speeding up then other things. Perhaps this is owed also
        to the circumstances that I was having an eye on a Supermicro platform at first!
        Because there are boards with one PCIe slot for the Comtech AHA compression card I want
        to use inside, and adding much more RAM is also a point that was given, but with three miniPCIe
        slots for mSATA, modem and WLAN and more GB LAN ports it will be also very interesting for me
        otherwise. For sure not so easy to come closer to a right decision these days.

        So let me see what is going on if the pfSense shop in Europe is opened.

        But for the detailed information you spread over so many threads I will say thank you
        at this time first, glad to hear about those things more and more.

        IPsec does profit from AES-NI, it's AES-CBC + HMAC-SHA1 that suffers.  We're not done, either.  For now, using AES-GCM with AES-NI will provide the largest gains.  Again, we're not done here, but the current project is QAT.

        I don't have as much interest in Mellanox as I do in Chelsio and the newer Intel 10G/40G parts.

        • ?
          Guest
          last edited by

          I don't have as much interest in Mellanox as I do in Chelsio and the newer Intel 10G/40G parts.

          For sure, after I was led by your last comment that Chelsio is also having 40 Gbit/s adapters
          it is really obsolete.

          • S
            sujyo1
            last edited by

            In MO… We have 10/1 MB ($40/m) now and cable co start to offer 100/20 MB ($110/m)...and here you guys talking GB!!$$$$

            • S
              Supermule Banned
              last edited by

              Current offerings here in Denmark is 1Gbit/1Gbit for around 349DKK which is the equivalent of 49USD with current exchange rates….

              • ?
                Guest
                last edited by

                @sujyo1:

                In MO… We have 10/1 MB ($40/m) now and cable co start to offer 100/20 MB ($110/m)...and here you guys talking GB!!$$$$

                You are talking about the WAN speed! And we were talking about the LAN speed!
                This is quite different from each other, and the ConnectX 2 Series from Mellanox is supported
                so it was only in my mind to find out if the new series will be perhaps also be supported, not
                more and not less. And if we are talking about 40 GBit/s adapters this is more for the LAN
                connection and not the WAN connection.

                .and here you guys talking GB!!$$$$

                pfSense is not only used in home networks and in corporate networks you have to deal
                also with other throughput for the entire company to deliver a moderate speed to all
                the clients, servers and SANs and therefore it would even be great, to be able not
                to create a so called bottleneck inside your LAN.

                • E
                  edwardwong
                  last edited by

                  @Supermule:

                  Current offerings here in Denmark is 1Gbit/1Gbit for around 349DKK which is the equivalent of 49USD with current exchange rates….

                  In HK 1G up/down is less than 30 USD/month, and there is vendor planning to work out a 10G residential plan.

                  • S
                    Supermule Banned
                    last edited by

                    That's freaking crazy! :D

                    Sponsored by Chinese Intelligence??? ;)

                    • K
                      kejianshi
                      last edited by

                      Why do governments act like children on the internet?

                      • R
                        robi
                        last edited by

                        In Hungary we have 1G/300M for about 15USD/month including 110 DVB TV channels and landline phone.

                        • K
                          kejianshi
                          last edited by

                          In Manila we have 5/1 coax connection for about $30 per month and TV is another $15 extra…  And the picture is shit...  (-:

                          • E
                            edwardwong
                            last edited by

                            @Supermule:

                            That's freaking crazy! :D

                            Sponsored by Chinese Intelligence??? ;)

                            I already consider this expensive, there exist cheaper 1G/1G options (and previous 2 yrs I was paying USD 15 for 500M/500M)

                            And of course we want to separate with mainland China (GFW is blocking lots of stuff)…...

                            • S
                              Supermule Banned
                              last edited by

                              I know. Do you use VPN to overcome that?

                              @edwardwong:

                              @Supermule:

                              That's freaking crazy! :D

                              Sponsored by Chinese Intelligence??? ;)

                              I already consider this expensive, there exist cheaper 1G/1G options (and previous 2 yrs I was paying USD 15 for 500M/500M)

                              And of course we want to separate with mainland China (GFW is blocking lots of stuff)…...

                              • stephenw10S
                                stephenw10 Netgate Administrator
                                last edited by

                                @robi:

                                In Hungary we have 1G/300M for about 15USD/month including 110 DVB TV channels and landline phone.

                                I guess everything is relative but still.  :o

                                Steve

                                • E
                                  edwardwong
                                  last edited by

                                  @Supermule:

                                  I know. Do you use VPN to overcome that?

                                  @edwardwong:

                                  @Supermule:

                                  That's freaking crazy! :D

                                  Sponsored by Chinese Intelligence??? ;)

                                  I already consider this expensive, there exist cheaper 1G/1G options (and previous 2 yrs I was paying USD 15 for 500M/500M)

                                  And of course we want to separate with mainland China (GFW is blocking lots of stuff)…...

                                  Staying in HK, I don't need to do anything, GFW is only within mainland China border.
                                  If people need to go to China, they definitely need VPN, but it's still not that easy because GFW apparently knows the OpenVPN traffic, that's why I'm going to construct an OVPN obfuscation proxy to my OVPN server for hiding myself….

                                  • V
                                    Viet-ha Pham
                                    last edited by

                                    @gonzopancho:

                                    IPsec does profit from AES-NI, it's AES-CBC + HMAC-SHA1 that suffers.  We're not done, either.  For now, using AES-GCM with AES-NI will provide the largest gains.  Again, we're not done here, but the current project is QAT.

                                    At my last place, they used a patch from a consulting company that implemented AES-CBC with HMAC-SHA-xx  with AES-NI acceleration.  I have since moved on.  If I can get more info / link on that, I will share.

                                    • J
                                      jwt Netgate
                                      last edited by

                                      You can't accelerate SHA with AES-NI.

                                      Very modern Intel CPUs have instructions that will accelerate SHA/SHA2, but there is no support for that in FreeBSD or pfSense yet.

                                      1 Reply Last reply Reply Quote 0
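The distinction drawn in the post above, as an added example that is not part of the original thread and is not pfSense or FreeBSD code: AES-NI, PCLMULQDQ (used for the GHASH half of AES-GCM) and the SHA extensions are separate CPUID feature bits, so a CPU can cover the AES half of AES-CBC + HMAC-SHA1 while leaving the hash in software. The function and macro names are hypothetical; the bit positions are the ones documented for CPUID leaf 1 and leaf 7.

```c
/* Added example (not pfSense/FreeBSD code); all names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CPU_PCLMULQDQ (1u << 0)  /* carry-less multiply, used for GHASH in GCM */
#define CPU_AESNI     (1u << 1)  /* AES round instructions */
#define CPU_SHA       (1u << 2)  /* SHA-1 / SHA-256 instructions */

/* Pure decoder: leaf1_ecx = CPUID.01H:ECX, leaf7_ebx = CPUID.(EAX=07H,ECX=0):EBX */
unsigned decode_crypto_features(uint32_t leaf1_ecx, uint32_t leaf7_ebx)
{
    unsigned f = 0;
    if (leaf1_ecx & (1u << 1))  f |= CPU_PCLMULQDQ;
    if (leaf1_ecx & (1u << 25)) f |= CPU_AESNI;
    if (leaf7_ebx & (1u << 29)) f |= CPU_SHA;
    return f;
}

/* AES-GCM: cipher needs AES-NI, authentication (GHASH) needs PCLMULQDQ. */
int gcm_covered(unsigned f)
{
    return (f & CPU_AESNI) && (f & CPU_PCLMULQDQ);
}

/* AES-CBC + HMAC-SHA: cipher needs AES-NI, the HMAC needs the SHA extensions.
 * Having the instructions only means the hardware can do it; the OS crypto
 * driver still has to use them. */
int cbc_hmac_sha_covered(unsigned f)
{
    return (f & CPU_AESNI) && (f & CPU_SHA);
}

/* Query the CPU this program runs on; returns 0 on non-x86 builds. */
unsigned read_host_features(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d, ecx1 = 0, ebx7 = 0;
    if (__get_cpuid(1, &a, &b, &c, &d)) ecx1 = c;
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d)) ebx7 = b;
    return decode_crypto_features(ecx1, ebx7);
#else
    return 0;
#endif
}

int main(void)
{
    unsigned f = read_host_features();
    printf("AES-NI=%d PCLMULQDQ=%d SHA=%d\n",
           !!(f & CPU_AESNI), !!(f & CPU_PCLMULQDQ), !!(f & CPU_SHA));
    printf("AES-GCM fully covered by CPU instructions: %d\n", gcm_covered(f));
    printf("AES-CBC + HMAC-SHA fully covered:          %d\n", cbc_hmac_sha_covered(f));
    return 0;
}
```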
                                      • V
                                        Viet-ha Pham
                                        last edited by

                                        @jwt:

                                        You can't accelerate SHA with AES-NI.

                                        Very modern Intel CPUs have instructions that will accelerate SHA/SHA2, but there is no support for that in FreeBSD or pfSense yet.

                                        I still don't have all the details, so I can't comment in depth. I have sent a query to my ex-colleagues. SHA-xx is not supported by AES-NI, whereas CBC is indeed accelerated. But the combo AES-CBC with SHA-xx is the problem. So if this combo is offered during negotiations, it is rejected… until 'net.inet.ipsec.crypto_support' is disabled. I see this all the time in IPsec VPN, and also especially with L2TP/IPsec from Windows 7 and 10 clients.

                                        VhPham

                                        • D
                                          dreamslacker
                                          last edited by

                                          @edwardwong:

                                          Staying in HK, I don't need to do anything, GFW is only within mainland China border.
                                          If people need to go to China, they definitely need VPN, but it's still not that easy because GFW apparently knows the OpenVPN traffic, that's why I'm going to construct an OVPN obfuscation proxy to my OVPN server for hiding myself….

                                          Actually, it doesn't 'know' OVPN traffic, per se.
                                          It scans traffic in waves and explicitly blocks the common IPSEC/ GRE/ L2TP ports etc.

                                          What it can't inspect (implying encrypted traffic or VPN traffic on non-common protocols or ports) when it catches during these waves of scanning, it logs, when the second or third wave picks up the same traffic pattern, it will assume it's VPN traffic and blocks it - that's how they catch on to OVPN and the likes of.

                                          To bypass this, some VPN providers basically provide a tunnel within tunnel kind of configuration. It transfers the outer tunnel to roll between different endpoints to avoid being caught between waves and hopefully, the timing is just enough to let the GFW ignore it.

                                          • ?
                                            Guest
                                            last edited by

                                            @dreamslacker:

                                            @edwardwong:

                                            Staying in HK, I don't need to do anything, GFW is only within mainland China border.
                                            If people need to go to China, they definitely need VPN, but it's still not that easy because GFW apparently knows the OpenVPN traffic, that's why I'm going to construct an OVPN obfuscation proxy to my OVPN server for hiding myself….

                                            Actually, it doesn't 'know' OVPN traffic, per se.
                                            It scans traffic in waves and explicitly blocks the common IPSEC/ GRE/ L2TP ports etc.

                                            What it can't inspect (implying encrypted traffic or VPN traffic on non-common protocols or ports) when it catches during these waves of scanning, it logs, when the second or third wave picks up the same traffic pattern, it will assume it's VPN traffic and blocks it - that's how they catch on to OVPN and the likes of.

                                            To bypass this, some VPN providers basically provide a tunnel within tunnel kind of configuration. It transfers the outer tunnel to roll between different endpoints to avoid being caught between waves and hopefully, the timing is just enough to let the GFW ignore it.

                                            In China there are also some good VPN ISPs that are offering to non-Chinese companies or citizens really
                                            good performing VPN-capable Internet accounts where such needed ports are open and not closed. So actually
                                            a VPN tunnel or connection can be done with ease for foreign people in China, only to themselves or Chinese
                                            citizens these Internet accounts are allowed.
