IPsec gigabit throughput
-
What is the best way to encrypt a gigabit fibre connection between 2 pfSense servers (2.2.4-RELEASE) while keeping high performance?
I tested IPsec but I got +/- 8MB/s.
Disabling IPsec, I got +/- 75MB/s.

English isn't my first language, so please excuse any mistakes.
-
What sort of hardware do you have running pfSense? Does it have a CPU with AES-NI on both ends?
-
> What is the best way to encrypt a gigabit fibre connection between 2 pfsense servers(2.2.4-RELEASE

Is this an Internet connection over an ISP with 1 GBit/s, or is this a local fiber connection over two SFP modules?

> keeping high performance?

Hardware with VPN hardware acceleration or built-in AES-NI support in the SoC or CPU.
Something like the Intel Atom C2x58, Xeon D-1540, Xeon E3 or Xeon E5 will serve you.

> I tested IPsec but I got +/- 8MB/s
> disabling IPsec I got +/- 75MB/s

Which encryption were you using for the IPsec connection?
~ 80 MBit/s raw throughput without VPN is possible on an older Alix board.
~ 40 MBit/s throughput is possible with IPsec VPN.

CPU, RAM, board, drive or storage and NICs or miniPCI slots would be good to know.
-
It is a local fiber connection over two SFP modules, but provided by a third-party company.
For now I have only made local tests with Ethernet cables.
I have not tested on the fiber.

Side A
HP PROLIANT ML310e Gen8
Proc: Intel Quad-Core Xeon E3-1220v3 3.10Ghz 8MB L3 Cache (with AES-NI)
Mem: 8GB DDR3

Side B
Dell Vostro 230s
Proc: Pentium(R) Dual-Core CPU E5400 @ 2.70GHz (without AES-NI)
Mem: 3GB DDR3

I made 2 tests:
1 - Copying files from side A to side B, I got +/- 8MB/s (CPU usage in side A is around 2% and 30% in side B)
2 - Copying the same files from side B to side A, I got +/- 30MB/s (CPU usage in side A is around 10% and 100% in side B)

Next week I will change server B to a Core i3 (4150) with AES-NI to improve performance.
But I don't understand why test 1 is so slow, even with low CPU usage.
-
> I not tested on the fiber

Ok, I understand.

> Side A
> HP PROLIANT ML310e Gen8
> Proc: Intel Quad-Core Xeon E3-1220v3 3.10Ghz 8MB L3 Cache (with AES-NI)
> Mem: 8GB DDR3

Cool pfSense box but lame NICs, if I see it right!

> Side B
> Dell Vostro 230s
> Proc: Pentium(R) Dual-Core CPU E5400 @ 2.70GHz (without AES-NI)
> Mem: 3GB DDR3

If you are able to get an Intel Core i3 or i5, please try to get the biggest one you can get your hands on!
And if you are able to get a CPU with more than 3,0GHz, so much the better for you!
AES-NI on both sides will speed things up a lot, as I see it right now.

> I made 2 tests:
> 1 - Copying files from side A to side B, I got +/- 8MB/s (CPU usage in side A is around 2% and 30% in side B)
> 2 - Copying the same files from side B to side A, I got +/- 30MB/s (CPU usage in site A is around 10% and 100% in side B)

For a real test that is also confidential and that you can trust, it might be best to install a PC on both sides and then do an iPerf test that is not based on protocols such as SMB and CIFS!

> Next week I will change the server B to a core i3(4150) with AES-NI to improve performance.

Best will be a Core i3 or Core i5 with 4 cores @3,1GHz or more.

> but i don't understand why the test 1 is so slow, even with low CPU usage.

By copying files over you are using protocols like SMB and/or CIFS, but in reality you want to know how much the line will theoretically offer, and not the protocols!
So iPerf or NetIO are the best tools for doing a test you can count on.
-
Tested with iPerf and I got +/-280 Mbits/s in both ways (limited by the CPU of side B). ;D
It seems that IPsec is OK, but I will need to transfer large files over this channel.
Googling, I found that the problem with the SMB protocol can be fixed by changing the MTU value.
I will test and post the results.
-
> Googling I found that the problem with smb protocol can be fixed changing MTU value.

We've also transferred large files with SFTP or SCP and it doesn't have the same speed issues as SMB. That may be an option for you too.
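-
The MTU remark in this thread comes down to how many bytes ESP tunnel mode takes out of every packet. As an added example (not code from any poster here), the following computes the largest inner packet and the TCP MSS that still fit in one ESP packet for a given link MTU; the cipher suites listed are assumptions, since the thread does not name the one in use.

```python
from dataclasses import dataclass

OUTER_IPV4 = 20    # outer IPv4 header, no options
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # UDP encapsulation header, only with NAT-T
INNER_TCPIP = 40   # inner IPv4 (20) + TCP (20), no options


@dataclass(frozen=True)
class Suite:
    iv: int      # per-packet IV bytes
    align: int   # ciphertext alignment in bytes
    icv: int     # integrity check value bytes


# Assumed suites; the thread does not say which one the tunnel uses.
SUITES = {
    "aes-cbc+hmac-sha1-96": Suite(iv=16, align=16, icv=12),
    "aes-cbc+hmac-sha256-128": Suite(iv=16, align=16, icv=16),
    "aes-gcm-icv16": Suite(iv=8, align=4, icv=16),
}


def inner_mtu(link_mtu: int, suite: Suite, nat_t: bool = False) -> int:
    """Largest inner IP packet that fits in one ESP packet of link_mtu bytes."""
    room = link_mtu - OUTER_IPV4 - (NAT_T_UDP if nat_t else 0)
    room -= ESP_HEADER + suite.iv + suite.icv
    room -= room % suite.align   # payload + padding + trailer is aligned
    return room - ESP_TRAILER


def tcp_mss(link_mtu: int, suite: Suite, nat_t: bool = False) -> int:
    """MSS to clamp to so full-size TCP segments are not fragmented."""
    return inner_mtu(link_mtu, suite, nat_t) - INNER_TCPIP


def needs_fragmentation(packet_len: int, link_mtu: int, suite: Suite) -> bool:
    """True when an inner packet of packet_len bytes exceeds one ESP packet."""
    return packet_len > inner_mtu(link_mtu, suite)


if __name__ == "__main__":
    for name, suite in SUITES.items():
        print(f"{name:26} inner MTU {inner_mtu(1500, suite)}"
              f"  MSS {tcp_mss(1500, suite)}"
              f"  NAT-T inner MTU {inner_mtu(1500, suite, nat_t=True)}")
```

A full 1500-byte packet from a LAN host does not fit through any of these tunnels in one piece, which is why fragmentation or MSS clamping enters the picture for bulk TCP transfers.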