Why does Gigabit throughput require such high-end hardware?
-
Why do governments act like children on the internet?
-
In Hungary we have 1G/300M for about 15USD/month including 110 DVB TV channels and landline phone.
-
In Manila we have 5/1 coax connection for about $30 per month and TV is another $15 extra… And the picture is shit... (-:
-
That's freaking crazy! :D
Sponsored by Chinese Intelligence??? ;)
I already consider this expensive; there exist cheaper 1G/1G options (and for the previous 2 yrs I was paying USD 15 for 500M/500M)
And of course we want to separate from mainland China (GFW is blocking lots of stuff)…
-
I know. Do you use VPN to overcome that?
-
In Hungary we have 1G/300M for about 15USD/month including 110 DVB TV channels and landline phone.
I guess everything is relative but still. :o
Steve
-
I know. Do you use VPN to overcome that?
Staying in HK, I don't need to do anything, GFW is only within mainland China border.
If people need to go to China, they definitely need VPN, but it's still not that easy because GFW apparently knows the OpenVPN traffic, that's why I'm going to construct an OVPN obfuscation proxy to my OVPN server for hiding myself….
-
@gonzopancho:
IPsec does profit from AES-NI, it's AES-CBC + HMAC-SHA1 that suffers. We're not done, either. For now, using AES-GCM with AES-NI will provide the largest gains. Again, we're not done here, but the current project is QAT.
At my last place, they used a patch from a consulting company that implemented AES-CBC with HMAC-SHA-xx with AES-NI acceleration. I have since moved on. If I can get more info / link on that, I will share.
-
You can't accelerate SHA with AES-NI.
Very modern Intel CPUs have instructions that will accelerate SHA/SHA2, but there is no support for that in FreeBSD or pfSense yet.
-
@jwt:
You can't accelerate SHA with AES-NI.
Very modern Intel CPUs have instructions that will accelerate SHA/SHA2, but there is no support for that in FreeBSD or pfSense yet.
I still don't have all the details, so I can't comment in depth. I have sent a query to my ex-colleagues. SHA-xx is not supported by AES-NI, whereas CBC is indeed accelerated. But the combo AES-CBC with SHA-xx is the problem. So if this combo is offered during negotiations, it is rejected… until 'net.inet.ipsec.crypto_support' is disabled. I see this all the time in IPsec VPN, and also especially with L2TP/IPsec from Windows 7 and 10 clients.
VhPham
-
Staying in HK, I don't need to do anything, GFW is only within mainland China border.
If people need to go to China, they definitely need VPN, but it's still not that easy because GFW apparently knows the OpenVPN traffic, that's why I'm going to construct an OVPN obfuscation proxy to my OVPN server for hiding myself….
Actually, it doesn't 'know' OVPN traffic per se.
It scans traffic in waves and explicitly blocks the common IPsec/GRE/L2TP ports etc. What it can't inspect (implying encrypted traffic or VPN traffic on non-common protocols or ports) when it catches during these waves of scanning, it logs; when the second or third wave picks up the same traffic pattern, it will assume it's VPN traffic and block it - that's how they catch on to OVPN and the like.
To bypass this, some VPN providers basically provide a tunnel within tunnel kind of configuration. It transfers the outer tunnel to roll between different endpoints to avoid being caught between waves and hopefully, the timing is just enough to let the GFW ignore it.
-
In China there are also some good VPN ISPs that are offering to the non-Chinese companies or citizens really good performing VPN capable Internet account where such needed ports are open and not closed. So actually a VPN tunnel or connection can be done with ease for foreign peoples in China, only to them self or Chinese citizens this Internet account are allowed.
-
@BlueKobold:
In China there are also some good VPN ISPs that are offering to the non-Chinese companies or citizens really good performing VPN capable Internet account where such needed ports are open and not closed. So actually a VPN tunnel or connection can be done with ease for foreign peoples in China, only to them self or Chinese citizens this Internet account are allowed.
There are. The GFW is more concerned about traffic to international endpoints than domestic endpoints.
What a lot of companies (from US and EU) do is to actually buy an MPLS from an ISP like AT&T who has a datacenter or PoP within China. Their traffic goes through the MPLS to the DC within China and transits through the private international lines after that.
-
So to bring the actual topic to a point… would a 2358 make a Gbit capable pfSense platform?