Pfsense hardware for home
-
pfSense i7-4510U + 2x Intel 82574 + 2x Intel i350 (miniPCIE) Mini-ITX Build
did you test the power usage?
You will be able to push gigabit speeds with this setup, but you wont be able to get 100mbits over OpenVPN (most likely).
thanks! Is 50 Mbits OpenVPN possible?
Another configuration (which is available in Germany and without assemble):
- Intel Celeron N2930 4-Core 2,16 GHz 2MB
- 2x 1 GBit/s LAN (RJ-45) Intel
82583V - 8 GB DDR3 1600 LV SO-DIMM ATP
- 80 GB SATA III Intel SSD MLC 2,5“ (DC S3510)
–> Unfortunately, no AES
Is that better?
50mbps over openvpn should be possible.
OpenVPN does not support AES yet anyway - it should support it soon.
I built a similar machine with an i7 for less than 500 usd.
https://forum.pfsense.org/index.php?topic=113610.msg631641#msg631641
-
You might want to take a look at the current APU2:
http://pcengines.ch/apu2c4.htmIt doesn't reach wire speed when forwarding with rules, but around 650Mbit.
It easiely does 100Mbit openvpn. -
Maybe you'd consider sth like this:
Barebone:
http://geizhals.de/shuttle-xpc-slim-xh110v-pib-xh110v11-a1408110.htmlCPU (i3 Dual-Core with SMT):
http://geizhals.de/intel-core-i3-6100-bx80662i36100-a1329935.html?hloc=at&hloc=deRAM (dual rank 2x4GB):
2x http://geizhals.de/crucial-so-dimm-4gb-ct51264bf160b-a673173.html?hloc=at&hloc=deand f.i. a 120 GB MLC SSD (240GB+ would be even better looking at current GB-per-€ ratio…all depends on how much you are willing to spend):
http://geizhals.de/sandisk-plus-120gb-sdssda-120g-g25-a1218323.html?hloc=at&hloc=deTotal: ca. € 380,-
If you go for a 2-core CPU without SMT, like an Intel G3900 (supports AES-NI as well), you'd be at € 300,- total.
Small, easy to install, PSU included, 2x Intel NIC included...I would have bought sth like that, if I'd build it from scratch. Or at least sth in the same size.
-
You might want to take a look at the current APU2:
…
It easiely does 100Mbit openvpn.is the "AMD Embedded G series GX-412TC, 1 GHz quad" for openvpn better than as an Intel Pentium Processor N3700?
CPU (i3 Dual-Core with SMT):
http://geizhals.de/intel-core-i3-6100-bx80662i36100-a1329935.html?hloc=at&hloc=deUnfortunately, the TDP is very high (TDP: 51W)
I've found the Supermicro A1SRi-2358F and X11SBA-LN4F Mainboard:
Supermicro A1SRi-2358F ( Intel Atom processor C2358):
- 1,7 - 2 Ghz
- 2 Core
- Intel QuickAssist
- AES-NI
- ECC Ram possible
Supermicro X11SBA-LN4F (Intel Pentium Processor N3700)
- 1.6 GHz - 2.4 GHz
- 4 Core
- no Intel QuickAssist
- no ECC RAM
so which Mainboard should I use for my configuration?
-
is the "AMD Embedded G series GX-412TC, 1 GHz quad" for openvpn better than as an Intel Pentium Processor N3700?
I have a hard time believing that the AMD would be faster. Even at the same clock speed, the Intel chip will beat the AMD in pretty much any task. Both CPUs support AES-NI.
For reference I'm running an AMD CPU with 2 Jaguar (same architecture as the GX-412TC) cores at 1.45GHz. I'm still tweaking, but currently getting about 80Mbps over OpenVPN. That's with AES-NI enabled. I think it should do better, but that's the best I've achieved so far. OpenVPN is single threaded, so the core count doesn't matter in this case.
-
I've found the Supermicro A1SRi-2358F and X11SBA-LN4F Mainboard:
Supermicro A1SRi-2358F ( Intel Atom processor C2358):
- 1,7 - 2 Ghz
- 2 Core
- Intel QuickAssist
- AES-NI
- ECC Ram possible
Supermicro X11SBA-LN4F (Intel Pentium Processor N3700)
- 1.6 GHz - 2.4 GHz
- 4 Core
- no Intel QuickAssist
- no ECC RAM
so which Mainboard should I use for my configuration?
Between those two I'd choose the X11SBA-LN4F. ECC isn't really necessary for an application like pfsense. QuickAssist support is on the radar but won't help you now. I'd choose the N3700 for the higher turbo clock speed and additional cores.
-
Between those two I'd choose the X11SBA-LN4F. ECC isn't really necessary for an application like pfsense. QuickAssist support is on the radar but won't help you now. I'd choose the N3700 for the higher turbo clock speed and additional cores.
thank you very much! Did you test the openvpn performance?
-
Is a SG-4860 enough for 250 Mbit openvpn throughput ?
-
Between those two I'd choose the X11SBA-LN4F. ECC isn't really necessary for an application like pfsense. QuickAssist support is on the radar but won't help you now. I'd choose the N3700 for the higher turbo clock speed and additional cores.
thank you very much! Did you test the openvpn performance?
I don't own the N3700, so no. I'm just going on what I know about OpenVPN. The N3700 is a faster CPU than the C2358 and thus will provide better OpenVPN performance. I can't say in absolute terms how well it will perform, though.
-
Is a SG-4860 enough for 250 Mbit openvpn throughput ?
take a look here: https://forum.pfsense.org/index.php?topic=115673.0
I dont think it will safely push that much bandwidth. Based on the PassMark benchmark, its about half the capacity of the i7-4510U - I can push about 300mbps OpenVPN theoretically when my CPU is set to CMax (turbo at 3.0ghz)
i7-4510U PassMark: https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+i7-4510U+%40+2.00GHz
C2558 Atom CPU PassMark: http://www.cpubenchmark.net/cpu.php?cpu=Intel+Atom+C2558+%40+2.40GHz -
- Intel Pentium Processor N3700
- X11SBA-LN4F Supermicro
- 8 GB S0-DDR3
- Kingston SV300S37A/60G SSDNow V300 interne SSD-Festplatte 60GB
is it possible to use Snort with this config?
- Intel
-
- Intel Pentium Processor N3700
- X11SBA-LN4F Supermicro
- 8 GB S0-DDR3
- Kingston SV300S37A/60G SSDNow V300 interne SSD-Festplatte 60GB
is it possible to use Snort with this config?
Yes, snort and pfblockerng will work and love the 8gb of ram
- Intel
-
- Intel Pentium Processor N3700
- X11SBA-LN4F Supermicro
- 8 GB S0-DDR3
- Kingston SV300S37A/60G SSDNow V300 interne SSD-Festplatte 60GB
is it possible to use Snort with this config?
I got a miniPC with the Celeron N3150 as home router with a fiber connection 100/100
I've added 8GB RAM and a 120GB SSD (not easy to find less). Total cost was about $220.
It has two Realtek NICs, maybe I'm lucky but I've never seen lost packets in four months.
I'm really satisfied, it's capable to run snort, pfBlocker and the OpenVpn client to PIA smooth as silk.
No problem to reach the full line speed in OpenVPN.
Intel N3700 it's a little more performant than N3150 so I think you should easily reach 130Mbs in OpenVPN. - Intel
-
Just a note with the N3700… while it doesn't have QuickAssist support, it does still have AES-NI support. I did some digging and see that about 6 months ago, OpenVPN added support for AES-GCM (ticket 301), so if you can set it up to use that, you might find much faster VPN performance. Not sure if it's set to take advantage of the Intel AES-NI or not, but it might help.
If pfSense doesn't have that option for OpenVPN, then going with IPSEC using AES-GCM should also be accelerated. Of course, that's a much larger change to be making.
-
@virgiliomi:
Just a note with the N3700… while it doesn't have QuickAssist support, it does still have AES-NI support. I did some digging and see that about 6 months ago, OpenVPN added support for AES-GCM (ticket 301), so if you can set it up to use that, you might find much faster VPN performance. Not sure if it's set to take advantage of the Intel AES-NI or not, but it might help.
If pfSense doesn't have that option for OpenVPN, then going with IPSEC using AES-GCM should also be accelerated. Of course, that's a much larger change to be making.
currently pfSense only supports AES acceleration via IPsec, not through OpenVPN. I believe the developers are looking to add support for AES with OpenVPN on the next release.
-
@virgiliomi:
Just a note with the N3700… while it doesn't have QuickAssist support, it does still have AES-NI support. I did some digging and see that about 6 months ago, OpenVPN added support for AES-GCM (ticket 301), so if you can set it up to use that, you might find much faster VPN performance. Not sure if it's set to take advantage of the Intel AES-NI or not, but it might help.
If pfSense doesn't have that option for OpenVPN, then going with IPSEC using AES-GCM should also be accelerated. Of course, that's a much larger change to be making.
currently pfSense only supports AES acceleration via IPsec, not through OpenVPN. I believe the developers are looking to add support for AES with OpenVPN on the next release.
Ok, good to know. But that's still a plus that the N3700 will offer, when the update comes. That will bring even more value to the N3700 system then!
-
currently pfSense only supports AES acceleration via IPsec, not through OpenVPN
You sure?
Do you know that OpenSSL, which is part of OpenVPN, will automatically use AES-NI when available on SOC?
No need to enable anything in pfSense in that case, as in, do not load any module, to take advantage of it.It does very well support AES through OpenVPN, no doubt about it.
The problem is more the hashing that takes place which will be "kind of history" when GCM comes with OpenVPN 2.4.Just do
env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-cbcfor speedtest without AES-NI, and
openssl speed -elapsed -evp aes-256-cbcwith AES-NI.
See the (big) difference? -
currently pfSense only supports AES acceleration via IPsec, not through OpenVPN
You sure?
Do you know that OpenSSL, which is part of OpenVPN, will automatically use AES-NI when available on SOC?
No need to enable anything in pfSense in that case, as in, do not load any module, to take advantage of it.It does very well support AES through OpenVPN, no doubt about it.
The problem is more the hashing that takes place which will be "kind of history" when GCM comes with OpenVPN 2.4.Just do
env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-cbcfor speedtest without AES-NI, and
openssl speed -elapsed -evp aes-256-cbcwith AES-NI.
See the (big) difference?You may be right, but I dont see the difference:
[2.3.3-DEVELOPMENT][root@pfSense.pf.lan]/root: env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-cbc You have chosen to measure elapsed time instead of user CPU time. Doing aes-256-cbc for 3s on 16 size blocks: 1714069 aes-256-cbc's in 3.00s Doing aes-256-cbc for 3s on 64 size blocks: 1577402 aes-256-cbc's in 3.01s Doing aes-256-cbc for 3s on 256 size blocks: 1283958 aes-256-cbc's in 3.00s Doing aes-256-cbc for 3s on 1024 size blocks: 744736 aes-256-cbc's in 3.00s Doing aes-256-cbc for 3s on 8192 size blocks: 149773 aes-256-cbc's in 3.00s OpenSSL 1.0.1s-freebsd 1 Mar 2016 built on: date not available options:bn(64,64) rc4(8x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) compiler: clang The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 9141.70k 33563.84k 109564.42k 254203.22k 408980.14k[2.3.3-DEVELOPMENT][root@pfSense.pf.lan]/root: openssl speed -elapsed -evp aes-256-cbc You have chosen to measure elapsed time instead of user CPU time. Doing aes-256-cbc for 3s on 16 size blocks: 1725942 aes-256-cbc's in 3.00s Doing aes-256-cbc for 3s on 64 size blocks: 1580980 aes-256-cbc's in 3.00s Doing aes-256-cbc for 3s on 256 size blocks: 1281281 aes-256-cbc's in 3.00s Doing aes-256-cbc for 3s on 1024 size blocks: 740019 aes-256-cbc's in 3.00s Doing aes-256-cbc for 3s on 8192 size blocks: 148567 aes-256-cbc's in 3.00s OpenSSL 1.0.1s-freebsd 1 Mar 2016 built on: date not available options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) compiler: clang The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 9205.02k 33727.57k 109335.98k 252593.15k 405686.95kBelow is a screenshot of my pfSense GUI showing I have AES functionality support for my CPU:
-
Do you have any Cryptographic Hardware module loaded in pfSense?
System/ Advanced/ Miscellaneous
Set to none and reboot.Without AES-NI
env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-cbc type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 23990.78k 28635.43k 29824.77k 75725.14k 76436.82kWith AES-NI
openssl speed -elapsed -evp aes-256-cbc type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 132721.93k 211522.30k 244506.28k 254213.80k 256557.76kWith aesni.ko module loaded, meaning Cryptographic Hardware is set to AES-NI
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 4643.26k 17799.15k 57819.31k 136405.67k 218895.70k -
Do you have any Cryptographic Hardware module loaded in pfSense?
System/ Advanced/ Miscellaneous
Set to none and reboot.Without AES-NI
env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-cbc type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 23990.78k 28635.43k 29824.77k 75725.14k 76436.82kWith AES-NI
openssl speed -elapsed -evp aes-256-cbc type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 132721.93k 211522.30k 244506.28k 254213.80k 256557.76kYes, I have Cryptographic Hardware set to AES-NI CPU-based Acceleration
OpenVPN's Hardware Crypto is set to BSD Cryptodev EngineAre these settings correct?
[2.3.3-DEVELOPMENT][root@pfSense.pf.lan]/root: dmesg | grep -i aes [15] aesni0: <aes-cbc,aes-xts,aes-gcm,aes-icm> on motherboard Features2=0x7fdafbbf<sse3,pclmulqdq,dtes64,mon,ds_cpl,vmx,est,tm2,ssse3,sdbg,fma,cx16,xtpr,pdcm,pcid,sse4.1,sse4.2,movbe,popcnt,tscdlt,aesni,xsave,osxsave,avx,f16c,rdrand></sse3,pclmulqdq,dtes64,mon,ds_cpl,vmx,est,tm2,ssse3,sdbg,fma,cx16,xtpr,pdcm,pcid,sse4.1,sse4.2,movbe,popcnt,tscdlt,aesni,xsave,osxsave,avx,f16c,rdrand></aes-cbc,aes-xts,aes-gcm,aes-icm>[2.3.3-DEVELOPMENT][root@pfSense.pf.lan]/root: cryptostats 10953025 symmetric crypto ops (0 errors, 0 times driver blocked) 0 key ops (0 errors, 0 times driver blocked) 0 crypto dispatch thread activations 0 crypto return thread activations
