Asus N3050I-C for OpenVPN (100MBIT WAN)
-
@lra:
@mauroman33, Thanks for the follow-up post.
It seems the simple OpenVPN benchmark formula referenced here:
https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743gives a reasonable base-line reference. I too have found the actual tested speed can be 5-20 % faster than the benchmark formula, and for some it is right on target.
Nothing beats an actual real-world test, but a quick CLI base-line test can be useful.
Hello, just a clarification.
Running the command I get this input:
27.41 real 25.62 user 1.77 sysWhat do you mean for "execution_time_seconds" in the formula? The "real" value or the "user" value?
-
@lra:
It seems the simple OpenVPN benchmark formula referenced here:
https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743Hello, just a clarification.
Running the command I get this input:
27.41 real 25.62 user 1.77 sysWhat do you mean for "execution_time_seconds" in the formula? The "real" value or the "user" value?
Use the "real" value…
(3200 / 27.41) = 117 Mbps OpenVPN performance (estimate)
-
@lra:
@lra:
It seems the simple OpenVPN benchmark formula referenced here:
https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743Hello, just a clarification.
Running the command I get this input:
27.41 real 25.62 user 1.77 sysWhat do you mean for "execution_time_seconds" in the formula? The "real" value or the "user" value?
Use the "real" value…
(3200 / 27.41) = 117 Mbps OpenVPN performance (estimate)
Thank you!
I saw that in a previous message you have tested a Celeron N2930 with those results
Execution time: 42.4 secs.
Maximum OpenVPN: 75 MbpsIf we consider that the Celeron N2930 is completely comparable with the Celeron N3150
http://www.cpubenchmark.net/compare.php?cmp%5B%5D=2255&cmp%5B%5D=2546
that got 117 Mbps as OpenVPN performance, we could assume the difference is totally due to the AES-NI support of the N3150.
What do you think about it? -
The AES-NI support of the N3150 is no doubt a large part of the increased performance, but there may be other factors as well.
Also, use this "OpenVPN benchmark formula" as a guide, not gospel.
-
@BlueKobold:
Could you please expand on why you think the APU2 would be better? To me it seems to have much slower performance on paper?
For sure I will do that. Only counting together the performance tech. specs. would be like:
-
APU2C2 is 4 CPU cores & AES-NI
-
Intel i210AT consumer grade NICs
-
2 GB normal RAM
-
3 x miniPCIe + SIM
-
mSATA support & SATA Port
-
wide spread and well supported
-
APU2C4 is 4 CPU cores & AES-NI
-
Intel i211AT LAN Ports server grade NICs
-
4 GB ECC RAM
-
3 x miniPCIe + SIM
-
mSATA support & SATA Port
-
wide spread and well supported
Both are available as a bundle for around ~220 € fully fan less and silent and are easy routing 100 MBit/s
with case and PSU. And it will be able also to route 250 MBit/s at the WAN Port with ease.How well is your board supported?
How well are the drivers are matching to that hardware?
How well it is playing together with pfSense (version 2.2.6)?The apu2 sports an AMD GX-412TC which clocks in at 1200MHz.
While the Intel n3150 clocks in at 1600MHz, and goes up to 2080MHz with turbo.Yep but would it do better then the APU2? It has more CPU power and thats it, perhaps it
would be better sorting the OpenVPN now, but since OpenVPN 2.4 and AES-GCM support
I would not swear on this! So I really thing there are other things similar matching but more
or better supported and running like hell. At the end of this thread I am counting together
some spare parts as an assemble, there are for sure better and stronger systems out there
but how well they are playing nice together with pfSense is the most question for me!This is an honest question, I really wonder, because I am trying to make this exact decision myself
Each of us has his own understanding, beloved hardware or systems he´s is more or less swearing
on for sure that must not be matching or considering the parts and interested in systems other would love
to go with.(Although I am looking at Jetway boards with mutliple NIC's, not Asus (With the cost of the extra NIC you're basically paying the same as a multi NIC board).).
Yes and no, sorry based on my lower English language skills I must take much more lines to explain something
but there are even also some strange differences and also if the hardware is based on the same SoC or CPU!
So there are J1900 and N2930 boards I hate and pfSense is causing problems with, and based on the same
CPUs or SoC, as explained in some line above, other boards will not have this failures, issues or malfunction.
And that mostly for only some bucks on top of the other hardware likes 20 € - 60 € and this is not really much
money of you can safe time and play around with your new hardware and don´t be boring about some problems.For your 100M connectivity, APU2/2150 should be able to handle the job easily, while the APU2 board comes with dual Intel i210/211 NICs which seems to be better.
Here in Germany are only some 100 MBit/s FTTH/FTTC connections able to get for private persons
and this is one of the most used self made firewall basis because pfSense, untangle UTM and Sophos
UTM are running fine on them too. The N2930 is working for edwardwong routing nearly 1 GBit/s at
the WAN port. I don´t know about the OpenVPN speed, but according to the AES-NI support in OpenVPN
version 2.4 it could really be that the APU2 is then better, perhaps also the Intel N3050i too, but from that
I don´t know the support of it. And due of the lack of AES-NI at the N2930 I was considering the APU2 as
a better choice.Entry Level:
-
APU2C4 bundle
-
Compex WLE200NX
-
Sierra Wireless MC7710 LTE
-
Crucial 30/60/120 GB mSATA
-
2 x 4 GB DDR3-1600MHz
-
Ubiquiti SR71-E WLAN card
-
Sierra Wireless MC7710 LTE
-
Crucial 30/60/120 GB mSATA
-
Supermicro A1SRi-2358 (new)
-
2 x 2 GB DDR3-1600MHz ECC RAM
-
Samsung840 Pro SSD 80/120/240 GB
pfSense SG-2220 / SG-2440
Mid ranged:
Supermicro A1SRi-2558
Supermicro A1SRi-2758- 2 x 4/8 GB DDR3-1600MHz ECC RAM
- Samsung840 Pro SSD 80/120/240 GB
pfSense SG-4860 / SG-8860
Professional:
- ASUS Q87T
- Gigabyte Q87T
- CPU support
Intel
Core
i7 (Haswell), Intel Core i5 (Haswell), Intel Core i3 (Haswell),
Intel Pentium G (Haswell), Intel Celeron G (Haswell), Intel Xeon E3 v3 (Haswell) - 2 x 2/4/8 GB S0-DIMM DDR3-1600MHz
- Intel Ethernet Server Adapter I350-T4
- WiFi Atheros AR9280 half length
- Crucial 30/60/120GB mSATA
- Noctua NH-L9i, CPU-Kühler
pfSense C2758 1U / XG-2758
High end:
- Gigabyte GA-6LISL
- Intel Xeon E3-12xxv3
- Intel i350 / i354 4x NIC
- 8/16 GB ECC DDR3 RAM
- Intel SLC/MLC 120/240 SSD
pfSense XG-2758 / XG-1500
I also encountered the same problem, this is useful information to me
Thank you so much -
-
@lra:
Perhaps a PC Engines APU or APU2 Board or bundle (PSU & case & Board) would be realizing this for you.
Could you please expand on why you think the APU2 would be better? To me it seems to have much slower performance on paper?
The apu2 sports an AMD GX-412TC which clocks in at 1200MHz.
While the Intel n3150 clocks in at 1600MHz, and goes up to 2080MHz with turbo.As for comparing OpenVPN performance, I have started using this benchmark:
openvpn --genkey --secret /tmp/secret time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbcThen to give the execution time in seconds a real-world meaning:
( 3200 / execution_time_seconds ) = Projected Maximum OpenVPN Performance in MbpsFor example (tested using Linux 3.2.x)…
PC Engines APU2 Quad Core AMD GX-412TC:
Execution time: 77.3 secs.
Maximum OpenVPN: 41 MbpsJetway NF9HG-2930 Quad Core Celeron N2930:
Execution time: 42.4 secs.
Maximum OpenVPN: 75 MbpsSo far, in my testing, this benchmark comes close to actual Maximum OpenVPN Performance measurements under optimum conditions. The projected speed should be an upper limit.
Note: The magic number of 3200 comes from summing 1 to 20000, multiply by 2 for encrypt and decrypt and by 8 bits/byte and divide by 1,000,000 for a result of Mbps
Do you really run AES256? Seems a little overkill.
If I want to know AES-128-CBC performance, can I just change it after –cipher?
Thanks,
Matt -
If I want to know AES-128-CBC performance, can I just change it after –cipher?
Yes, simply change to –cipher aes-128-cbc , the formula stays the same.
BTW, with OpenVPN 2.4 you can also test --cipher aes-256-gcm and --cipher aes-128-gcm .
-
would go for the quad core variant for not much more, if possible
apollo lake atom based board perhaps
-
FWIW, J3355B:
AES-256-CBC : 291.2Mbps
AES-256-GCM: 302.0MbpsAES-128-CBC: 293.5Mbps
AES-128-GCM: 307.9Mbps#: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc disabling NCP mode (--ncp-disable) because not in P2MP client or server mode 10.989u 0.015s 0:11.02 99.7% 819+178k 2+0io 0pf+0w #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm disabling NCP mode (--ncp-disable) because not in P2MP client or server mode 10.596u 0.023s 0:10.66 99.5% 817+178k 2+0io 0pf+0w #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc disabling NCP mode (--ncp-disable) because not in P2MP client or server mode 10.902u 0.015s 0:10.99 99.2% 821+178k 2+0io 0pf+0w #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm disabling NCP mode (--ncp-disable) because not in P2MP client or server mode 10.392u 0.015s 0:10.46 99.4% 818+177k 2+0io 0pf+0w -
FWIW, J3355B:
AES-256-CBC : 291.2Mbps
AES-256-GCM: 302.0MbpsAES-128-CBC: 293.5Mbps
AES-128-GCM: 307.9MbpsThanks for the useful information. I'm going to update the tread here:
https://forum.pfsense.org/index.php?topic=115673.0 -
@lra:
@mauroman33, Thanks for the follow-up post.
It seems the simple OpenVPN benchmark formula referenced here:
https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743gives a reasonable base-line reference. I too have found the actual tested speed can be 5-20 % faster than the benchmark formula, and for some it is right on target.
Nothing beats an actual real-world test, but a quick CLI base-line test can be useful.
@mauroman33 did you test 256 or 128 cipher? did you have AES-NI active in pfsense when doing this test? Do you know what version of pfsense this was?
I have Celeron N3150 with AES-NI hardware accelerators. I'm little disappointed if 115Mbps is cap of this processor. It was said it can do 300Mbps on single core.
My ISP connection is 180Mbps i was hoping 10% less then my ISP connection so 160Mbs?
Can you test or anyone else with this buffer code along with hardware accelerators on for N3150?
https://forum.pfsense.org/index.php?topic=128698.msg714619#msg714619
fast-io sndbuf 524288 rcvbuf 524288I don't think one can estimate output when hardware accelerators are on as we don't know what factor that changes things. I'm assuming estimates are based on CPU cycles alone no? I spent ~$350 on this box 2 yrs ago and for it to come short it's bit disappointing.
Anyone have any suggestions on newer cheap <$200 NUCs with CPU that has AES-NI accelerators instructions. I'm still keeping hope i can max out my ISP connection with N3150? Maybe those buffer codes?
I will soon have vpn and will do tests myself even with those buffer codes. They seemed to speed things up quite a bit.
Is GCM suppose to be faster more secure then CBC? What's the deal-eo with that?
-
I confirm that 115Mbps are the limit of a Celeron N3150, even with AES-NI active and those lines in OpenVPN Custom Options.
300Mbps were related to a Celeron J3355. -
I confirm that 115Mbps are the limit of a Celeron N3150, even with AES-NI active and those lines in OpenVPN Custom Options.
300Mbps were related to a Celeron J3355.Thanks buddy. Little disappointed. I was hoping for 165Mbps. BTW check this out. This guy changed send and recieve windows not sure what speed boost he got from it. Did you try it?
" I also changed net.inet.tcp.recvspace & net.inet.tcp.sendspace (under System -> Advanced -> System Tunables) to max 2048K (=2097152 bytes)"
https://forum.pfsense.org/index.php?topic=112877.msg788565#msg788565
Do you know any NUC boxes (lowed powered boxes with no noise fans) that host this Celeron J3355 or other better cpu with AES-NI ext???
-
What encryption settings are you using?
AES-GCM will be faster the CBC+auth. It's faster even with auth but you don't need that with GCM as it's built in.
Are you sure your CPU is using it's turbo mode correctly?
Steve
-
I confirm that 115Mbps are the limit of a Celeron N3150, even with AES-NI active and those lines in OpenVPN Custom Options.
300Mbps were related to a Celeron J3355.Thanks buddy. Little disappointed. I was hoping for 165Mbps. BTW check this out. This guy changed send and recieve windows not sure what speed boost he got from it. Did you try it?
" I also changed net.inet.tcp.recvspace & net.inet.tcp.sendspace (under System -> Advanced -> System Tunables) to max 2048K (=2097152 bytes)"
https://forum.pfsense.org/index.php?topic=112877.msg788565#msg788565
Do you know any NUC boxes (lowed powered boxes with no noise fans) that host this Celeron J3355 or other better cpu with AES-NI ext???
Yes, same values here.
You could take a look on something like that
https://www.amazon.com/ZOTAC-i5-6300U-Bluetooth-Barebones-ZBOX-CI545NANO-U/dp/B071P596LH/ref=sr_1_1?ie=UTF8&qid=1520466138&sr=8-1&keywords=ci545&th=1 -
What encryption settings are you using?
AES-GCM will be faster the CBC+auth. It's faster even with auth nut you don't need that with GCM as it's built in.
Are you sure your CPU is using it's turbo mode correctly?
Steve
Steve this is what i'm using. Yes ext are active. I don't have VPN yet but am in process of getting it. My vpn will have GCM 128 and 256.
My impression was AES-NI was suppose to help exponentially in Mbps speeds not linearly. I'm seeing some other ppl with same CPU 1.8Ghz but newer process pushing 300Mbps.
Something doesn't make sense here. 200Mhz would not double the speed. It has to be AES-NI or special tweaks. Also my N3150 is quad core but i'm hearing vpn is single threaded.
Celeron-Processor-J3355 doing 300Mbps is only 400Mhz faster then my cpu. 400Mhz will not double the speed in Mbps. Something else is here in play. Inconsistent PIA servers perhaps?
I will not be on PIA also btw.https://ark.intel.com/products/95597/Intel-Celeron-Processor-J3355-2M-Cache-up-to-2_5-GHz
-
What encryption settings are you using?
AES-GCM will be faster the CBC+auth. It's faster even with auth nut you don't need that with GCM as it's built in.
Are you sure your CPU is using it's turbo mode correctly?
Steve
Steve how do i enable turbo mode? Is that in bios settings?
Edit found it and enabled in bios for turbo. Pfsense still shows 1.6GHZ tho as it should as that's burst mode only
-
hey guys check this out. In openvpn documentation it shows that tweaks not cpu cycles increase throughput but problem is that vpn provider won't allow you to change MTU size beyond 1500
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
-
My impression was AES-NI was suppose to help exponentially in Mbps speeds not linearly. I'm seeing some other ppl with same CPU 1.8Ghz but newer process pushing 300Mbps.
Something doesn't make sense here. 200Mhz would not double the speed. It has to be AES-NI or special tweaks. Also my N3150 is quad core but i'm hearing vpn is single threaded.
Celeron-Processor-J3355 doing 300Mbps is only 400Mhz faster then my cpu. 400Mhz will not double the speed in Mbps. Something else is here in play. Inconsistent PIA servers perhaps?
I will not be on PIA also btw.https://ark.intel.com/products/95597/Intel-Celeron-Processor-J3355-2M-Cache-up-to-2_5-GHz
A Celeron N3150 is two years older than a Celeron J3355 that has a better implementation of AES-NI, I think isn't just matter of Mhz…
-
I just signed up with vpn and did my own testing and compared to this guy here. AES-NI does not work at all. It offers ZERO assist. Not one 1Mbs.
I've proven it here. I have doubled my cpu power over my asus 87u and it doubled my speed but look at this other guy results. https://forum.pfsense.org/index.php?topic=139926.0
