Netgate Discussion Forum
    Best 2017 hardware for gigabit fiber + VPN

    Guest

      It looks like the intent is to move away from DPDK but will still implement it in some form?

      Perhaps not for the general or public usage? Who knows. Link

      Hopefully someone more knowledgeable can chime in but I thought I'd share the post.

      Would be nice to hear some news about DPDK, netmap-fwrd and QuickAssist; these might be the
      most interesting things for me to hear about.

      VAMike

        @BlueKobold:

        I'm planning to build my first pfSense box. I live in Europe and I have a 1 gigabit fiber optical connection. I plan to use OpenVPN or IPSec or what is the fastest VPN I can get on the box. Therefore, the CPU must be at least AES-NI.

        If the CPU is strong or powerful enough it might not be necessary to have AES-NI inside; it might be good for IPsec for
        sure, but at the moment for OpenVPN it may not really be pushing the throughput. Doing an OpenSSL test on the
        same unit is not the same as doing it between two units over the internet.

        I really wish you would stop spreading FUD about AES-NI and OpenVPN. There is a significant performance benefit from using AES-NI hardware with OpenVPN, end of story.

        So, what do you guys think about it? Should I go for the above setup or use an i3/i7 Skylake/Kaby Lake that supports AES-NI and forget about QAT/DPDK? Any comments are welcome!

        Only for SPI/NAT & VPN it will be too much, or in other words go and have a look at the Qoton J1900 box for $260
        that will not route that 1 GBit/s at the WAN interface but is nice and cheap. If you are willing to be future proof the
        C2758 will be a real bomb, or you take something between these parts, like an Intel Core i3 CPU, and you will be happy!

        Neither the C2758 nor the J1900 can do gigabit OpenVPN. If that's the requirement, go with a fast current i3 (you still probably won't hit a full gigabit without some questionable tuning tradeoffs, but you'll get a lot closer). Forget QAT, it's a pipe dream. You don't need DPDK.

        messerchmidt

          Careful with the C2758, as it may have the clock generator bug depending on the revision: https://www.theregister.co.uk/2017/02/06/cisco_intel_decline_to_link_product_warning_to_faulty_chip/

          You could get a Ryzen 1700 with a B350 board as well.

          pfBasic

            @messerchmidt:

            you could get a ryzen 1700 with a b350 board as well

            I am looking forward to seeing Ryzen CPUs popping up in the pfSense world to see where they fit in for budget horsepower.

            VAMike

              @messerchmidt:

              you could get a ryzen 1700 with a b350 board as well

              It would be nice to see some relevant benchmarks for that platform.

              Korny

                This maybe helps goo.gl/WWGIcT

                That Ryzen really kicks Xeon behinds.

                The past two weeks I'm like a hawk on reading steroids. Trying to find the definitive answer on the "how to obtain 1 gbps (VPN) throughput without applying for a new mortgage" question. This thread is a great help so thank you all guys!

                VAMike

                  @Korny:

                  This maybe helps goo.gl/WWGIcT

                  Nope, those are pretty irrelevant benchmarks. :) At this point I don't have any real reason to think that a $400 ryzen will outperform a $120 i3 for this application. (It's not an application that scales well with increasing core count, and it does respond well to increasing clock speed. Up to a point–it also gets bottlenecked by packet/buffer sizing issues and increasing CPU performance tends to see diminishing returns.) It's a conversation that will get more interesting when we see what AMD offers on the lower end because building a pfsense on a 1700x doesn't make a whole lot more sense than building one on an E5. If AMD offers something comparable to denverton at a much better price/performance ratio than we've seen so far from avoton/rangely (intel's denverton strategy is still mostly a mystery), then that will shake up this space.

                  Trying to find the definitive answer on the "how to obtain 1 gbps (VPN) throughput without applying for a new mortgage" question.

                  Either that's hyperbole or you have a really small mortgage. The answer to this is pretty straightforward–buy the highest clocked i3 or i5 you can find/afford. You are unlikely to hit 1Gbps with a single OpenVPN stream regardless of the CPU. If you use multiple OpenVPN instances or use a different implementation (ipsec) then the 1Gbps target isn't that hard or expensive. Certainly less than the ryzen 1700x.

                  daveweinstein

                    This thread has been cold for a few months, but it still seems relevant. I'm also looking for the best inexpensive hardware for a full-time VPN tunnel to saturate a 1GB fibre connection.

                    Looking about, it seems like these are good candidates:

                    • http://www.lannerinc.com/products/x86-network-appliances/desktop/?option=com_content&view=article&id=1879:nca-1031&catid=26:desktop
                    • http://www.jetwaycomputer.com/JBC38AF542AA.html
                    • http://www.jetwaycomputer.com/JBC390F541AA.html

                    Although the J1900, while cheap, doesn't offer the AES-NI instructions, which seems like a non-starter for a VPN device.

                    Any thoughts?

                    Most polished/appliance-like look. Atom x7-3950… less CPU power than the Haswell device

                    Most power, and bad-ass looking heat fin case. Haswell processor

                    Least powerful, but cheap. There are even cheaper J1900 devices from Qoton

                      pfBasic

                      Not even close. You won't fit gigabit VPN even with the latest high clock i7.

                      Gigabit openvpn is limited by openvpn at this point.

                      You can get gigabit openvpn with gateway groups on an i3, but that setup has its own set of limitations and advantages.

                        daveweinstein

                        @pfBasic:

                        Not even close. You won't fit gigabit VPN even with the latest high clock i7.

                        Gigabit openvpn is limited by openvpn at this point.

                        You can get gigabit openvpn with gateway groups on an i3, but that setup has its own set of limitations and advantages.

                        Hmmm… what about IPSec IKEv2? I'm less worried about industrial espionage and more worried about my ISP selling/analyzing my connection log, traffic and browser history. Perhaps a lower level of encryption would be adequate?

                        -dw

                          pfBasic

                          I've never used ipsec but I would guess you'd have no problem with that. You can use the oldest most broken / compromised encryption you want for that.

                          Your ISP will not attempt to decrypt your encrypted traffic no matter how easy it might be to do so.

                            VAMike

                            @daveweinstein:

                            @pfBasic:

                            Not even close. You won't fit gigabit VPN even with the latest high clock i7.

                            Gigabit openvpn is limited by openvpn at this point.

                            You can get gigabit openvpn with gateway groups on an i3, but that setup has its own set of limitations and advantages.

                            Hmmm… what about IPSec IKEv2? I'm less worried about industrial espionage and more worried about my ISP selling/analyzing my connection log, traffic and browser history. Perhaps a lower level of encryption would be adequate?

                            -dw

                            IPsec isn't less secure than openvpn, it's just more of a pain to set up and much harder to reliably access from arbitrary locations on the internet. If you can use IPsec it's likely to perform better, but if you don't control both ends it might be hard to get working.

                              Ryu945

                              Did someone say an i5-7600K can't do a gigabit/s but they think the latest i3 can?

                                VAMike

                                @Ryu945:

                                Did someone say an i5-7600K can't do a gigabit/s but they think the latest i3 can?

                                No, they said even the fastest CPU can't achieve single stream gigabit because of non-CPU bottlenecks which dominate far below 1gbps. With multiple OpenVPN instances you can achieve 1gbps in aggregate even with a relatively modest CPU.

                                  Ryu945

                                  Explain what this bottleneck is clearly then. Can I just use one pfSense router and run multiple instances of the VPN, then tell the same pfSense router to merge it as a multi-WAN connection?

                                    pfBasic

                                    Somewhere in openvpn software it simply does not scale to gigabit.

                                    So you create multiple instances, which will utilize multiple cores/threads. Create a gateway group and you can bypass the restriction for some types of traffic but not all. I.e., anything that uses only one connection will be limited to the max throughput of one OpenVPN instance.

                                      Guest

                                      Explain what this bottleneck is clearly then.

                                      On OpenVPN the TUN/TAP architecture for sure.

                                      Can I just use one PFsense router and run multiple instances of the VPN.

                                      On OpenVPN you might be able to set up several tunnels, and they can each be running on one CPU core!
                                      Over IPsec you might also be able to set up more than one IPsec tunnel, but with the need for more IP addresses.

                                        VAMike

                                        @BlueKobold:

                                        Explain what this bottleneck is clearly then.

                                        On OpenVPN the TUN/TAP architecture for sure.

                                        Not really. There are more fundamental problems with the openvpn protocol that prevent it from approaching the limits of tun/tap. In my experience when it maxes out on a high speed link, it will do so before it runs out of CPU. Fundamentally, the problem is that it can't keep enough packets in flight to saturate a higher speed link. Too much of the code is synchronous: in a simplified view, the receiver will get a packet, process it, send it on, tell the sender it's ready for another one, etc. In a more asynchronous/threaded model the receiver would get a packet, tell the sender it's ready for another one, start processing the first one, get a second one, tell the sender it's ready for another one, start processing the second one, tell the sender it's ready for another one, send the first packet on, etc. At that point the tun interface becomes a bottleneck, but one you could throw hardware at (throwing hardware at openvpn now doesn't really change things much).

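The synchronous versus pipelined handoff described in the post above, as an added toy event simulation that is not part of the original thread or of OpenVPN's code. The packet size, the one-way handoff delay, the per-packet CPU cost and the "window" of packets the receiver lets the sender keep in flight are all constructed parameters chosen only to make the shape of the effect visible; they are not measurements of any real tunnel.

```python
"""Toy event simulation of one-in-flight versus pipelined packet handling.

Constructed illustration, not OpenVPN source. A sender hands packets to a
receiver that spends PROC_S of CPU on each one; every handoff in either
direction costs LAT_S. WINDOW is how many packets may be in flight before
the sender must wait for a "ready for another" signal: WINDOW=1 is the
synchronous model from the post, a larger WINDOW is the pipelined one.
"""
import heapq

PKT_BYTES = 1400      # constructed payload size per tunnel packet
LAT_S = 16e-6         # constructed one-way handoff delay (seconds)
PROC_S = 5e-6         # constructed per-packet CPU cost (seconds)
DURATION_S = 0.1      # simulated wall-clock time (seconds)


def simulate_mbps(window, proc_s=PROC_S, lat_s=LAT_S, duration_s=DURATION_S):
    """Run the model for duration_s seconds and return throughput in Mbit/s."""
    events = []               # min-heap of (time, kind)
    credits = window          # packets the sender may still put in flight
    receiver_free_at = 0.0    # when the receiver finishes its current packet
    delivered = 0

    def send_all(now):
        nonlocal credits
        while credits > 0:
            credits -= 1
            heapq.heappush(events, (now + lat_s, "arrive"))

    send_all(0.0)
    while events:
        now, kind = heapq.heappop(events)
        if now > duration_s:
            break
        if kind == "arrive":
            # The receiver processes strictly one packet at a time, in order.
            start = max(now, receiver_free_at)
            receiver_free_at = start + proc_s
            heapq.heappush(events, (receiver_free_at, "done"))
        elif kind == "done":
            delivered += 1
            # Only now does the receiver tell the sender it is ready for more.
            heapq.heappush(events, (now + lat_s, "ready"))
        else:
            # "ready" reached the sender: one more packet may go out.
            credits += 1
            send_all(now)
    return delivered * PKT_BYTES * 8 / duration_s / 1e6


def cpu_speedup_gain(window, factor=2.0):
    """Throughput ratio obtained by making per-packet processing `factor` times faster."""
    return simulate_mbps(window, proc_s=PROC_S / factor) / simulate_mbps(window)


if __name__ == "__main__":
    for w in (1, 16):
        print(f"window={w:2d}: {simulate_mbps(w):7.1f} Mbit/s, "
              f"x{cpu_speedup_gain(w):.2f} from a 2x faster CPU")
```

With one packet in flight the handoff round trip, not the CPU, sets the pace, so halving the per-packet CPU cost gains only a few percent; with sixteen packets in flight the receiver is always busy and the same CPU speedup roughly doubles throughput. That is the post's point in numbers: a faster processor buys little until the pipeline itself changes.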
                                          Pippin

                                          Does the attached diagram I made shed light on the subject?

                                          ovpn-flow08.png


                                            pfBasic

                                            Yeah, you can get in the neighborhood of 300Mbps AES-128 with an SoC J3355 Celeron @ 2.0 GHz.

                                            Throwing a 4.2 GHz i3-7350K at it only gets you in the 650Mbps range. Beyond that it didn't get much faster.

                                            While that may seem like linear scaling, it isn't. One part is an SoC Celeron architecture, the other is an actively cooled desktop part with a very high clock meant to be overclocked.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.