Netgate Discussion Forum

    Celeron J1900 only pushing 125Mbps over IKEv2 IPSec?

      JimPhreak

      I currently have a site-to-site OpenVPN tunnel between two sites and I want to migrate that tunnel to an IPsec tunnel to be able to achieve full line speed (1Gbps).  Are there any docs/links that explain how to set up a new IPsec tunnel on pfSense 2.4 for someone whose only experience is with OpenVPN?

        JimPhreak

        OK, I was able to get an IKEv2 IPSec tunnel set up.  What's the best way to test the speed of this tunnel, as I've heard that SMB transfers are not a good indicator as they can be really slow over WAN links (I'm getting about 15MB/s currently over the tunnel).  The slower (CPU wise) endpoint (J1900) hits about 35-38% CPU usage during these transfers so I'm thinking I have more headroom.

          NogBadTheBad

          iperf.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            JimPhreak

            @NogBadTheBad:

            iperf.

            I just tried this but for some reason I can't communicate directly between pfSense boxes.  Site B endpoint cannot ping Site A endpoint.  But a device in the same LAN subnet as Site B endpoint CAN ping and communicate with Site A.  Firewall rule for IPsec is allowing ANY/ANY on both sides right now.

            Basically I can ping and access Site A endpoint and devices behind the endpoint from devices behind Site B endpoint but not directly from Site B endpoint.

            EDIT:  Check that, I can't ping either endpoint from the other but can from devices in the same subnets as the endpoints.

              JimPhreak

              Ok.  I wound up just running iperf between two devices directly connected to pfSense on each end and the speed is the same as I'm getting during my SMB test transfers (roughly 125Mbps).  So that does appear to be the limit of my tunnel as currently constructed or based on hardware.

              Can anyone comment on whether or not the Celeron J1900 should be able to handle higher speed than that?  If not I'll upgrade it.  I have a C2758 available to use, would that suffice?

                NogBadTheBad

                Don't think the J1900 supports AES-NI.

                https://ark.intel.com/products/78867/Intel-Celeron-Processor-J1900-2M-Cache-up-to-2_42-GHz

                The C2758 does.

                https://ark.intel.com/products/77988/Intel-Atom-Processor-C2758-4M-Cache-2_40-GHz

                https://en.wikipedia.org/wiki/AES_instruction_set

                Andy

                  JimPhreak

                  @NogBadTheBad:

                  Don't think the J1900 supports AES-NI.

                  https://ark.intel.com/products/78867/Intel-Celeron-Processor-J1900-2M-Cache-up-to-2_42-GHz

                  The C2758 does.

                  https://ark.intel.com/products/77988/Intel-Atom-Processor-C2758-4M-Cache-2_40-GHz

                  https://en.wikipedia.org/wiki/AES_instruction_set

                  Yes I'm aware that the J1900 does not and the C2758 does.  My question really boils down to whether or not the C2758 with AES-NI will handle 1Gbps IPsec.

                    NogBadTheBad

                    Just had a play; you can bind iperf to an IP address via the console using -B

                    [2.4.1-RELEASE][admin@pfSense-vm1.localdomain]/root: iperf -B 10.0.1.1 -c 10.0.2.1
                    ------------------------------------------------------------
                    Client connecting to 10.0.2.1, TCP port 5001
                    Binding to local address 10.0.1.1
                    TCP window size: 64.2 KByte (default)

                    [  3] local 10.0.1.1 port 2344 connected with 10.0.2.1 port 5001
                    [ ID] Interval      Transfer    Bandwidth
                    [  3]  0.0-10.0 sec  152 MBytes  127 Mbits/sec
                    [2.4.1-RELEASE][admin@pfSense-vm1.localdomain]/root:

                    [2.4.1-RELEASE][admin@pfSense-vm2.localdomain]/root: iperf -B 10.0.2.1 -s
                    ------------------------------------------------------------
                    Server listening on TCP port 5001
                    Binding to local address 10.0.2.1
                    TCP window size: 63.7 KByte (default)

                    [  4] local 10.0.2.1 port 5001 connected with 10.0.1.1 port 2344
                    [ ID] Interval      Transfer    Bandwidth
                    [  4]  0.0-10.0 sec  152 MBytes  127 Mbits/sec

                    Andy

                      JimPhreak

                      @NogBadTheBad:

                      Just had a play; you can bind iperf to an IP address via the console using -B

                      [2.4.1-RELEASE][admin@pfSense-vm1.localdomain]/root: iperf -B 10.0.1.1 -c 10.0.2.1
                      ------------------------------------------------------------
                      Client connecting to 10.0.2.1, TCP port 5001
                      Binding to local address 10.0.1.1
                      TCP window size: 64.2 KByte (default)

                      [  3] local 10.0.1.1 port 2344 connected with 10.0.2.1 port 5001
                      [ ID] Interval      Transfer    Bandwidth
                      [  3]  0.0-10.0 sec  152 MBytes  127 Mbits/sec
                      [2.4.1-RELEASE][admin@pfSense-vm1.localdomain]/root:

                      [2.4.1-RELEASE][admin@pfSense-vm2.localdomain]/root: iperf -B 10.0.2.1 -s
                      ------------------------------------------------------------
                      Server listening on TCP port 5001
                      Binding to local address 10.0.2.1
                      TCP window size: 63.7 KByte (default)

                      [  4] local 10.0.2.1 port 5001 connected with 10.0.1.1 port 2344
                      [ ID] Interval      Transfer    Bandwidth
                      [  4]  0.0-10.0 sec  152 MBytes  127 Mbits/sec

                      I get "Can't assign requested address" if I try that.
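
"Can't assign requested address" is the operating system's message for EADDRNOTAVAIL, which bind() returns when the address passed to `-B` is not configured on a local interface. The following is an added example, not code from the thread: a pre-flight check to run before `iperf -B`. The function names (`sample_ifconfig`, `local_addrs`, `preflight`), the interface names and the WAN address are hypothetical; only 10.0.1.1 and 10.0.2.1 come from the posts above.

```shell
#!/bin/sh
# Added example: pre-flight check for `iperf -B <addr>` on a FreeBSD/pfSense shell.
# bind() returns EADDRNOTAVAIL ("Can't assign requested address") when <addr>
# is not configured on any local interface.

# Constructed sample of `ifconfig -a` output (interface names and the WAN
# address are made up; 10.0.1.1 is the LAN address used in the thread).
sample_ifconfig() {
    cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::1%em1 prefixlen 64 scopeid 0x2
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
EOF
}

# Print every IPv4 address found in ifconfig-style text on stdin.
local_addrs() {
    awk '$1 == "inet" { print $2 }'
}

# preflight ADDR: read ifconfig output on stdin, succeed only if ADDR is an
# exact match for a local IPv4 address (so 10.0.1.1 does not match 10.0.1.10).
preflight() {
    addr=$1
    addrs=$(local_addrs)
    if printf '%s\n' "$addrs" | grep -Fxq -- "$addr"; then
        echo "ok: $addr is local, iperf -B $addr can bind"
    else
        echo "fail: $addr is not on this host, bind would fail" >&2
        echo "local IPv4 addresses: $(echo $addrs)" >&2
        return 1
    fi
}

# Demo on the constructed sample; on a real box use: ifconfig -a | preflight ADDR
sample_ifconfig | preflight 10.0.1.1
sample_ifconfig | preflight 10.0.2.1 || true
```

On the firewall itself, `ifconfig -a | preflight 10.0.1.1 && iperf -B 10.0.1.1 -c 10.0.2.1` only starts the client when the bind address really belongs to that box.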

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.