C2758 vs C3758 for Gigabit VPN?
-
haha. You are missing me being mistaken about the throughput of that board.
But I went looking again at an intel paper on ipsec and their chips and it does look like the best single core performance wins.
https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/aes-ipsec-performance-linux-paper.pdf
Notice their testing is 1 core and 1 tunnel. Or 6 cores and 6 tunnels. Then 12 cores and 12 tunnels.
I still like the i3 kaby lake.
-
https://store.netgate.com/pfSense/C2758.aspx
160
For some bizarre reason they're quoting speeds without AES-NI there, and no AES-GCM. So, basically irrelevant.
-
haha. You are missing me being mistaken about the throughput of that board.
But I went looking again at an intel paper on ipsec and their chips and it does look like the best single core performance wins.
https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/aes-ipsec-performance-linux-paper.pdf
Notice their testing is 1 core and 1 tunnel. Or 6 cores and 6 tunnels. Then 12 cores and 12 tunnels.
I still like the i3 kaby lake.
I don't entirely understand what you think you're seeing there. It has a single westmere core doing ~2Gbps IPSec 7 years ago on linux 2.6.
-
Haha nice, yea that thing is good to go.
This project is really getting out of hand and over budget unfortunately. This all started when both mine and my parents got Gigabit fiber which is allowing me to move my local backup server off-site to their house (Site B) for weekly backups. Buying a new CPU/MoBo combo to replace the current J1900 I have there in Site B and just slapping it into the current NUC sized Mini-ITX case was really the plan. That plan is clearly going off the rails now.
Maybe I need to rethink what my actual needs are. As much as I'd like to saturate my gigabit link, if I can even get 50MB/s file transfers that would probably suffice.
How are you planning to do the backups?
-
I think I see a scenario where speed per tunnel is linked to speed per core. So unless you need many tunnels, a few very fast cores is best.
-
I think I see a scenario where speed per tunnel is linked to speed per core. So unless you need many tunnels, a few very fast cores is best.
7 years ago. On linux 2.6.
-
I'm not sure what your point is? Perhaps I'm approaching this the wrong way.
What would be the least expensive option to get 1 gb per sec on ipsec? Today.
-
I'm not sure what your point is? Perhaps I'm approaching this the wrong way.
The point is that quoting a paper that's almost a decade old for an obsolete version of a different operating system is not a useful way to predict performance characteristics.
-
OK - So, what would you suggest? Do you have specs and testing for something that is shown to support wire speed on a gigabit to gigabit connection?
My feeling is that for a single tunnel the fastest dual core processor with AES-NI and good Intel NIC will win. I haven't found anything better. I'm also interested in seeing an actual test of two Kaby Lake pfSense with IPsec throughput.
-
Haha nice, yea that thing is good to go.
This project is really getting out of hand and over budget unfortunately. This all started when both mine and my parents got Gigabit fiber which is allowing me to move my local backup server off-site to their house (Site B) for weekly backups. Buying a new CPU/MoBo combo to replace the current J1900 I have there in Site B and just slapping it into the current NUC sized Mini-ITX case was really the plan. That plan is clearly going off the rails now.
Maybe I need to rethink what my actual needs are. As much as I'd like to saturate my gigabit link, if I can even get 50MB/s file transfers that would probably suffice.
How are you planning to do the backups?
Mainly using Veeam. I'll map my offsite backup server as a backup repository in Veeam and do direct snapshot backups to it. I also backup my PC images and documents that go to my onsite storage server. So from there I can either do SMB file transfers or rsync since both servers are Linux based.
-
Your board you already have will work great. I'm thinking about the future. Does it have AES-NI? You will get a lot faster than 50 unless something is broken.
-
Your board you already have will work great. I'm thinking about the future. Does it have AES-NI?
Which board are you talking about? My two endpoints are as follows:
Site A: Avoton C2758 (AES-NI)
Site B: Celeron J1900 (no AES-NI)
I was hoping that the 2758 would be able to handle gigabit IPSec so that I could just replace Site B and be done with it.
-
Site A: Avoton C2758 (AES-NI)
Site B: Celeron J1900 (no AES-NI)
The J1900 is a no go long term due to future AES-NI requirement.
The C2758 might not be very fast with just 1 tunnel. But its total power for doing lots of things at once is really nice.
For this task I like the old Xeon processor and board you talked about. You have one right? Just as long as it supports AES-NI.
You wouldn't want to use the j1900 and just have to pull it back out in a year.
-
Site A: Avoton C2758 (AES-NI)
Site B: Celeron J1900 (no AES-NI)
The J1900 is a no go long term due to future AES-NI requirement.
The C2758 might not be very fast with just 1 tunnel. But its total power for doing lots of things at once is really nice.
For this task I like the old Xeon processor and board you talked about. You have one right?
I have the following two CPU/board combos available. I'd prefer not to use the Xeon D since it has an on board LSI HBA able to support 16 drives that will be wasted in a pfSense box. And the i3 board I have wouldn't really work since it only has a single onboard NIC so I'd have to buy a PCIe NIC and a new case. I could take the i3 and find a different board for it but it's hard to find mini-itx i3 boards that have multiple NICs.
Xeon D CPU/board: https://www.supermicro.com/products/motherboard/Xeon/D/X10SDV-2C-7TP4F.cfm
i3-6100 CPU: https://ark.intel.com/products/90729/Intel-Core-i3-6100-Processor-3M-Cache-3_70-GHz
ASRock Board: http://www.asrock.com/mb/Intel/H110M-ITXac/
-
Sent you a PM… Let me know what you think.
-
You are not going to get anywhere close to the speed you want without buying faster hardware. But the combination of the Xeon and the Atom will be the fastest and most supported moving forward.
Otherwise, the cheapest and fastest I can think of today is new I3 based pfsense on both sides and I still don't know if it will max your connection. I'd bet it can.
But then there is the budget…
-
You are not going to get anywhere close to the speed you want without buying faster hardware. But the combination of the Xeon and the Atom will be the fastest and most supported moving forward.
Otherwise, the cheapest and fastest I can think of today is new I3 based pfsense on both sides and I still don't know if it will max your connection. I'd bet it can.
But then there is the budget…
I think I'm going to try the i3-6100 I have with the C2758 and see what kind of speeds it can push. If I'm unhappy with it, I'll upgrade the C2758. That's about as far as I'm willing to push the budget for this project.
-
Test it on a table through a switch before you install it.
Mine is right here:
https://www.cpubenchmark.net/cpu.php?cpu=AMD+Athlon+64+X2+Dual+Core+4800%2B
I will eventually upgrade it when it either dies or my bandwidth overpowers it. 60/60 is nothing for it.
-
Mainly using Veeam. I'll map my offsite backup server as a backup repository in Veeam and do direct snapshot backups to it. I also backup my PC images and documents that go to my onsite storage server. So from there I can either do SMB file transfers or rsync since both servers are Linux based.
The reason I asked is that if it were just using ssh/rsync I'd say skip all this farting around with VPNs and just port forward ssh. You can get ~600Mbps with ssh on a c2758. Given that you don't have a hard performance requirement, I mostly think you're overthinking this. Even with a VPN the C2758 will work fine.
-
Mainly using Veeam. I'll map my offsite backup server as a backup repository in Veeam and do direct snapshot backups to it. I also backup my PC images and documents that go to my onsite storage server. So from there I can either do SMB file transfers or rsync since both servers are Linux based.
The reason I asked is that if it were just using ssh/rsync I'd say skip all this farting around with VPNs and just port forward ssh. You can get ~600Mbps with ssh on a c2758. Given that you don't have a hard performance requirement, I mostly think you're overthinking this. Even with a VPN the C2758 will work fine.
Either way I have to upgrade Site B as the J1900 will not suffice. Yes I don't have a hard performance requirement but I would like to know what the max the C2758 will do over VPN. But I'm realizing I won't know that without testing it myself. Since Site B is less utilized than Site A (my home), I'm thinking I move the C2758 to Site B and put something at Site A that will have some headroom for the future.