Xeon X3440 VPN + Throughput
-
Hello! I was wondering, how much VPN traffic do you guys think I could push through with a Xeon X3440?
How much with AES-128 and no encryption at all?
Also, how is the throughput difference betwene IPSec and OpenVPN?
I couldn't find much on pfSense and the X3440 specifically with VPNs, my current VM pfSense with the X5560 (same performance) only pushes around 20~ Mbps even with encryption 100% off, I was hoping to push more than that.
Thank you!
-
AES-128 is encryption. The X3xxx has no AES-NI, so you will have pretty bad performance. Sub-50Mbit. You can get it up by using multiple connection and load-balancing them to use more cores, but even then you'll be burning a lot of power for something you can do with a china box for 250 or less.
-
$250 is out of my $60 budget, how about no encryption? I feel like there's something with OpenVPN because even if 0 encryption it still had horrible performance. Also I run Snort with 60-100 mbps of traffic going through it so I'm not sure how those $250 routers do.
-
Are you sure you are turning off all the crypto?
Encryption Algorithm needs to be set to None and Auth digest algorithm as well. Both of them are slow on CPUs without acceleration for hashing etc.
-
All encryption off including auth digest, it doesn't use a whole lot of the CPU but I lose 80~ Mbps of throughput. This is an X5560 under ESXi, I don't know if ESXi has any effect on it.
-
Oh yes, ESXi will trash it. That's the problem.
-
I was hoping that'd be the answer, hopefully I'll get more on the hardware based. I thought it was weird having low CPU usage but only 30~ Mbps throughput. Is there any way to accelerate AES without an AES CPU?
I've seen AES accelerator cards around Ebay but I don't think they'd be useful, but I'm just curious.
-
Yes, QuickAssist in the future (but by then the CPU won't be supported by pfSense anymore) and right now there are things like HiFn accelerator cards, they do AES.
-
You should see waaay more than 20Mbps with an X3440. An old school Atom could push ~50Mbps OpenVPN with low encryption settings.
OpenVPN will always be slower than IPSec because of the kernel mode / user mode switches required.
Steve