Newbie to pfSense and need advice
-
Where it becomes a bit more config is in the details of what else you might or might not want to do, exactly. A sg-3100 should be more than powerful enough to handle 100Mbps connection.
100Mbps openvpn?
-
"100Mbps openvpn?"
Well from Ivor on reddit
https://www.reddit.com/r/PFSENSE/comments/71sgeh/a_few_more_sg3100_photos_performance_numbers_in/
up to 95Mbps throughput with OpenVPN AES128-CBC SHA1
So I would say that's pretty freaking close
And where did OP state openvpn?
up to 300Mbps throughput with IPsec AES128-CBC SHA1
-
"100Mbps openvpn?"
Well from Ivor on reddit
https://www.reddit.com/r/PFSENSE/comments/71sgeh/a_few_more_sg3100_photos_performance_numbers_in/
up to 95Mbps throughput with OpenVPN AES128-CBC SHA1
So I would say that's pretty freaking close
Any real world numbers? I don't know what "up to" means.
And where did OP state openvpn?
up to 300Mbps throughput with IPsec AES128-CBC SHA1
It's pretty common for consumer vpn.
-
I do not have a sg-3100 to play with, or I would be more than happy to do some actual testing..
But there are many vpn services that provide ipsec.. For the consumer.. Do a simple google.. PPTP is also still common ;) So if the user doesn't actually come out and state who they are using and what protocol just guessing.
I would think that enough sg-3100 are out in the wild now that some real world numbers with different vpn service providers and protocols are out there somewhere.. I am saying what I have seen.. I will keep an eye out for some more detailed reporting of vpn speeds.
-
But there are many vpn services that provide ipsec.. For the consumer.. Do a simple google.. PPTP is also still common ;) So if the user doesn't actually come out and state who they are using and what protocol just guessing.
I felt the same after seeing an unconditional recommendation that a particular product would meet the requirements. ;-)
I would think that enough sg-3100 are out in the wild now that some real world numbers with different vpn service providers and protocols are out there somewhere..
You'd think, yet I haven't seen any. Hence the question about whether there was any real third party experience behind the recommendation. Apparently not.
-
Don't get the sg-3100, it's right on the edge of what you need, if your needs change just slightly you'll be running into problems. Get a mobile i5 type of box, that's the power you need to get it running for today but the next 5 years as well.
-
You'd think, yet I haven't seen any. Hence the question about whether there was any real third party experience behind the recommendation. Apparently not.
Those numbers are valid and we stand behind them. I can confirm many of 3100 owners were satisfied with those speeds (thousands of units sold).
@johnkeates:
Don't get the sg-3100, it's right on the edge of what you need, if your needs change just slightly you'll be running into problems. Get a mobile i5 type of box, that's the power you need to get it running for today but the next 5 years as well.
100Mbps OpenVPN seems to be fine for OP's requirements, you won't get some huge OpenVPN speeds from that i5 anyway. 3100 can deliver up to 300Mbps with IPsec too. If that's not enough we have higher end appliances as well.
Future wise all pfSense official appliances will have an opportunity to have a lot better OpenVPN performance. I can't comment right now about it, since new technologies are still in development.
-
You'd think, yet I haven't seen any. Hence the question about whether there was any real third party experience behind the recommendation. Apparently not.
Those numbers are valid and we stand behind them. I can confirm many of 3100 owners were satisfied with those speeds (thousands of units sold).
@johnkeates:
Don't get the sg-3100, it's right on the edge of what you need, if your needs change just slightly you'll be running into problems. Get a mobile i5 type of box, that's the power you need to get it running for today but the next 5 years as well.
100Mbps OpenVPN seems to be fine for OP's requirements, you won't get some huge OpenVPN speeds from that i5 anyway. 3100 can deliver up to 300Mbps with IPsec too. If that's not enough we have higher end appliances as well.
Future wise all pfSense official appliances will have an opportunity to have a lot better OpenVPN performance. I can't comment right now about it, since new technologies are still in development.
Well, most of those speeds are possible while also limited to AES-128 in CBC mode with SHA1. Doesn't mean it's bad, and in this case the threat model probably doesn't require better crypto or hashing. So while not a problem today, buying something that is 'good' right now doesn't mean it will be 'good' in 3 years. And replacing it every 3 years is rather soon for a home setup.
I'd say, the SG-3100 would be a good choice if you're up to 60Mbit now, and want it to last and cover most changes for a period of 5 years.
-
@johnkeates:
And replacing it every 3 years is rather soon for a home setup.
I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.
And if you read some background information about what netgate is working on you might want to replace your unit within this three year time span anyways.
-
@johnkeates:
And replacing it every 3 years is rather soon for a home setup.
I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.
And if you read some background information about what netgate is working on you might want to replace your unit within this three year time span anyways.
Well, I don't replace my stuff that often, still running the Xeon E3 from 5 years ago just fine. And the topic starter might not want to do that either. Also, I'm not sure what NetGate is doing, and I'm not sure about TNSR and the other thing, not sure about DPDK and QAT coming etc, I'm sure a lot of stuff is being worked on, but none of it seems to have hit any public repositories, and maybe it never will.
-
@johnkeates:
still running the Xeon E3 from 5 years ago just fine.
I'm not sure about power consumption of that CPU but usually the same compute power with a current CPU uses significantly less power. Sometimes the savings pay for the device within a year's usage.
There might be quite different reasons to change gear more often than need be. (Having said that, I'm usually the one who sticks with gear longer than .. sometimes even makes sense. But don't tell! ;)
-
@johnkeates:
still running the Xeon E3 from 5 years ago just fine.
I'm not sure about power consumption of that CPU but usually the same compute power with a current CPU uses significantly less power. Sometimes the savings pay for the device within a year's usage.
There might be quite different reasons to change gear more often than need be. (Having said that, I'm usually the one who sticks with gear longer than .. sometimes even makes sense. But don't tell! ;)
Yeah, I know all about that ;-) I do have a bit of an advantage in that it's virtualised with a bunch of other things, pfSense gets 4 cores so it's not like a total waste on a 500/500 line, and there are about 4 OpenVPN client instances running at the same time.
Most new basic setups I do with mobile i3 or i5 CPUs, not much of an ARM fleet yet. Also because the price isn't quite there yet.
-
Here is the current plan. Someone is donating an older pc to me. I’ll get that and throw another network card in it and play around and see what speeds I can get. What nic should I look out for? Assuming the box will only have one built onto the mobo.
-
@johnkeates:
And replacing it every 3 years is rather soon for a home setup.
I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.
And if you read some background information about what netgate is working on you might want to replace your unit within this three year time span anyways.
What are you talking about?
-
What are you talking about?
You're asking this? :o
DPDK, VPP, … and what else you had in mind:
@ivor:
Future wise all pfSense official appliances will have an opportunity to have a lot better OpenVPN performance. I can't comment right now about it, since new technologies are still in development.
-
Let's try again :)
I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.
And if you read some background information about what netgate is working on you might want to replace your unit within this three year time span anyways.
What did you mean by this?
-
Let's try again :)
I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.
And if you read some background information about what netgate is working on you might want to replace your unit within this three year time span anyways.
What did you mean by this?
He is aiming for: netgate is making new software, some of it might require new hardware.