Netgate Discussion Forum

    Asus N3050I-C for OpenVPN (100MBIT WAN)

    • M
      messerchmidt

      would go for the quad core variant for not much more, if possible

      apollo lake atom based board perhaps

      • P
        pfBasic Banned

        FWIW, J3355B:

        AES-256-CBC: 291.2Mbps
        AES-256-GCM: 302.0Mbps

        AES-128-CBC: 293.5Mbps
        AES-128-GCM: 307.9Mbps

        
        #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
        disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
        10.989u 0.015s 0:11.02 99.7%    819+178k 2+0io 0pf+0w
        #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
        disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
        10.596u 0.023s 0:10.66 99.5%    817+178k 2+0io 0pf+0w
        #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
        disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
        10.902u 0.015s 0:10.99 99.2%    821+178k 2+0io 0pf+0w
        #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
        disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
        10.392u 0.015s 0:10.46 99.4%    818+177k 2+0io 0pf+0w
        
        
        1 Reply Last reply Reply Quote 0
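How the Mbps figures in the post above follow from its `time` output, as an added example that is not part of the original post: each figure equals 3200 divided by the user-CPU seconds, the first field of the tcsh `time` line. The 3200 constant is inferred from the posted numbers, and the function names `estimate_mbps` and `sample_transcript` are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Converts a saved transcript of
# `time openvpn --test-crypto ... --cipher X` runs into estimated Mbps.
# Assumption: Mbps = 3200 / user-CPU seconds, the relation that reproduces
# the figures quoted in the post above.

# estimate_mbps: read a transcript on stdin, print "<CIPHER> <Mbps>" per run.
estimate_mbps() {
    awk '
        # Command line: remember the cipher named after --cipher.
        /--test-crypto/ {
            cipher = "unknown"
            for (i = 1; i < NF; i++)
                if ($i == "--cipher") cipher = toupper($(i + 1))
            next
        }
        # csh/tcsh time line: "<user>u <sys>s <elapsed> <cpu>% ..."
        $1 ~ /^[0-9]+\.[0-9]+u$/ && $2 ~ /^[0-9]+\.[0-9]+s$/ {
            user = substr($1, 1, length($1) - 1) + 0
            if (user <= 0) { print cipher, "n/a"; next }  # avoid divide by zero
            printf "%s %.1f\n", cipher, 3200 / user
        }
    '
}

# Transcript copied from the post above (J3355B).
sample_transcript() {
    cat <<'EOF'
#: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
10.989u 0.015s 0:11.02 99.7%    819+178k 2+0io 0pf+0w
#: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
10.596u 0.023s 0:10.66 99.5%    817+178k 2+0io 0pf+0w
#: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
10.902u 0.015s 0:10.99 99.2%    821+178k 2+0io 0pf+0w
#: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
10.392u 0.015s 0:10.46 99.4%    818+177k 2+0io 0pf+0w
EOF
}

sample_transcript | estimate_mbps
```

Because the estimate uses user-CPU time only, it measures single-thread cipher cost on the box and says nothing about the tunnel, the provider or the link.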
        • M
          mauroman33

          @pfBasic:

          FWIW, J3355B:

          AES-256-CBC: 291.2Mbps
          AES-256-GCM: 302.0Mbps

          AES-128-CBC: 293.5Mbps
          AES-128-GCM: 307.9Mbps

          Thanks for the useful information. I'm going to update the thread here:
          https://forum.pfsense.org/index.php?topic=115673.0

          • R
            Rango

            @lra:

            @mauroman33, Thanks for the follow-up post.

            It seems the simple OpenVPN benchmark formula referenced here:
            https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743

            gives a reasonable base-line reference. I too have found the actual tested speed can be 5-20 % faster than the benchmark formula, and for some it is right on target.

            Nothing beats an actual real-world test, but a quick CLI base-line test can be useful.

            @mauroman33 did you test the 256 or 128 cipher? Did you have AES-NI active in pfSense when doing this test? Do you know what version of pfSense this was?

            I have a Celeron N3150 with AES-NI hardware accelerators. I'm a little disappointed if 115Mbps is the cap of this processor. It was said it can do 300Mbps on a single core.

            My ISP connection is 180Mbps; I was hoping for 10% less than my ISP connection, so 160Mbps?

            Can you, or anyone else, test with this buffer code along with hardware accelerators on for the N3150?

            https://forum.pfsense.org/index.php?topic=128698.msg714619#msg714619

            fast-io
            sndbuf 524288
            rcvbuf 524288
            

            I don't think one can estimate output when hardware accelerators are on, as we don't know by what factor that changes things. I'm assuming estimates are based on CPU cycles alone, no? I spent ~$350 on this box 2 yrs ago, and for it to come up short is a bit disappointing.

            Does anyone have any suggestions on newer cheap <$200 NUCs with a CPU that has AES-NI accelerator instructions? I'm still keeping hope I can max out my ISP connection with the N3150. Maybe those buffer codes?

            I will soon have a VPN and will do tests myself, even with those buffer codes. They seemed to speed things up quite a bit.

            Is GCM supposed to be faster, more secure than CBC? What's the deal-eo with that?

            • M
              mauroman33

              I confirm that 115Mbps are the limit of a Celeron N3150, even with AES-NI active and those lines in OpenVPN Custom Options.
              300Mbps were related to a Celeron J3355.

              • R
                Rango

                @mauroman33:

                I confirm that 115Mbps are the limit of a Celeron N3150, even with AES-NI active and those lines in OpenVPN Custom Options.
                300Mbps were related to a Celeron J3355.

                Thanks buddy. A little disappointed. I was hoping for 165Mbps. BTW check this out. This guy changed the send and receive windows; not sure what speed boost he got from it. Did you try it?

                " I also changed net.inet.tcp.recvspace & net.inet.tcp.sendspace (under System -> Advanced -> System Tunables) to max 2048K (=2097152 bytes)"

                https://forum.pfsense.org/index.php?topic=112877.msg788565#msg788565

                Do you know any NUC boxes (low-powered boxes with no noisy fans) that host this Celeron J3355 or other better CPU with AES-NI ext???

                • S
                  stephenw10 Netgate Administrator

                  What encryption settings are you using?

                  AES-GCM will be faster than CBC+auth. It's faster even with auth but you don't need that with GCM as it's built in.

                  Are you sure your CPU is using its turbo mode correctly?

                  Steve

                  • M
                    mauroman33

                    @Rango:

                    @mauroman33:

                    I confirm that 115Mbps are the limit of a Celeron N3150, even with AES-NI active and those lines in OpenVPN Custom Options.
                    300Mbps were related to a Celeron J3355.

                    Thanks buddy. A little disappointed. I was hoping for 165Mbps. BTW check this out. This guy changed the send and receive windows; not sure what speed boost he got from it. Did you try it?

                    " I also changed net.inet.tcp.recvspace & net.inet.tcp.sendspace (under System -> Advanced -> System Tunables) to max 2048K (=2097152 bytes)"

                    https://forum.pfsense.org/index.php?topic=112877.msg788565#msg788565

                    Do you know any NUC boxes (low-powered boxes with no noisy fans) that host this Celeron J3355 or other better CPU with AES-NI ext???

                    Yes, same values here.
                    You could take a look at something like this:
                    https://www.amazon.com/ZOTAC-i5-6300U-Bluetooth-Barebones-ZBOX-CI545NANO-U/dp/B071P596LH/ref=sr_1_1?ie=UTF8&qid=1520466138&sr=8-1&keywords=ci545&th=1

                    • R
                      Rango

                      @stephenw10:

                      What encryption settings are you using?

                      AES-GCM will be faster than CBC+auth. It's faster even with auth but you don't need that with GCM as it's built in.

                      Are you sure your CPU is using its turbo mode correctly?

                      Steve

                      Steve, this is what I'm using. Yes, ext are active. I don't have a VPN yet but am in the process of getting it. My VPN will have GCM 128 and 256.

                      My impression was AES-NI was supposed to help exponentially in Mbps speeds, not linearly. I'm seeing some other ppl with the same CPU at 1.8GHz but a newer process pushing 300Mbps.

                      Something doesn't make sense here. 200MHz would not double the speed. It has to be AES-NI or special tweaks. Also my N3150 is quad core but I'm hearing VPN is single threaded.

                      Celeron-Processor-J3355 doing 300Mbps is only 400MHz faster than my CPU. 400MHz will not double the speed in Mbps. Something else is in play here. Inconsistent PIA servers perhaps?
                      I will not be on PIA also btw.

                      https://ark.intel.com/products/95597/Intel-Celeron-Processor-J3355-2M-Cache-up-to-2_5-GHz

                      • R
                        Rango

                        @stephenw10:

                        What encryption settings are you using?

                        AES-GCM will be faster than CBC+auth. It's faster even with auth but you don't need that with GCM as it's built in.

                        Are you sure your CPU is using its turbo mode correctly?

                        Steve

                        Steve, how do I enable turbo mode? Is that in the BIOS settings?

                        Edit: found it and enabled turbo in the BIOS. pfSense still shows 1.6GHz though, as it should, as that's burst mode only.

                        • R
                          Rango

                          Hey guys, check this out. The OpenVPN documentation shows that tweaks, not CPU cycles, increase throughput, but the problem is that the VPN provider won't allow you to change the MTU size beyond 1500.

                          https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

                          • M
                            mauroman33

                            @Rango:

                            My impression was AES-NI was supposed to help exponentially in Mbps speeds, not linearly. I'm seeing some other ppl with the same CPU at 1.8GHz but a newer process pushing 300Mbps.

                            Something doesn't make sense here. 200MHz would not double the speed. It has to be AES-NI or special tweaks. Also my N3150 is quad core but I'm hearing VPN is single threaded.

                            Celeron-Processor-J3355 doing 300Mbps is only 400MHz faster than my CPU. 400MHz will not double the speed in Mbps. Something else is in play here. Inconsistent PIA servers perhaps?
                            I will not be on PIA also btw.

                            https://ark.intel.com/products/95597/Intel-Celeron-Processor-J3355-2M-Cache-up-to-2_5-GHz

                            A Celeron N3150 is two years older than a Celeron J3355, which has a better implementation of AES-NI; I think it isn't just a matter of MHz…

                            • R
                              Rango

                              I just signed up with a VPN, did my own testing, and compared to this guy here. AES-NI does not work at all. It offers ZERO assist. Not one 1Mbps.

                              I've proven it here. I have doubled my CPU power over my Asus 87u and it doubled my speed, but look at this other guy's results. https://forum.pfsense.org/index.php?topic=139926.0

                              • S
                                stephenw10 Netgate Administrator

                                What settings are you using?

                                AES-NI will be accelerating almost every setting to some extent. To test its effects accurately you will need to enable/disable it in the BIOS though.

                                The Turbo mode is shown as 1601MHz vs 1600MHz for non-turbo.

                                Steve

                                • R
                                  Rango

                                  @stephenw10:

                                  What settings are you using?

                                  AES-NI will be accelerating almost every setting to some extent. To test its effects accurately you will need to enable/disable it in the BIOS though.

                                  The Turbo mode is shown as 1601MHz vs 1600MHz for non-turbo.

                                  Steve

                                  Steve, thanks for the feedback. AES-NI is enabled, as you can clearly see in the screenshot of pfSense that it says it's active, so yes, it's active in the BIOS and should work. Turbo I enabled last night in the BIOS, but that will never take effect, as one would have to max out the CPU to 100% for turbo to kick in. My CPU maxes out at 50% in pfSense during encryption testing so it will never get there. But to your point, it shows in pfSense as 1601 so turbo is enabled as well. Look

                                  I have chosen FreeBSD hardware acceleration in both the VPN client and under networking in advanced options, which boosted my Mbps by 10Mbps, but I max out at 120Mbps now. It won't do more. It's all about CPU cycles from what I see. I commented on this more here. Let me know your thoughts if you want. I think the CPU cycle rate needs to be 3GHz for an ideal setup. Those AMD APU A10 7800k are 4.0GHz and are cheap enough, but how to choose a motherboard with 2 NICs, ideally Intel ones, in mini-ITX form? I have 2 1gb Realtek ones and have no problem at all with them in pfSense like some suggest they do. They do their job.

                                  https://forum.pfsense.org/index.php?topic=139926.msg788801#msg788801

                                  This thread is also right on the money but it's 2 yrs old now so not ideal hardware anymore. That last Celeron is cheap but I can't seem to find a NUC or motherboard in ITX form for it. I think ideal would be the AMD A10 APU. Low power and high cycle rate, but not sure about a mini-ITX motherboard with 2 NICs and what case, etc. Then again that AMD doesn't have AES-NI so when pfSense 2.5 comes out it will become obsolete without those instructions. So scratch AMD without AES-NI too. This is a quest.

                                  https://forum.pfsense.org/index.php?topic=115673.0

                                  • S
                                    stephenw10 Netgate Administrator

                                    If you are seeing CPU usage at 50% overall then it's likely at least one of your 4 CPU cores is at 100%. To see the full break down of cpu usage across cores run at the command line:

                                    top -aSH
                                    

                                    If one core is at 100% it should be running in Turbo mode.

                                    Specifically which A10 CPU were you looking at? As far as I know most of those support AES instructions. AMD have been shipping processors that will be supported in 2.5 since 2010.
                                    https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html

                                    Without seeing the exact settings you're running it's hard to comment further. It seems likely you should be able to see more bandwidth from that CPU though. In the thread you linked Pippom reports 160Mbps from that same CPU with higher encryption settings.

                                    Steve
