HAProxy + Intel QAT
-
Anyone happen to know the status of movement to OpenSSL v1.1.x and HAProxy v1.8, so that Intel QAT can be utilized? Running Supermicro's 5019D-FN8TP with the Xeon D-2146NT CPU. This may be equally interesting for offloading in other components as well.
Thanks!
-
I haven't really been a pfSense user, but if this can be done with pfSense, I'm interested in this as well. As you suggest, the QAT offloading is available starting with HAProxy 1.8. This video provides details, with reference back to 01.org.
-
openssl 1.1.x will be in pfSense 2.5.x.. first development snaphots should arrive 'soon' i guess.
-
Excellent news! Anxious to see it in operation.
-
Did you end up getting QAT to properly work on this platform?
-
Honestly, have not. Unfortunately, as with most things - priorities change with each week. Recently, have been more focused on "openvpn --show-engines" revealing nothing and whether or not that has material implications to other parts of pfSense as well. I'll need to check one device as it has QAT built-in for up to 40Gbps crypto/compression acceleration (Supermicro 5019D-FN8TP). When I get a chance to review, I'll let you know if the dashboard status has changed from "QAT Crypto: No" to "QAT Crypto: <positive response>". Then it would be a question of doing some bench mark work to determine what it means in context. The primary interests in this were for VPN (OpenVPN/WireGuard) and SSL offload (HAProxy). One of Intel's own whitepapers on the subject (https://networkbuilders.intel.com/solutionslibrary/accelerating-haproxy-with-intel-quickassist-technology) is rather interesting to see the differential. As with most things, it's likely "best case" for each bucket but interesting nonetheless.
-
@justme2 Gotcha, well this is a good start at least. I'm considering the same platform for a proper 10 gigabit system (WAN side with NAT) as my Netgate 6100 isn't keeping up with my new WAN provider. QAT is fairly important for me though as well.
