SG-1100 Crypto Hardware
-
@chrismacmahon So, what is the openvpn performance of this machine with no hardware crypto acceleration? (Which by the way is something that should have been in big bold red letters in the advertisements and specifications. I have an expectation that all new pfsense hardware will have WORKING hardware crypto acceleration. I do not like my first hint that it might not work yet being me getting the unit, turning it on and seeing "Crypto: (Inactive)". I do not trust "The check is in the mail" with no timeframes mentioned. If I built a pfsense of course unsupported features are not your problem, but when I buy direct from Netgate I have an expectation of a product with primary features that work. Crypto acceleration is a primary feature. If I didn't need/want it I could use a computer that is 2 decades old.
-
@kejianshi i have done tests with my 100Mbit line and VPN works great with top speed. I have 2 tunnels running and i think i have not seen any cpu usage above 50%.. I think i read somewhere that it can do 900Mbit but dont quote me on that.
-
@Taz79 I hope you are right. I don't need to max out gigabit ethernet or anything. Just run a few tunnels with relatively low bandwidth requirement. 10 - 30 MB/s. I just don't like being surprised (-;
Thanks for your reply. Its encouraging. I just got this thing hooked up from about 8700 miles away and I'm really hoping its as stable as the box its replacing. I do like the low power, small form factor etc etc. I will configure the VPN and let you know how it performs long-haul. -
I have seen ~150Mbps OpenVPN in local iperf3 testing here. Latency and packet size variation etc will impact that though.
Steve
-
@kejianshi the 900Mbit i saw must have been the performance of the routing. Not the VPN speed when i think about it. But i have tested with 117Mbit/s that is my max speed of my connection and it works great. My box were up for 65 days before i needed to shut it down to move it :)
-
@stephenw10 Thanks old timer. Still at it huh? This tiny box is replacing a AMD X2 3800... I got a LOT of miles out of that box!
-
Yup, still here.
-
Any ballpark estimates on the gains that will be seen by even supporting the hardware cryptography?
I'm assuming in daily operation it won't matter so much but only on ipsec and openvpn.I bought a few of these, I might put one in place of my current home FW which is a 3rd gen Intel Core i5 on an Intel DQ77MK mobo. I have 500mbps internet and three ipsec vpn tunnels, and 2 vlans.
-
We are doing the work on our own on this, we do expect gains but to put out firm numbers would be a disservice to all involved.
-
@chrismacmahon
Will there be any support for the crypto hardware on the SG-1000 (now EoS)? -
That's a good question. Let me get back to you on that.
-
@bigsy We don't think the work will be impacting the SG-1000.
-
@chrismacmahon Thanks for all your hard work! What would be the best way to keep tabs on the development of this driver?
-
Our blog, twitter or in the forums. We will announce it when the time comes.
You can also have a RSS feed on your dashboard in pfSense.
-
@chrismacmahon said in SG-1100 Crypto Hardware:
We will announce it when the time comes.
Is there any ETA for when ARM crypto hardware acceleration will be released for the SG-1100 and is it money-back guaranteed for people who purchase them? And is the performance of the ARM acceleration expected to be similar to AES-NI?
I'm ready to purchase 2 firewalls but I'm leaning towards the Pc-Engines APU2D4 mainly because it has acceleration. I see that developers are working on it but I recognize that one possible outcome is that the devs could say "well, we tried to make it work but it just can't happen." So it would be nice to hear some inside knowledge about the progress and expectations.
-
Is this still being worked on? As the above person mentioned an ETA would be helpful. Even a very conservative ETA would be great, just to let people know that the feature is definitely coming.
-
Is this still being worked on: Most definitely.
Do we have an ETA: I'm not aware of an ETA, there is a lot of work that goes into this.
-
Wouldn't that be in redmine? It should have a projected version that functionality would be in like 2.4.5 or 2.5, etc...
Wouldn't that make it easier to track? I mean 2.5 should be here by 2020. So if you plan on having it done prior to 2.5 then you have a pretty decent ballpark of 3-6 months.
-
@PhlMike I see it like this. Lessons I learned from talking to girls when I was young seem to apply here... Maybe = no. Perhaps later = no. I'll think about it = no. I like to take my time = no. The only thing that means yes is yes. If these guys were working on it, they would be advertising their progress, but they aren't so its obviously not in the works if you ask me. I think they are waiting for someone else to develop opensource code and if that happens they might incorporate it but I seriously doubt there is a team assigned to creating this code at netgate. Never trust "The check is in the mail".
-
@kejianshi You have a point. Since tnsr came about PfSense got shoved to a back burner. Tnsr looks cool and all but at its price and the fact I don't need routing above 10gig and I like a web interface at least as a backup to central mgmt it's better to stick with PfSense.
So now we'll see Jim T's "further" ideas for a python html5 php as root free PfSense not happen by 3.0.
And I buy > $10k in negates a year. Not the 1100I only bought 3 of those. The 3100 I buy out. Still no promised wall mount for that one.
