SG-1100 Crypto Hardware
-
I have seen ~150Mbps OpenVPN in local iperf3 testing here. Latency and packet size variation etc will impact that though.
Steve
-
@kejianshi the 900Mbit I saw must have been the performance of the routing. Not the VPN speed when I think about it. But I have tested with 117Mbit/s that is my max speed of my connection and it works great. My box was up for 65 days before I needed to shut it down to move it :)
-
@stephenw10 Thanks old timer. Still at it huh? This tiny box is replacing an AMD X2 3800... I got a LOT of miles out of that box!
-
Yup, still here.
-
Any ballpark estimates on the gains that will be seen by even supporting the hardware cryptography?
I'm assuming in daily operation it won't matter so much but only on ipsec and openvpn. I bought a few of these, I might put one in place of my current home FW which is a 3rd gen Intel Core i5 on an Intel DQ77MK mobo. I have 500mbps internet and three ipsec vpn tunnels, and 2 vlans.
-
We are doing the work on our own on this, we do expect gains but to put out firm numbers would be a disservice to all involved.
-
@chrismacmahon
Will there be any support for the crypto hardware on the SG-1000 (now EoS)?
-
That's a good question. Let me get back to you on that.
-
@bigsy We don't think the work will be impacting the SG-1000.
-
@chrismacmahon Thanks for all your hard work! What would be the best way to keep tabs on the development of this driver?
-
Our blog, twitter or in the forums. We will announce it when the time comes.
You can also have an RSS feed on your dashboard in pfSense.
-
@chrismacmahon said in SG-1100 Crypto Hardware:
We will announce it when the time comes.
Is there any ETA for when ARM crypto hardware acceleration will be released for the SG-1100 and is it money-back guaranteed for people who purchase them? And is the performance of the ARM acceleration expected to be similar to AES-NI?
I'm ready to purchase 2 firewalls but I'm leaning towards the Pc-Engines APU2D4 mainly because it has acceleration. I see that developers are working on it but I recognize that one possible outcome is that the devs could say "well, we tried to make it work but it just can't happen." So it would be nice to hear some inside knowledge about the progress and expectations.
-
Is this still being worked on? As the above person mentioned an ETA would be helpful. Even a very conservative ETA would be great, just to let people know that the feature is definitely coming.
-
Is this still being worked on: Most definitely.
Do we have an ETA: I'm not aware of an ETA, there is a lot of work that goes into this.
-
Wouldn't that be in redmine? It should have a projected version that functionality would be in like 2.4.5 or 2.5, etc...
Wouldn't that make it easier to track? I mean 2.5 should be here by 2020. So if you plan on having it done prior to 2.5 then you have a pretty decent ballpark of 3-6 months.
-
@PhlMike I see it like this. Lessons I learned from talking to girls when I was young seem to apply here... Maybe = no. Perhaps later = no. I'll think about it = no. I like to take my time = no. The only thing that means yes is yes. If these guys were working on it, they would be advertising their progress, but they aren't so it's obviously not in the works if you ask me. I think they are waiting for someone else to develop open source code and if that happens they might incorporate it but I seriously doubt there is a team assigned to creating this code at netgate. Never trust "The check is in the mail".
-
@kejianshi You have a point. Since tnsr came about PfSense got shoved to a back burner. Tnsr looks cool and all but at its price and the fact I don't need routing above 10gig and I like a web interface at least as a backup to central mgmt it's better to stick with PfSense.
So now we'll see Jim T's "further" ideas for a python html5 php as root free PfSense not happen by 3.0.
And I buy > $10k in Netgates a year. Not the 1100, I only bought 3 of those. The 3100 I buy out. Still no promised wall mount for that one.
-
@PhlMike I hadn't even been paying any attention to tnsr. My impression of 2.5 and 3.0 pfsense is that it's primarily designed to obsolete older hardware, force hardware updates and limit the hardware it will run on. (To hardware sold by netgate). If 2.5 comes out and the SG-1100 is supported but not with crypto acceleration while pfsense 2.5 will not run on other hardware without crypto acceleration, that will be the proof that pfsense could work fine on new and old hardware without crypto acceleration but they went out of their way to break it to sell new hardware.
-
@PhlMike for your question on
wouldn't that be in a redmine
the answer is yes. As it deals with the internal parts of the ARM processor, the work is done in a private manner and not open to the public. Sorry.
@kejianshi We are not advertising our progress. Not because we are delaying it; but because the process is a bit more involved than just setting the Hardware crypto to enabled. We have engineering staff dedicated to getting this working as we believe it gives our customers the assurance they are running genuine pfSense software.
As for pfSense development getting pushed back with the launch of TNSR, that is just not correct. We have dedicated staff working on pushing both software products forward.
-
@dennis_s I understand you saying that pfSense isn't dead, but indicative of the sentiments of a large portion of the pfSense community we feel neglected as of late.
It's business, I run a business, I understand: TNSR is the new cash cow, non-free with yearly license fees. With behavior I have seen over the past two years, you needed the revenue to sustain operations. There was no way hardware alone was going to keep the boat afloat. Even with the release of sub $500 equipment. Margins are tight.
But pfSense was the shining light for people who abhorred the Cisco model, yet you still went that model with tnsr and doubled down on it, with a $300/year fee. I learn by using, lots of people learn by using. The vast majority of people who use netgate/pfSense in business use it at home. We can't use tnsr at home. I'm not spending $300/year and succumbing to an API or command line. I can understand, a $5+MM/year business spending that kind of money, but when you buy 10G+ internet the ISP includes a firewall, usually a Palo Alto and they charge under $1k/year for it. At that point would I spend $300/year to load TNSR on a $3,200 supermicro or two to run it? If I am going to buy 50-100-300 routers and needed 10G+ backbones, I can waltz in to Cisco, Palo Alto, Juniper, F5 and the likes and with that kind of weight I can assure you I'm not spending $300/fw/year. And I still get a web interface so I don't have to go all command line. At that point if I wanted to go commandline commando on a firewall I'd use Vyatta, it's 100% free and can run some blistering speeds.
If tnsr was the grand realization and next generation of pfsense, and had a model that worked for a person who wanted to stick it in his house and a web ui. We would be less offended by it. As it stands now, it's a slap to our face and we feel betrayed. It's worse than if you sold out to Cisco and they started charging $100,000/second for pfsense.
Then we have this secrecy and privacy and vague answers. Day by day, you keep turning into those corporations we hate. No transparency, rising costs, innovations only for the super rich with deep pockets. We would rather have "We will have this out by 2023" and have you come out and say "Oh well it will be 2024 because we had issues" than "We are not advertising our progress". That makes us think the truth is, "Dude this is a $160 device and doesn't make us enough revenue to afford to put more than the intern from the mail room on, and it will get done and it gets done if at all and if you want that feature, open up your wallet you darn peasant and give us more money for a $400+ device"