Is Intel QuickAssist Technology (QAT) required/wanted for WireGuard
-
Is Intel QuickAssist Technology (QAT) required/wanted for WireGuard?
I am looking at sourcing new hardware for pfSense. Currently using OpenVPN but will be switching to WireGuard when available. Wondering if QAT will be beneficial and if so at what point.
The hardware that I am looking at is https://www.supermicro.com/en/products/system/1U/5018/SYS-5018D-FN8T.cfm which uses the Intel
Xeon processor D-1518 -
stephenw10 Netgate Administratorlast edited by stephenw10 Feb 3, 2021, 7:01 PM Feb 3, 2021, 7:01 PM
No QAT is not required.
No QAT would not help WireGuard anyway as the cipher it uses, chacha20/poly, is not accelerated by any current implementation.
Steve
-
@spielp said in Is Intel QuickAssist Technology (QAT) required/wanted for WireGuard:
The hardware that I am looking at is https://www.supermicro.com/en/products/system/1U/5018/SYS-5018D-FN8T.cfm which uses the Intel Xeon processor D-1518
BTW: why are you looking for old 1st gen Xeon-D Hardware if you are buying new now when there already is 2nd gen Xeons available that are far better performing? (like SuperServer 5019D-FN8TP)
-
@jegr mainly because I found one for a good price. I ended up not purchasing it as I decided to see what happens with pfSense plus and running it on your own hardware.
-
@jegr also the system you linked is an 80w vs 35w
-
@spielp said in Is Intel QuickAssist Technology (QAT) required/wanted for WireGuard:
@jegr also the system you linked is an 80w vs 35w
It was just an example though. But heard the 2nd gen boxes run immensly better then the first gens.
-
@jegr will check them out in more detail. Thanks for pointing it out.
-
stephenw10 Netgate Administratorlast edited by stephenw10 Feb 5, 2021, 2:57 PM Feb 5, 2021, 2:56 PM
Also TDP does not indicate the actual running power consumption. It shows the maximum power the cooling system must be able to handle.
And that's just the CPU.Steve
-
@jegr said in Is Intel QuickAssist Technology (QAT) required/wanted for WireGuard:
5019D-FN8TP
I had the 5019D-FN8TP and sold it on reddit, it idles at 60w. and frankly is not that fast. My custom build of supermicro X11SCL-iF with SC505-203B chassis and a Pentium Gold G5400 and a X710-DA2 NIC is faster and idles 20w and maxes out at 54w .. vs 60w idle and 110w maxed out.. granted if you have a workload that needs more threads, etc, you could just get a different 1151 Xeon E CPU.
The newer Xeon D CPU just have a bunch of stuff like AVX-512 that make them power hogs and those instructions are worthless for pfSense/routing. Also having all those NICs, the 10g RJ45 chipset uses like 8w per port.
To me, it seemed like the X11SDV-8C-TP8F could be a great NAS/TrueNAS board, more so than a pfSense board..
I did some speed testing with pfSense 2.5 and the G5400 and wireguard... and 10g firewall.
https://forum.netgate.com/topic/160168/what-speeds-can-you-get-with-wg-on-a-sg-3100/2
-
@dirtyfreebooter out of curiosity what kind of heat sink/fan are you using for your cpu?
-
@spielp said in Is Intel QuickAssist Technology (QAT) required/wanted for WireGuard:
@dirtyfreebooter out of curiosity what kind of heat sink/fan are you using for your cpu?
I started with the Dynatron Copper Heatsink K199, thinking would be nice to have an active cooler. Idled at 30C, which i thought was actually pretty bad for G5400 CPU. I re-applied the thermal grease, still 30C. I swapped it out for the supermicro one, SNK-P0049P and idle temps went down to 21C. I guess the airflow in the tight 1U case was just better with an passive heatsink.
-
@stephenw10 said in Is Intel QuickAssist Technology (QAT) required/wanted for WireGuard:
No QAT would not help WireGuard anyway as the cipher it uses, chacha20/poly, is not accelerated by any current implementation.
http://patches.dpdk.org/cover/64728/
-
@ensnare said in Is Intel QuickAssist Technology (QAT) required/wanted for WireGuard:
http://patches.dpdk.org/cover/64728/
any ideas on how much of a speedup QAT offers with chacha-poly? -
@ensnare said in Is Intel QuickAssist Technology (QAT) required/wanted for WireGuard:
http://patches.dpdk.org/cover/64728/
Mmm, well that could be interesting. Being in DPDK is quite a way from being in FreeBSD though.
Steve
-
I can give my own personal experience with the Xeon D1541/D2141 and EPYC 3251. The Xeon D2141/2121 series based appliances have a pretty high idle power draw at around 40-50 Watts. The AMD EPYC 3251 SuperMicro appliances/boards boards performance wise are close to the Xeon-D2141 (outside of AVX512 which is missing on the EPYC) with much lower real world idle and max power draw and cheaper and also run cooler. The D-1541 SuperMicro appliance (essentially the OEM version of Netgate's XG1541) usually idled a little higher (~32 Watts Idle and Max around 85-90 Watts) than the 3251 (31 Watts Idle and Max around 80-85 Watts) while performing much worse in general. I can run the 3251 in my home office with little noise at low to medium loads (2x 35dBm rated 40mm 8500 RPM Fans @1,600-2,000 RPM) unlike the D-1541/D-2141 which require much higher fan speeds even at idle (3,500-4,000 RPM). SuperMicro seems to have used better heatsinks with heat pipes on the EPYC. Also do note that the Wattage advertised is generally for stock clocks and doesn't take into account boost clocks so it can be misleading. Would be nice to see a Netgate branded appliance with an EPYC 3201/3251.
-
This post is deleted! -
It's 2023 now, was wondering if the QAT driver in pfSense 23.01 can accelerate WireGuard...
Thanks for any pointer!
-
Replied in the other thread.
-
Just here to report that enabling IPsec-MB on 23.05 has reduced the CPU usage quite a bit on my 5100 when using Wireguard.
