[RESULTS] Potential build for pfSense + VPN on CLink Gigabit


  • Banned

    From what it sounds like you're trying to do I think you'll be fine with the current case and not need a PCIe card. I didn't bring it up to say that it was a bad config, just to make sure it wasn't a small oversight.

    VLANs are _V_irtual _L_ocal _A_rea _N_etworks
    https://doc.pfsense.org/index.php/VLAN_Trunking
    http://resources.intenseschool.com/pfsense-series-configuring-vlans/

    With two physical ethernet ports you can have a WAN and a LAN. If in the future you wanted to add more networks, you can use more physical ports, or you can use VLANs. In order to use VLANs you need a switch that supports VLANs.

    https://www.amazon.com/TP-Link-Gigabit-Ethernet-Managed-TL-SG108E/dp/B00K4DS5KU
    https://www.amazon.com/Cisco-SG300-10-10-port-Gigabit-SRW2008-K9-NA/dp/B0041ORN6U

    I have never used a VLAN so I don't know much of anything about them. It's just an option that you could use down the road to help you expand your network while just using two physical NICs if you needed to. At least that's my understanding of it. If I'm wrong hopefully someone who knows will chime in here.



  • Is there a reason for going with the T series CPU? Are you planning on cooling issues? Low TDP parts are for cooling constrained installations, not for power savings. The T series part will spend more time doing the same amount of work as a standard part and you gain nothing in power savings.

    I personally would get an i3 7100, as they both consume the same amount of power at idle, which is where it will spend most of its time, and you hobble the performance when you need it with the T part.

    If you need more LAN ports, don't add more NICs, add a switch. pfSense is a router/firewall, not a switch.

    Edit: If you want to save a couple bucks you could get a G4620 (Kabylake) or G4520 (Skylake) CPU. They are nearly the same speed as the i3-7100, dual cores with hyperthreading and about $25 cheaper.



  • @Jailer:

    Is there a reason for going with the T series CPU? Are you planning on cooling issues? Low TDP parts are for cooling constrained installations, not for power savings. The T series part will spend more time doing the same amount of work as a standard part and you gain nothing in power savings.

    I personally would get an i3 7100, as they both consume the same amount of power at idle, which is where it will spend most of its time, and you hobble the performance when you need it with the T part.

    If you need more LAN ports, don't add more NICs, add a switch. pfSense is a router/firewall, not a switch.

    Edit: If you want to save a couple bucks you could get a G4620 (Kabylake) or G4520 (Skylake) CPU. They are nearly the same speed as the i3-7100, dual cores with hyperthreading and about $25 cheaper.

    No, actually!  I mean, I wanted a very small build, so I thought putting as little load on the cooling system in the cramped space was a good idea.  I'm happy to go with a different processor.

    Out of curiosity, how much difference does a few tenths of a GHz make in this sort of use?  What I mean is, will there be a big difference in performance between 3.6 GHz and 3.9 or 4.1?



  • Depends. How many and what packages, if any, do you plan on running.


  • Banned

    @naporeon:

    I seem to have a 50/50 ceiling for the connection.  I'd like to push past that.  I know that I'm not going to get anywhere near the 900+/900+

    It would also be useful to know what kind of speeds you would like to see on your VPN?



  • @Jailer:

    Depends. How many and what packages, if any, do you plan on running.

    To start, just vanilla pfSense. My only real goal at this particular point is routing all traffic through a VPN.

    @pfBasic:

    It would also be useful to know what kind of speeds you would like to see on your VPN?

    I have no idea what to expect. Considering my absolute worst wired connection without a VPN has been around 600/700, I'd be happy with somewhere around 200 or 300. No idea what's realistic though.


  • Banned

    @naporeon:

    @Jailer:

    Depends. How many and what packages, if any, do you plan on running.

    To start, just vanilla pfSense. My only real goal at this particular point is routing all traffic through a VPN.

    @pfBasic:

    It would also be useful to know what kind of speeds you would like to see on your VPN?

    I have no idea what to expect. Considering my absolute worst wired connection without a VPN has been around 600/700, I'd be happy with somewhere around 200 or 300. No idea what's realistic though.

    This sounds attainable on your listed hardware.



  • @naporeon:

    No, actually!  I mean, I wanted a very small build, so I thought putting as little load on the cooling system in the cramped space was a good idea.  I'm happy to go with a different processor.

    It's certainly not a bad idea, but the regular desktop SKUs these days are very easy to cool, even in a confined space.  As long as you're not looking for passive cooling I'd just go with a regular desktop Kaby Lake.  Go for the highest base clock you can reasonably afford.  That will help you more than any other single factor with PIA.  It's also possible, from anecdotal evidence, that the PIA endpoints will restrict your speed through a tunnel more than your local hardware will.  If that's the case, multiple simultaneous tunnels are an option.  Best case you get much higher speeds.  Worst case it's the same as a single tunnel but with resiliency.



  • I'll start by elaborating on my intended implementation.  What I'd like to do is build a pfSense box that will serve as the router for my CLink Gigabit connection,

    Are you using PPPoE at Clink FTTH? If not, you could be lucky with the fanless and silent Jetway NF9HG-2930.



  • I've updated the OP with my results.

    Build was completed and configured yesterday.  Thus far quite happy!


  • Banned

    That is really great OpenVPN throughput! How is your client configured?



  • 4 ms ping? VPN?



  • @Pippin:

    4 ms ping? VPN?

    I was surprised by that myself. Speedtest could very well be lying, but PIA does have a Seattle connection point.



  • @pfBasic:

    That is really great OpenVPN throughput! How is your client configured?

    Yeah, I'm very happy with it. Not to mention surprised.

    pfSense is just totally vanilla. For OpenVPN configuration, I am so far using the stock pfSense configuration provided by PIA.

    I will be tinkering to add a couple functions soon, but there do not appear to be any DNS leaks thus far, so I'll probably just get to that later this week.


  • Banned

    The best way to make sure you will never have a DNS leak is to use Unbound as a Resolver (don't change any settings or add any DNS IPs anywhere in your settings), then under Services / DNS Resolver / General Settings > Outgoing Network Interfaces: select only your VPN interface.

    This way all of your DNS requests go straight through the Root Servers but via your VPN.



  • @pfBasic:

    The best way to make sure you will never have a DNS leak is to use Unbound as a Resolver (don't change any settings or add any DNS IPs anywhere in your settings), then under Services / DNS Resolver / General Settings > Outgoing Network Interfaces: select only your VPN interface.

    This way all of your DNS requests go straight through the Root Servers but via your VPN.

    Sounds good! Also, I realize only a total scrub would ask this, but that would also mean that I'd effectively lose internet connectivity if the VPN is down, right?

    I ask because that is desirable to me.


  • Banned

    Yes you would lose anything that needed DNS, but if you are routing all of your traffic to the VPN except for DNS and the VPN went down, you would still lose internet even though the DNS query would go through because you couldn't get anything through port 80, 443, 123, etc.

    A good way to get some mitigation from a VPN client going down is to use different servers in your gateway group. (Or put your WAN in the group in a lower tier, but you want a VPN killswitch, so don't.) I think you mentioned that you are using PIA? If so, you get up to five clients through them, so just group two of their servers together.

    I use two of their servers in a group and sometimes I'll see a lot of packet loss on one but the other will be working well. It has worked very reliably for me.



  • @naporeon:

    @Pippin:

    4 ms ping? VPN?

    I was surprised by that myself. Speedtest could very well be lying, but PIA does have a Seattle connection point.

    Possibly the LZO compression of OpenVPN is giving misleading results for speed tests that don't have randomized content.

    If you can disable LZO compression for the speed test that would be interesting.
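An added illustration of the point Pippin raises (not code from anyone in this thread): when the tunnel compresses payload, a speed test that sends low-entropy data is measured in decompressed bytes while the wire carries compressed bytes, so the client over-reports. OpenVPN's LZO is not in the Python standard library, so zlib stands in as the compressor (an assumption; the ratios differ from LZO's, the effect does not).

```python
"""Added example: compressed-tunnel speed tests versus real traffic.
zlib is used in place of OpenVPN's LZO (assumption for portability)."""
import os
import zlib


def compress_ratio(payload: bytes) -> float:
    """compressed_size / original_size for one packet-sized chunk."""
    return len(zlib.compress(payload, 1)) / len(payload)


def apparent_mbit_s(wire_mbit_s: float, payload: bytes) -> float:
    """Throughput the client *measures* when the tunnel's wire rate is fixed.

    The client counts decompressed bytes; the tunnel moved compressed bytes,
    so the apparent rate is the wire rate divided by the compression ratio.
    """
    return wire_mbit_s / compress_ratio(payload)


# Constructed inputs: a repeating-text payload of the kind a naive speed test
# might send, versus random bytes (encrypted or already-compressed downloads,
# video streams and HTTPS bodies behave like the random case).
PATTERNED = b"0123456789" * 140   # ~1400 bytes, one MTU-sized packet
RANDOM = os.urandom(1400)


def main() -> None:
    wire = 200.0  # Mbit/s actually leaving the box, assumed for the demo
    for name, data in (("patterned", PATTERNED), ("random", RANDOM)):
        print(f"{name:9s} ratio={compress_ratio(data):.3f}  "
              f"apparent={apparent_mbit_s(wire, data):6.0f} Mbit/s "
              f"at {wire:.0f} Mbit/s on the wire")


if __name__ == "__main__":
    main()
```

Random data does not shrink at all (zlib even adds a few bytes of framing), so a test with randomized content measures the tunnel's real rate; the patterned case shows how far off a non-randomized test can be.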


  • Banned

    Actually, I would say leave LZO on, just as you normally have it.

    Then do your best to max out your bandwidth. Steam downloads usually have great bandwidth and they have free titles (DOTA 2 is pretty big and free, so it will run for long enough to see it on RRDs).
    You have a pretty beefy connection, so you might also stream a bunch of UHD YouTube videos; I think you can search for even 5k and 8k content that will really suck down some bandwidth!

    Anyways, after you max out the connection for 5-10 minutes, go to Status / Monitoring and set it up like so:

    System > Processor on one side
    Traffic > WAN on the other side
    1 Hour, 1 Minute, Line, On, Never
    De-select everything on the graph except:
    user util
    nice util
    system util
    interrupt
    inpass total
    outpass total

    Screenshot the graph and data summary with your mouse hovering over a point on the graph where your bandwidth is maxed out to display the stats you selected and post it up here.

    That will give no bullshit real world VPN throughput:CPU usage data (assuming you are piping all of your traffic out through a VPN client as you stated).

    I know that's all a very specific request, but it would be greatly appreciated!



  • @naporeon:

    I am so far using the stock pfSense configuration provided by PIA.

    I think the stock PIA settings are to use Blowfish-128, SHA1 MAC, and RSA-2048.  The most concerning of these is the SHA1 MAC.  I'd personally use AES-128-CBC, SHA256 MAC, and RSA-2048 and see if performance is the same.  And the i3's AES-NI may possibly help out if you switch from Blowfish to AES.



    The most concerning would be Blowfish because of the SWEET32 attack, not SHA1.
    https://community.openvpn.net/openvpn/wiki/SWEET32
    https://sweet32.info/

    Also read this:
    https://sourceforge.net/p/openvpn/mailman/message/35699685/
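To put Pippin's point in numbers, here is an added birthday-bound calculation (not from any post in this thread, and not from the linked pages): SWEET32 rests on the fact that a 64-bit block cipher such as Blowfish starts repeating CBC ciphertext blocks under one key after on the order of 2^32 blocks, which a tunnel running at the speeds discussed here reaches in well under an hour, whereas AES's 128-bit block makes the same bound unreachable. The 200 Mbit/s figure is assumed from the throughput goal stated earlier in the thread.

```python
"""Added example: birthday bound on ciphertext-block collisions for a
64-bit block cipher (Blowfish) versus a 128-bit block cipher (AES)."""
import math


def collision_probability(bytes_sent: int, block_bits: int) -> float:
    """Probability that at least two ciphertext blocks collide after
    bytes_sent bytes under one key, using the birthday approximation
    p = 1 - exp(-n^2 / (2 * 2^b)) with n = number of blocks."""
    n = bytes_sent // (block_bits // 8)
    space = 2.0 ** block_bits
    return 1.0 - math.exp(-(n * n) / (2.0 * space))


def bytes_for_probability(p: float, block_bits: int) -> int:
    """Bytes that can be encrypted under one key before the collision
    probability reaches p (inverse of the formula above)."""
    space = 2.0 ** block_bits
    n = math.sqrt(-2.0 * space * math.log(1.0 - p))
    return int(n) * (block_bits // 8)


def seconds_to_reach(bytes_needed: int, mbit_s: float) -> float:
    """Wall-clock time to push bytes_needed through a tunnel at mbit_s."""
    return bytes_needed * 8 / (mbit_s * 1_000_000)


def main() -> None:
    tunnel_mbit_s = 200.0                       # assumed, per the thread
    thirty_two_gib = 2 ** 35                    # the classic SWEET32 figure
    for name, bits in (("Blowfish (64-bit)", 64), ("AES (128-bit)", 128)):
        p = collision_probability(thirty_two_gib, bits)
        print(f"{name:18s} P(collision after 32 GiB) = {p:.3g}")
    # How long one Blowfish key survives before a 50% collision chance:
    b = bytes_for_probability(0.5, 64)
    print(f"50% bound for Blowfish: {b / 1e9:.1f} GB, i.e. "
          f"{seconds_to_reach(b, tunnel_mbit_s) / 60:.0f} min at "
          f"{tunnel_mbit_s:.0f} Mbit/s")
    # Mitigation short of changing cipher: OpenVPN's reneg-bytes forces a
    # new key after a fixed byte count; 64 MB keeps the probability tiny.
    print(f"P(collision) per 64 MB key epoch: "
          f"{collision_probability(64_000_000, 64):.2g}")


if __name__ == "__main__":
    main()
```

The only clean fix is to move off the 64-bit block cipher, as Pippin and the OpenVPN wiki say; bounding the data per key is a stopgap.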



  • @Pippin, interesting info.  Thanks for the reading.

