Pfsense hardware for max ipsec / vpn throughput



  • I've been using checkpoint boxes for years (soho type devices, currently on 680 series).  I've got 2 locations on Verizon FIOS that I connect via ipsec/vpn.  One side is 150/150 but the other side has been limited by Verizon's order system (residential+business on one ONT, long story).  It's at 75/75.  In the near future I'm going to have both sides at 300/300.  Those speeds will likely overrun my checkpoint boxes on VPN transfers and I'm also looking at FIOS Gig which is available.  Very few hardware vendors have boxes for gig, especially when I'm looking at ipsec/vpn throughput.  Saying I'll get 480mbps vpn is total defeat on a gig line.  I'd like to see the vpn speed match the line speed.

    My big want would be to develop a pfsense box (I love building), that could achieve full line speed across the ipsec / vpn for gigabit FIOS.  I would be moving data (backup data) across the line after hours.  Only a few users on each side, basic internet consumption so the high bar here is the vpn throughput.

    Ubiquiti is coming out with a box, the ER-4, which is supposed to be a performer, but no schedule on when it would be available, and not much in the way of vpn/speed throughput.  They are still working through some firmware issues related to offload.

    So I'm guessing a fan-less device would be out of the question for pfSense based on my needs?  i3? i5? i7? Xeon?  Just trying to get a handle on what it would take for pfsense to do this job.  Then I have to figure out if it works financially.  Getting gig speeds over vpn seems like quite a challenge.

    Thanks,

    Roveer



  • I am still confused by all the numbers you talk about here, sorry for that, but it could also be down to my
    English language skills.

    You say you actually have 75/75 and want to upgrade it to 300/300 in the near or later future, is this right?
    But you are sometimes talking about 1 GBit/s speed on the WAN, together with being able to get full
    VPN throughput from the line speed then; is this the 300/300 line speed or the 1 GBit/s line speed at the
    WAN port!? This is not really clear to me.

    Edit: typo!



  • @BlueKobold:

    I am still confused by all the numbers you talk about here, sorry for that, but it could also be down to my
    English language skills.

    You say you actually have 75/75 and want to upgrade it to 300/300 in the near or later future, is this right?
    But you are sometimes talking about 1 GBit/s speed on the WAN, together with being able to get full
    VPN throughput from the line speed then; is this the 300/300 line speed or the 1 GBit/s line speed at the
    WAN port!? This is not really clear to me.

    Edit: typo!

    Today I am at 75/75 on one side of my vpn.  My current equipment keeps up.

    Soon (1 month) I will be at 300/300 both sides and my current equipment will not be able to keep up.

    In the future (maybe a year or so), I might be 1g/1g both sides (actually not full gig, but Verizons 800/700ish FIOS)

    So If I am going to research, purchase, configure and install new firewall hardware I want to try and do it for my eventual line speed which will be FIOS gig service.  I really don't want to have to do this twice, once for when I go to 300/300 and again when I move to gig.  I'd like to determine what equipment can do full gig vpn and install that now.

    I hope my explanation is clearer.  Sorry for the confusion.



  • Today I am at 75/75 on one side of my vpn.  My current equipment keeps up.

    If I had to choose new hardware today, I'd wait until the new Supermicro boards are both on the market:
    Intel Xeon D-15xxN (3rd generation) and the Intel Atom C3000 (Denverton), and until they are fully supported
    by NIC drivers too! And then one of these two new chips will be mine. For sure I might have to wait a small time
    period, but then I am able to choose between boards coming with AES-NI, Intel QAT and DPDK support.

    Soon (1 month) I will be at 300/300 both sides and my current equipment will not be able to keep up.

    Again, I really would wait, as a minimum, for the newer hardware from Netgate.

    In the future (maybe a year or so), I might be 1g/1g both sides (actually not full gig, but Verizons 800/700ish FIOS)

    Intel C2000 vs Intel C3000 AES-NI
    And from the 3rd generation Intel Xeon D-15xxN I personally expect a little bit more than from the Denverton platform.

    So If I am going to research, purchase, configure and install new firewall hardware I want to try and do it for my eventual line speed which will be FIOS gig service.  I really don't want to have to do this twice, once for when I go to 300/300 and again when I move to gig.

    Is FIOS using PPPoE on its 1 GBit/s Internet connection?

    I'd like to determine what equipment can do full gig vpn and install that now.

    This might be too high in price if we are talking about 1 GBit/s OpenVPN speed; if we are talking about
    IPsec VPN speed this might be possible to realize. With a small Intel Atom C2558 (Rangeley) you might be
    able to push ~470 MBit/s over an IPsec VPN tunnel, and the Denverton is stronger and the D-15xxN
    will top this once more again! So it is also possible to realize it with common consumer PC hardware
    if the CPU is strong enough and comes with AES-NI.

    I hope my explanation is clearer.  Sorry for the confusion.

    Yes, it is! You might wait one month or two and perhaps Netgate will bring out their new
    hardware based on a C3000 (Denverton) SoC by then; this might be better for you to decide whether to go
    with it, in my eyes.

    So all variants are open to you: you may go with the new Netgate hardware, the Denverton based Supermicro
    boards or the newer Xeon D-15xxN boards (not able to get hands on today), or plain strong enough consumer PC
    hardware, as you need or wish!
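A quick sizing check for the point made above (IPsec throughput is bounded by the CPU's AES performance, so verify AES-NI and measure raw cipher speed before buying). This is an added example, not code from the thread or from pfSense; the CPU flags line and the openssl speed row are constructed samples, the 2x headroom margin is an assumption, and the live commands in the comments assume a pfSense/FreeBSD or Linux shell with openssl installed.

```shell
#!/bin/sh
# Added example (not from the thread): rough "can this CPU keep up" check for IPsec.
# Both inputs are parsed as text so the logic runs offline:
#   1) a CPU feature line (Linux /proc/cpuinfo "flags" or FreeBSD dmesg "Features2=<...>")
#   2) the result row of `openssl speed -evp aes-128-gcm`
# openssl speed is single-core raw cipher throughput on large blocks, so it is an
# upper bound: ESP encapsulation, ~1400-byte packets and kernel overhead all cost extra.

# Prints "yes" if an AES-NI marker ("aes" on Linux, "AESNI" on FreeBSD) appears in the text.
aesni_from_text() {
    if printf '%s\n' "$1" | grep -Eiq '(^|[[:space:],<])(aes|aesni)([[:space:],>]|$)'; then
        echo yes
    else
        echo no
    fi
}

# Converts the last column (largest block size, in kB/s) of an openssl speed row to Mbit/s.
speed_to_mbps() {
    printf '%s\n' "$1" | awk '/^aes-/ { v = $NF; sub(/k$/, "", v); printf "%d\n", v * 8 / 1000 }'
}

# "yes" if the measured cipher rate leaves at least 2x headroom over the target line rate.
# The 2x margin is an assumed allowance for ESP/packet overhead, not a number from the thread.
meets_line_rate() {
    mbps=$1; target=$2
    if [ "$mbps" -ge $((target * 2)) ]; then echo yes; else echo no; fi
}

# Constructed samples (not real measurements).
SAMPLE_FLAGS='flags : fpu vme sse2 aes avx2'
SAMPLE_SPEED='aes-128-gcm     600000.00k  1500000.00k  2500000.00k  3000000.00k  3200000.00k  3250000.00k'

# Live use on the box itself (pfSense/FreeBSD or Linux):
#   grep -m1 -E 'flags|Features2' /proc/cpuinfo /var/run/dmesg.boot 2>/dev/null
#   openssl speed -evp aes-128-gcm 2>/dev/null | grep '^aes-'
demo() {
    aes=$(aesni_from_text "$SAMPLE_FLAGS")
    mbps=$(speed_to_mbps "$SAMPLE_SPEED")
    echo "AES-NI: $aes, raw AES-128-GCM: ${mbps} Mbit/s, gig-line headroom: $(meets_line_rate "$mbps" 1000)"
}
demo
```

Feed the live outputs into the two parsers in place of the samples; a "no" from the headroom check means the box will likely cap the tunnel below line rate regardless of the NIC.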