C2758 vs C3758 for Gigabit VPN?



  • Need a low powered CPU that can handle close to 1Gbps VPN.  I'd prefer to use OpenVPN but realize that's probably not going to happen based on its single threaded nature.  Will the C2758 suffice or should I go for the C3758?



  • While others with more knowledge than me will hopefully weigh in on this, I can say with pretty much certainty no C2000 chip is going to hit gigabit openvpn or even ipsec on pfsense. I'm very curious about the C3000 series as well..



  • @diablo266:

    While others with more knowledge than me will hopefully weigh in on this, I can say with pretty much certainty no C2000 chip is going to hit gigabit openvpn or even ipsec on pfsense. I'm very curious about the C3000 series as well..

    So what is the lowest powered CPU that can hit 1Gbps VPN in pfSense?



  • if you need gbit vpn you either need multiple processes or something other than openvpn. (you can also do it with some crazy openvpn configs that work in lab conditions but will cause pain sooner or later in actual internet use, but I don't count those.)



  • For max speed, ipsec.



  • @kejianshi:

    For max speed, ipsec.

    I'm happy to use ipsec.  I just need to find a CPU that can do 1Gbps ipsec.



  • Building or buying?  If you want to buy one, the pfsense admins know exactly which netgate systems can do it.



  • @kejianshi:

    Building or buying?  If you want to buy one, the pfsense admins know exactly which netgate systems can do it.

    Building.  I just need the CPU/MoBo combo to replace my J1900 in one of the two sites as I have the rest of the parts for everything already in place (RAM, SataDOM, Chassis, PSU, etc.).



  • So, you need a mobo and a cpu?  What's your feeling about power use and fans?



  • @kejianshi:

    So, you need a mobo and a cpu?  What's your feeling about power use and fans?

    As my OP states I'm looking for as low power as possible.  I have a spare Xeon D-1508 board I could use which is a 25w CPU but that's about as high on the TDP as I want to go.



  • https://forum.pfsense.org/index.php?topic=127757.msg707310#msg707310  (confirmed to work)

    I'd consider the Intel Core i3-7350K @ 4.20GHz since it is one of the fastest single thread cpus you can get.  Make sure the board supports it.  And the power.



  • Never tested with ipsec that I can tell, but anything with that much guts for openvpn is going to max out a 1gb wire speed.



  • I have an i3-6100 in another system that I could rearrange and use but was hoping to avoid using something that powerful.  This system is going to be sitting in the basement of my parents house with no cooling.

    Maybe I'll set up a test bed between the i3-6100 and the C2758 and see what results I get.



  • My method is like this…  In situations like that where you want big performance.

    Put it in a normal PC case.  Use a fanless power supply.

    Attach a way overkill heat sink like you might use on a 130w processor.  Attach a fan.

    Attach a fan to the PSU anyway...

    Put in a case fan...

    It will be ice cold and if all the fans fail it will keep working anyway.

    The one I'm using now is very old and is just such a setup.  Also sitting in the basement of my house in Maryland.  Not touched in 5 years.

    Fanless is better if you have the money.



  • Like this….

    It will never ever get hot...

    ![Screenshot-2017-11-2 pfsensegateway localdomain - Status Dashboard.png](/public/imported_attachments/1/Screenshot-2017-11-2 pfsensegateway localdomain - Status Dashboard.png)



  • Haha nice, yea that thing is good to go.

    This project is really getting out of hand and over budget unfortunately.  This all started when both my parents and I got Gigabit fiber which is allowing me to move my local backup server off-site to their house (Site B) for weekly backups.  Buying a new CPU/MoBo combo to replace the current J1900 I have there in Site B and just slapping it into the current NUC sized Mini-ITX case was really the plan.  That plan is clearly going off the rails now.

    Maybe I need to rethink what my actual needs are.  As much as I'd like to saturate my gigabit link, if I can even get 50MB/s file transfers that would probably suffice.



  • I get gigabit throughput with about 60% processor using an old celeron.  Similar setup to what I just told you about.  $75

    That board you said you have laying around will do it….  Just strap on a huge heatsink, just to be sure.



  • Yeah - the Intel Xeon D-1518 is only 35w.  And has AES-NI support.  You have what you need already.



  • @kejianshi:

    I get gigabit throughput with about 60% processor using an old celeron.  Similar setup to what I just told you about.  $75

    That board you said you have laying around will do it….  Just strap on a huge heatsink, just to be sure.

    You get gigabit throughput across a Site-to-Site VPN?  If so, with what settings?



  • @kejianshi:

    Yeah - the Intel Xeon D-1518 is only 35w.  And has AES-NI support.  You have what you need already.

    I have the Xeon D-1508, not 1518.  Half the cores/threads.



  • No, I haven't tested with ipsec.  However, I've seen people test 8 core atom boards with less guts than your board and get gigabit speed.

    It's not hard to beat them as long as you have good per core performance, 2 or more cores and compatible gigabit NICs.

    It just gets hard and expensive when you try to do it with a fanless computer the size of a couple packs of cigarettes.



  • @kejianshi:

    No, I haven't tested with ipsec.  However, I've seen people test 8 core atom boards with less guts than your board and get gigabit speed.

    It's not hard to beat them as long as you have good per core performance, 2 or more cores and compatible gigabit NICs.

    It just gets hard and expensive when you try to do it with a fanless computer the size of a couple packs of cigarettes.

    Wait, I'm confused.  So the C2758 SHOULD do close to 1Gbps IPsec?  Because if it does then that solves all my issues.





  • @kejianshi:

    https://store.netgate.com/pfSense/C2758.aspx

    160

    However, I've seen people test 8 core atom boards with less guts than your board and get gigabit speed.

    What 8 core atom board are you referring to then?



  • I thought I was referring to that one!



  • @kejianshi:

    I thought I was referring to that one!

    So the reason I'm confused is in one post you say you've seen people with the C2758 (an 8 core atom board) hit gigabit vpn speed but then in the next post you say it only hits 160 as per Netgate.

    What am I missing?



  • haha.  You are missing me being mistaken about the throughput of that board.

    But I went looking again at an intel paper on ipsec and their chips and it does look like the best single core performance wins.

    https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/aes-ipsec-performance-linux-paper.pdf

    Notice their testing is 1 core and 1 tunnel.  Or 6 cores and 6 tunnels.  Then 12 cores and 12 tunnels.

    I still like the i3 kaby lake.



  • @kejianshi:

    https://store.netgate.com/pfSense/C2758.aspx

    160

    For some bizarre reason they're quoting speeds without AES-NI there, and no AES-GCM. So, basically irrelevant.



  • @kejianshi:

    haha.  You are missing me being mistaken about the throughput of that board.

    But I went looking again at an intel paper on ipsec and their chips and it does look like the best single core performance wins.

    https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/aes-ipsec-performance-linux-paper.pdf

    Notice their testing is 1 core and 1 tunnel.  Or 6 cores and 6 tunnels.  Then 12 cores and 12 tunnels.

    I still like the i3 kaby lake.

    I don't entirely understand what you think you're seeing there. It has a single westmere core doing ~2Gbps IPSec 7 years ago on linux 2.6.



  • @JimPhreak:

    Haha nice, yea that thing is good to go.

    This project is really getting out of hand and over budget unfortunately.  This all started when both my parents and I got Gigabit fiber which is allowing me to move my local backup server off-site to their house (Site B) for weekly backups.  Buying a new CPU/MoBo combo to replace the current J1900 I have there in Site B and just slapping it into the current NUC sized Mini-ITX case was really the plan.  That plan is clearly going off the rails now.

    Maybe I need to rethink what my actual needs are.  As much as I'd like to saturate my gigabit link, if I can even get 50MB/s file transfers that would probably suffice.

    How are you planning to do the backups?



  • I think I see a scenario where speed per tunnel is linked to speed per core.  So unless you need many tunnels, a few very fast cores is best.



  • @kejianshi:

    I think I see a scenario where speed per tunnel is linked to speed per core.  So unless you need many tunnels, a few very fast cores is best.

    7 years ago. On linux 2.6.



  • I'm not sure what your point is?  Perhaps I'm approaching this the wrong way.

    What would be the least expensive option to get 1 gb per sec on ipsec?  Today.



  • @kejianshi:

    I'm not sure what your point is?  Perhaps I'm approaching this the wrong way.

    The point is that quoting a paper that's almost a decade old for an obsolete version of a different operating system is not a useful way to predict performance characteristics.



  • OK - So, what would you suggest?  Do you have specs and testing for something that is shown to support wire speed on a gigabit to gigabit connection?
    My feeling is that for a single tunnel the fastest dual core processor with AES-NI and a good Intel NIC will win.  I haven't found anything better.

    I'm also interested in seeing an actual test of two kaby lake pfsense with IPSEC throughput.



  • @VAMike:

    @JimPhreak:

    Haha nice, yea that thing is good to go.

    This project is really getting out of hand and over budget unfortunately.  This all started when both my parents and I got Gigabit fiber which is allowing me to move my local backup server off-site to their house (Site B) for weekly backups.  Buying a new CPU/MoBo combo to replace the current J1900 I have there in Site B and just slapping it into the current NUC sized Mini-ITX case was really the plan.  That plan is clearly going off the rails now.

    Maybe I need to rethink what my actual needs are.  As much as I'd like to saturate my gigabit link, if I can even get 50MB/s file transfers that would probably suffice.

    How are you planning to do the backups?

    Mainly using Veeam.  I'll map my offsite backup server as a backup repository in Veeam and do direct snapshot backups to it.  I also back up my PC images and documents that go to my onsite storage server.  So from there I can either do SMB file transfers or rsync since both servers are Linux based.



  • Your board you already have will work great.  I'm thinking about the future.  Does it have AES-NI?  You will get a lot faster than 50 unless something is broken.



  • @kejianshi:

    Your board you already have will work great.  I'm thinking about the future.  Does it have AES-NI?

    Which board are you talking about?  My two endpoints are as follows:

    Site A:  Avoton C2758 (AES-NI)
    Site B:  Celeron J1900 (no AES-NI)

    I was hoping that the 2758 would be able to handle gigabit IPSec so that I could just replace Site B and be done with it.



  • Site A:  Avoton C2758 (AES-NI)
    Site B:  Celeron J1900 (no AES-NI)

    The J1900 is a no go long term due to future AES-NI requirement.

    The C2758 might not be very fast with just 1 tunnel.  But its total power for doing lots of things at once is really nice.

    For this task I like the old Xeon processor and board you talked about.  You have one right?  Just as long as it supports AES-NI.

    You wouldn't want to use the j1900 and just have to pull it back out in a year.



  • @kejianshi:

    Site A:  Avoton C2758 (AES-NI)
    Site B:  Celeron J1900 (no AES-NI)

    The J1900 is a no go long term due to future AES-NI requirement.

    The C2758 might not be very fast with just 1 tunnel.  But its total power for doing lots of things at once is really nice.

    For this task I like the old Xeon processor and board you talked about.  You have one right?

    I have the following two CPU/board combos available.  I'd prefer not to use the Xeon D since it has an on board LSI HBA able to support 16 drives that will be wasted in a pfSense box.  And the i3 board I have wouldn't really work since it only has a single onboard NIC so I'd have to buy a PCIe NIC and a new case.  I could take the i3 and find a different board for it but it's hard to find mini-itx i3 boards that have multiple NICs.

    Xeon D CPU/board:  https://www.supermicro.com/products/motherboard/Xeon/D/X10SDV-2C-7TP4F.cfm

    i3-6100 CPU:  https://ark.intel.com/products/90729/Intel-Core-i3-6100-Processor-3M-Cache-3_70-GHz
    ASRock Board:  http://www.asrock.com/mb/Intel/H110M-ITXac/

