Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Trying to decide on hardware, IPSEC and OpenVPN server/client

    Hardware
    3
    21
    1898
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      A Former User last edited by

      I am trying to figure out which hardware I need, next. My current site is running off of old hardware and my VPN speeds (via IPSEC tunnel and OpenVPN client on windows 10) never exceed 10 Mbps. It turns out the CPU in my pfsense box isn't VPN friendly.

      Before I go and buy a pre-built box from the pfsense store (looking at SG-3100) I want to make sure I don't find myself in the same situation.

      The main thing I'm looking for are better speeds over IPSEC VPN and OpenVPN server/client. I'd have a 3100 on both sides of the tunnel, but I'd start by buying 1 to test OpenVPN server/client. If the speeds are improved, then I'd by a second one to solve the IPSEC tunnel issue.

      Can someone confirm VPN speeds with this hardware?

      Thanks.

      1 Reply Last reply Reply Quote 0
      • NollipfSense
        NollipfSense last edited by

        You might have to be the Guinea Pig as not everyone with such box doing exactly what you desire to do.

        pfSense+ 22.01 Lenovo Thinkcentre M93P SFF Quadcore i7 Raid-ZFS 128GB-SSD 32GB-RAM PCI-dual Intel i350 NIC.

        1 Reply Last reply Reply Quote 0
        • ?
          A Former User last edited by

          @NollipfSense:

          You might have to be the Guinea Pig as not everyone with such box doing exactly what you desire to do.

          I have a very hard time believing there aren't any 3100 owners that are not using OpenVPN and/or IPSEC. Even if that were true, I don't know why anyone would buy the hardware when someone from the netgate team could easily test this.

          I'm not against building my own setup, I just don't want to do it with older computer parts that won't give me the CPU support needed for OpenVPN/IPSEC. Also, I'm referring to the traditional PC with large power supplies, I would build something or buy something pre-built as long as it doesn't throttle me to 10 Mbps when the connection is 100 Mbps or better on both sites. I'm not expecting 100 Mbps over the VPN, but maxing out at 10 Mbps is not acceptable.

          1 Reply Last reply Reply Quote 0
          • ?
            A Former User last edited by

            I just remembered that I have a small PC I built, years ago, that isn't being used, it has a Intel Core i5-3350P Ivy Bridge Quad-Core 3.1GHz CPU and two NICs. I'll have to install pfsense on here and test out OpenVPN/IPSEC speeds.

            Here is a link to the specs of the CPU- https://ark.intel.com/products/69114/Intel-Core-i5-3350P-Processor-6M-Cache-up-to-3_30-GHz

            Intel 64- Yes
            Instruction Set- 64-bit
            Intel AES New Instructions- Yes

            1 Reply Last reply Reply Quote 0
            • ?
              Guest last edited by

              It will work just fine.

              1 Reply Last reply Reply Quote 0
              • ?
                A Former User last edited by

                @johnkeates:

                It will work just fine.

                The 3100 will work just fine or the CPU I plan on testing with will work fine?

                Edit- or both will work just fine?

                1 Reply Last reply Reply Quote 0
                • ?
                  Guest last edited by

                  @tdhuck:

                  @johnkeates:

                  It will work just fine.

                  The 3100 will work just fine or the CPU I plan on testing with will work fine?

                  Edit- or both will work just fine?

                  Both indeed. Also, if you want a better aim so you know what you'll need, we have to know your raw uplink/downlink speeds and preferred VPN speeds. De 3100 and any i5 will, however, have no problems pushing 90Mbit-ish AES VPN at least, but an i5 will probably get close to 1000Mbit if you don't set to much crypto.

                  1 Reply Last reply Reply Quote 0
                  • ?
                    A Former User last edited by

                    @johnkeates:

                    @tdhuck:

                    @johnkeates:

                    It will work just fine.

                    The 3100 will work just fine or the CPU I plan on testing with will work fine?

                    Edit- or both will work just fine?

                    Both indeed. Also, if you want a better aim so you know what you'll need, we have to know your raw uplink/downlink speeds and preferred VPN speeds. De 3100 and any i5 will, however, have no problems pushing 90Mbit-ish AES VPN at least, but an i5 will probably get close to 1000Mbit if you don't set to much crypto.

                    The location of the main pfsense box is ~100 Mbps down and ~30 Mbps up and the location where I'll be using OpenVPN is 100 Mbps down/up and I'll be running OpenVPN client on a windows 10 laptop.

                    The IPSEC tunnel will use the main pfsense box (speeds above) and the other end of the IPSEC tunnel is ~50 Mpbs down and ~15 Mbps up.

                    I know that a good CPU is needed for improved VPN performance, but I also thought AES-NI was needed. Is that true? If not, which is more important for better VPN performance?

                    Anything is better than 10 Mbps over a VPN tunnel and OpenVPN client, which is where I am at, today.

                    I'll be testing the spare PC with the CPU specs I posted above, hopefully today.

                    1 Reply Last reply Reply Quote 0
                    • ?
                      Guest last edited by

                      You need AES-NI and good CPU clock speeds. Two threads at the same time is good, but more than that won't actually improve performance in a noticeable manner.

                      OpenVPN is still single-threaded so only clock speeds help that, as well as AES-NI and other offloading functions. (but only AES-NI at this time it seems)

                      I think you should try the i5, if that gets you the speed you need, the only thing you'll have to think about is power consumption. If it turns out the i5 box doesn't actually use that much (40 watts or less) you can just leave it as-is depending on your power cost. If it's more, it'll get interesting to look at the 3100 in terms of optimisation of cost.

                      1 Reply Last reply Reply Quote 0
                      • ?
                        A Former User last edited by

                        @johnkeates:

                        You need AES-NI and good CPU clock speeds. Two threads at the same time is good, but more than that won't actually improve performance in a noticeable manner.

                        OpenVPN is still single-threaded so only clock speeds help that, as well as AES-NI and other offloading functions. (but only AES-NI at this time it seems)

                        I think you should try the i5, if that gets you the speed you need, the only thing you'll have to think about is power consumption. If it turns out the i5 box doesn't actually use that much (40 watts or less) you can just leave it as-is depending on your power cost. If it's more, it'll get interesting to look at the 3100 in terms of optimisation of cost.

                        I have the new box setup, but I am currently on site and won't have a chance to test OpenVPN in my normal network/setup for a couple more days. I enabled AES-NI

                        CPU Type Intel(R) Core(TM) i5-3350P CPU @ 3.10GHz
                        Current: 3100 MHz, Max: 3101 MHz
                        4 CPUs: 1 package(s) x 4 core(s)
                        AES-NI CPU Crypto: Yes (active)
                        Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM

                        Under the misc. options, I set it to, 'AES-NI CPU-based acceleration' and saved the setting.

                        I do plan on using this for IPSEC and OpenVPN, not one or the other, hopefully the change I made above is adequate for both.

                        EDIT- I was able to do some initial testing with OpenVPN on my phone. When using my phone and OpenVPN, I am not concerned with speed, I mainly use the Synology DS Camera App to view a camera at home. Before testing AES-NI enabled on this box, and using it for years on my old box w/o AES-NI, I was able to connect to OpenVPN and view the camera, everything worked great.

                        I enabled AES-NI (see above) on the new box and I can connect to the camera app just fine, but the video is either 10 seconds behind audio is basically live, no delay or the video freezes once I enter in the frame. I'll start walking, on camera, but I see a frozen image on my phone (disconnected from home wifi, connected to OpenVPN over cell network).

                        I immediately disable AES-NI, basically putting it back to the default option, and the camera image freezing issue goes away.

                        This is only one of my tests, I still want to test speeds when I am on a remote network (not cellular) using my laptop.

                        EDIT 2- Now I'm not convinced AES-NI being active is related to the issue, I took a second look at my phone and apparently I am getting poor reception, which wasn't the case, several months ago. I have re-enabled AES-NI and I'll have to wait until I am on another network to test from my laptop and from cellular, assuming I have a better cellular connection.

                        1 Reply Last reply Reply Quote 0
                        • ?
                          A Former User last edited by

                          Tested at one of the locations (via IPSEC) and it appears the tunnel is still capped at 10 Mbps down with the new CPU.

                          1 Reply Last reply Reply Quote 0
                          • ?
                            Guest last edited by

                            @tdhuck:

                            Tested at one of the locations (via IPSEC) and it appears the tunnel is still capped at 10 Mbps down with the new CPU.

                            Keep in mind that this depends on both sides of the connection. So a weak client will still limit you.

                            1 Reply Last reply Reply Quote 0
                            • ?
                              A Former User last edited by

                              @johnkeates:

                              @tdhuck:

                              Tested at one of the locations (via IPSEC) and it appears the tunnel is still capped at 10 Mbps down with the new CPU.

                              Keep in mind that this depends on both sides of the connection. So a weak client will still limit you.

                              I'm not convinced. What you say is absolutely true, but there has to be another issue, somewhere. I just disconnected the IPSEC tunnel and opened up my NAS to the internet and started to transfer a 3GB ISO file, I am still being capped at 10 Mbps w/o going through a VPN and having to worry about encryption throughput. Something seems like it isn't functioning at 100%

                              1 Reply Last reply Reply Quote 0
                              • ?
                                Guest last edited by

                                In that case, do have a different problem indeed. Make sure pfSense's interfaces are setup correctly (automatic mode etc) and check if any Link status LED's match the link speeds. If those are good, you probable have to look outside of pfSense to find the problem. Have you tried iperf yet? And packet capture to figure out if maybe a lot of trash is happening on the network?

                                This speed is not related to the CPU or anything like that, even a pentium 3 pulls much more bits than that.

                                1 Reply Last reply Reply Quote 0
                                • ?
                                  A Former User last edited by

                                  @johnkeates:

                                  In that case, do have a different problem indeed. Make sure pfSense's interfaces are setup correctly (automatic mode etc) and check if any Link status LED's match the link speeds. If those are good, you probable have to look outside of pfSense to find the problem. Have you tried iperf yet? And packet capture to figure out if maybe a lot of trash is happening on the network?

                                  This speed is not related to the CPU or anything like that, even a pentium 3 pulls much more bits than that.

                                  Right, I'm convinced there is another issue since I am seeing these same issues with my other pfsense box, this rules out the interfaces, I would think, I doubt I'd have issues with interfaces on two different pfsense boxes.

                                  My ISP equipment is a cable modem that is in bridge mode, I don't have issues getting full speeds when I am at the main network and running a speed test. Latency/ping/speeds all look normal. I stream 4k media all the time and have never seen buffering/pixelation/etc. I'm not saying that nothing needs to be checked, I am simply pointing out that there aren't any obvious issues to make me think something is wrong with the circuit.

                                  I do think the problem is at the main connection since I experience the same 10 Mbps when I am at several different locations, two of those locations have connections of 100 Mbps or better.

                                  I will say this, in all my tests, I am downloading files from my NAS, I guess I will start there and see if there is anything obvious. I do have two switches between my NAS box and the pfsense box, but all links should be gigabit (they were last time I checked).

                                  EDIT- I am not physically on site at the main location (where the new pfsense install was done, yesterday), but I used SSH over the IPSEC tunnel to check the port status, everything is connected at 1000 Mbps Full Duplex. I'll see if I can run iperf from both pfsense boxes and see what that shows…

                                  1 Reply Last reply Reply Quote 0
                                  • ?
                                    Guest last edited by

                                    Also see if you can try iperf between de NAS and pfSense or another device on the same switch.

                                    1 Reply Last reply Reply Quote 0
                                    • ?
                                      A Former User last edited by

                                      @johnkeates:

                                      Also see if you can try iperf between de NAS and pfSense or another device on the same switch.

                                      Here are the results from iperf between the two pfsense boxes, no VPN, I opened up port 5001 on the main (new) pfsense box.

                                      Not looking good…


                                      Client connecting to xxx.xxx.xxx.xxx, TCP port 5001
                                      TCP window size: 64.2 KByte (default)

                                      [  3] local xxx.xxx.xxx.xxx port 50004 connected with xxx.xxx.xxx.xxx port 5001
                                      [ ID] Interval      Transfer    Bandwidth
                                      [  3]  0.0-10.0 sec  7.25 MBytes  6.06 Mbits/sec

                                      1 Reply Last reply Reply Quote 0
                                      • ?
                                        A Former User last edited by

                                        Here are the results when running iperf on a device connected to the main switch where the new pfsense box is located (not running off NAS). IPSEC/VPN tunnel

                                        This is the server side:
                                        [ ID] Interval          Transfer    Bandwidth
                                        [  5]  0.00-1.00  sec  634 KBytes  5.18 Mbits/sec                 
                                        [  5]  1.00-2.00  sec  1.08 MBytes  9.05 Mbits/sec                 
                                        [  5]  2.00-3.00  sec  1.25 MBytes  10.5 Mbits/sec                 
                                        [  5]  3.00-4.00  sec  1.38 MBytes  11.5 Mbits/sec                 
                                        [  5]  4.00-5.00  sec  1.24 MBytes  10.4 Mbits/sec                 
                                        [  5]  5.00-6.00  sec  1.29 MBytes  10.8 Mbits/sec                 
                                        [  5]  6.00-7.00  sec  1.19 MBytes  9.97 Mbits/sec                 
                                        [  5]  7.00-8.00  sec  1.28 MBytes  10.7 Mbits/sec                 
                                        [  5]  8.00-9.00  sec  1.18 MBytes  9.92 Mbits/sec                 
                                        [  5]  9.00-10.00  sec  1.15 MBytes  9.70 Mbits/sec                 
                                        [  5]  10.00-10.04  sec  28.3 KBytes  6.03 Mbits/sec


                                        [ ID] Interval          Transfer    Bandwidth
                                        [  5]  0.00-10.04  sec  0.00 Bytes  0.00 bits/sec                  sender
                                        [  5]  0.00-10.04  sec  11.7 MBytes  9.77 Mbits/sec                  receiver

                                        This is the client side:
                                        [ ID] Interval          Transfer    Bandwidth      Retr  Cwnd
                                        [  4]  0.00-1.00  sec  724 KBytes  5.93 Mbits/sec    0  45.2 KBytes     
                                        [  4]  1.00-2.00  sec  1.10 MBytes  9.27 Mbits/sec    1  50.9 KBytes     
                                        [  4]  2.00-3.00  sec  1.27 MBytes  10.7 Mbits/sec    0  67.9 KBytes     
                                        [  4]  3.00-4.00  sec  1.37 MBytes  11.5 Mbits/sec    0  82.0 KBytes     
                                        [  4]  4.00-5.00  sec  1.28 MBytes  10.7 Mbits/sec    1  65.0 KBytes     
                                        [  4]  5.00-6.00  sec  1.29 MBytes  10.9 Mbits/sec    1  58.0 KBytes     
                                        [  4]  6.00-7.00  sec  1.15 MBytes  9.62 Mbits/sec    1  50.9 KBytes     
                                        [  4]  7.00-8.00  sec  1.30 MBytes  10.9 Mbits/sec    0  65.0 KBytes     
                                        [  4]  8.00-9.00  sec  1.19 MBytes  9.95 Mbits/sec    3  59.4 KBytes     
                                        [  4]  9.00-10.00  sec  1.14 MBytes  9.57 Mbits/sec    2  55.1 KBytes


                                        [ ID] Interval          Transfer    Bandwidth      Retr
                                        [  4]  0.00-10.00  sec  11.8 MBytes  9.90 Mbits/sec    9            sender
                                        [  4]  0.00-10.00  sec  11.7 MBytes  9.81 Mbits/sec                  receiver

                                        I've checked all interfaces on both pfsense boxes (via the pfsense GUI) everything is gigabit and full duplex. No errors/collisions.
                                        I've checked all the interfaces on the switches, everything is gigabit and full duplex. No errors/collisions.

                                        1 Reply Last reply Reply Quote 0
                                        • ?
                                          A Former User last edited by

                                          I have good news and bad news.

                                          Good news is that I am maxing out the connection at 10 Mbps on and off the VPN, on both pfsense boxes and now I know why (see bad news).

                                          Bad news is that the ISP must have changed something or I have a problem, when I do a speed test, I get 105 Mbps down and 11 Mbps up.

                                          Now that I know the upload is maxing at 11 Mbps, all my results are normal (see good news).

                                          However, I have never seen cable internet, at the 100 Mbps download tier, come with 10 Mbps of upload speed. I either have an issue on the line/in the network or the ISP did in fact change their upload speeds on their packages. I am absolutely certain that my upload was more than 10 Mbps, in the past.

                                          1 Reply Last reply Reply Quote 0
                                          • ?
                                            Guest last edited by

                                            Well, now we know. Bloody ISPs and their bad uploads!  :-X

                                            1 Reply Last reply Reply Quote 0
                                            • ?
                                              A Former User last edited by

                                              @johnkeates:

                                              Well, now we know. Bloody ISPs and their bad uploads!  :-X

                                              I am disappointed, years ago I had much better performance, but it was before I setup a VPN connection. I was simply streaming an IP camera (strong password and only allowed from specific WAN IPs) then I setup OpenVPN, speeds were not really an issue since the camera worked just fine, but I started testing file transfers and I always thought it was the encryption causing bad performance, turns out, the ISP is tweaking the tiers/packages. Upload doesn't matter as much as download, until/unless you are doing what I was wanting to do….....

                                              1 Reply Last reply Reply Quote 0
                                              • First post
                                                Last post