Netgate Discussion Forum

    Newbie to pfSense and need advice

    • kendalja

      Here is my current setup and the issue I am currently having. I have a Netgear R7000 router flashed with DD-WRT on it and run PIA VPN. When I connect through the VPN on the router I see max speeds of 30Mbps, and when disconnected from the VPN I see speeds of 100Mbps+. After doing some reading online it seems as though my router is not powerful enough to process the VPN, hence the bottleneck in my speeds. I would like to ask some people on here for opinions, as I do not have much knowledge of VPNs and how taxing they are or aren't on the router side of things. My goal ultimately when I got the R7000 was to have ALL my devices (wired and wireless) connect directly through the VPN, thus eliminating individual VPN client-based apps on all the devices. If I could, I would like to find a low-cost solution to my issue. If anyone has suggestions I am all ears. At this point I figure here are my options:

      1. Buy a pfSense preconfigured machine with built-in Wi-Fi and ditch the R7000
      2. Buy a pfSense preconfigured machine and still use the R7000 as an AP for all wireless devices.
      3. Build or buy something and configure it myself.

      I would really like to keep the price down, and if there is already a machine I can buy (older thin client) or something similar, again I am all ears. Looking for ideas/feedback/suggestions on my problem.

      Thanks and I appreciate everyone's time if you are reading this.

      • SammyWoo

        If your other VPN endpoint is not commercial, be aware you may have to take care of that end too. Yeah, combo boxes tend to have weak "just whet your appetite" performance. pfSense will do it and you can always throw a better CPU at it. Got an old PC box sitting around? That would be the best thing to use to test, just to see exactly how much CPU you need.

        • VAMike

          @kendalja:

          2. Buy a pfSense preconfigured machine and still use the R7000 as an AP for all wireless devices.

          Do this or get a dedicated AP. Don't bother trying to make pfSense an AP.

          • kendalja

            @VAMike:

            @kendalja:

            2. Buy a pfSense preconfigured machine and still use the R7000 as an AP for all wireless devices.

            Do this or get a dedicated AP. Don't bother trying to make pfSense an AP.

            Can you recommend any good preconfigured devices?

            • jahonix

              @kendalja:

              Can you recommend any good preconfigured devices?

              Do you mean pfSense pre-configured or the AP?

              You get pfSense devices from the Netgate store or a local rep; check netgate.com for where to buy.
              Access points usually come unconfigured, and I don't know of a single deviation from this rule.

              • kendalja

                @jahonix:

                @kendalja:

                Can you recommend any good preconfigured devices?

                Do you mean pfSense pre-configured or the AP?

                You get pfSense devices from the Netgate store or a local rep; check netgate.com for where to buy.
                Access points usually come unconfigured, and I don't know of a single deviation from this rule.

                I already have a Netgear R7000 that I can use as a wireless AP. I was asking about a preconfigured box for my VPN. I need one that can handle at least 100Mbps. Thanks!

                • Grimson (banned)

                  @kendalja:

                  I was asking about a preconfigured box for my VPN. I need one that can handle at least 100Mbps. Thanks!

                  As has already been said, the only legal hardware with pfSense already installed comes from Netgate: https://www.pfsense.org/products/

                  The configuration has to be done by yourself. If you are incapable or unwilling to learn how to do it you're simply in the wrong place here. Paid support might be willing to do it, but that's going to cost a lot of money.

                  • johnpoz (LAYER 8 Global Moderator)

                    pfSense out of the box is pretty clickity clickity to get up and running. Adding a VPN connection to that is pretty much just loading the config from whatever VPN service you want to connect to, many of which will route all traffic out the VPN, etc.

                    Where it becomes a bit more config is in the details of what else you might or might not want to do, exactly. An SG-3100 should be more than powerful enough to handle a 100Mbps connection.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • VAMike

                      @johnpoz:

                      Where it becomes a bit more config is in the details of what else you might or might not want to do, exactly. An SG-3100 should be more than powerful enough to handle a 100Mbps connection.

                      100Mbps OpenVPN?

                      • johnpoz (LAYER 8 Global Moderator)

                        "100Mbps OpenVPN?"

                        Well from Ivor on reddit

                        https://www.reddit.com/r/PFSENSE/comments/71sgeh/a_few_more_sg3100_photos_performance_numbers_in/
                        up to 95Mbps throughput with OpenVPN AES128-CBC SHA1

                        So I would say that's pretty freaking close.

                        And where did OP state OpenVPN?
                        up to 300Mbps throughput with IPsec AES128-CBC SHA1

                        • VAMike

                          @johnpoz:

                          "100Mbps OpenVPN?"

                          Well from Ivor on reddit

                          https://www.reddit.com/r/PFSENSE/comments/71sgeh/a_few_more_sg3100_photos_performance_numbers_in/
                          up to 95Mbps throughput with OpenVPN AES128-CBC SHA1

                          So I would say that's pretty freaking close.

                          Any real-world numbers? I don't know what "up to" means.

                          And where did OP state OpenVPN?
                          up to 300Mbps throughput with IPsec AES128-CBC SHA1

                          It's pretty common for consumer VPN.

                          • johnpoz (LAYER 8 Global Moderator)

                            I do not have an SG-3100 to play with, or I would be more than happy to do some actual testing.

                            But there are many VPN services that provide IPsec for the consumer. Do a simple Google search. PPTP is also still common ;) So if the user doesn't actually come out and state who they are using and what protocol, we're just guessing.

                            I would think that enough SG-3100s are out in the wild now that some real-world numbers with different VPN service providers and protocols are out there somewhere. I am saying what I have seen. I will keep an eye out for some more detailed reporting of VPN speeds.

                            • VAMike

                              @johnpoz:

                              But there are many VPN services that provide IPsec for the consumer. Do a simple Google search. PPTP is also still common ;) So if the user doesn't actually come out and state who they are using and what protocol, we're just guessing.

                              I felt the same after seeing an unconditional recommendation that a particular product would meet the requirements. ;-)

                              I would think that enough SG-3100s are out in the wild now that some real-world numbers with different VPN service providers and protocols are out there somewhere.

                              You'd think, yet I haven't seen any. Hence the question about whether there was any real third party experience behind the recommendation. Apparently not.

                              • Guest

                                Don't get the SG-3100, it's right on the edge of what you need; if your needs change just slightly you'll be running into problems. Get a mobile i5 type of box; that's the power you need to get it running for today and the next 5 years as well.

                                • ivor

                                  @VAMike:

                                  You'd think, yet I haven't seen any. Hence the question about whether there was any real third party experience behind the recommendation. Apparently not.

                                  Those numbers are valid and we stand behind them. I can confirm many 3100 owners were satisfied with those speeds (thousands of units sold).

                                  @johnkeates:

                                  Don't get the SG-3100, it's right on the edge of what you need; if your needs change just slightly you'll be running into problems. Get a mobile i5 type of box; that's the power you need to get it running for today and the next 5 years as well.

                                  100Mbps OpenVPN seems to be fine for OP's requirements; you won't get some huge OpenVPN speeds from that i5 anyway. The 3100 can deliver up to 300Mbps with IPsec too. If that's not enough we have higher-end appliances as well.

                                  Future-wise, all pfSense official appliances will have an opportunity to have a lot better OpenVPN performance. I can't comment right now about it, since new technologies are still in development.

                                  Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                                  • Guest

                                    @ivor:

                                    @VAMike:

                                    You'd think, yet I haven't seen any. Hence the question about whether there was any real third party experience behind the recommendation. Apparently not.

                                    Those numbers are valid and we stand behind them. I can confirm many 3100 owners were satisfied with those speeds (thousands of units sold).

                                    @johnkeates:

                                    Don't get the SG-3100, it's right on the edge of what you need; if your needs change just slightly you'll be running into problems. Get a mobile i5 type of box; that's the power you need to get it running for today and the next 5 years as well.

                                    100Mbps OpenVPN seems to be fine for OP's requirements; you won't get some huge OpenVPN speeds from that i5 anyway. The 3100 can deliver up to 300Mbps with IPsec too. If that's not enough we have higher-end appliances as well.

                                    Future-wise, all pfSense official appliances will have an opportunity to have a lot better OpenVPN performance. I can't comment right now about it, since new technologies are still in development.

                                    Well, most of those speeds are possible while also limited to AES-128 in CBC mode with SHA1. Doesn't mean it's bad, and in this case the threat model probably doesn't require better crypto or hashing. So while not a problem today, buying something that is 'good' right now doesn't mean it will be 'good' in 3 years. And replacing it every 3 years is rather soon for a home setup.

                                    I'd say, the SG-3100 would be a good choice if you're up to 60Mbit now, and want it to last and cover most changes for a period of 5 years.
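
The two practical questions raised in this thread, how much CPU a box needs for a 100Mbps tunnel (SammyWoo's "test it on an old PC" suggestion) and what stronger crypto than AES-128-CBC with SHA1 costs (the post just above), can be rough-checked with the following added shell script. It is not from the thread or from Netgate; the 4x headroom factor, the cipher pair and the sample openssl output embedded in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Netgate: size a CPU for a VPN link
# from `openssl speed -evp` results. The 4x safety factor and the sample output
# below are assumptions; AES-128-CBC + SHA1 is the cipher set behind the 95Mbps
# SG-3100 figure quoted in the thread, AES-256-GCM stands in for "better crypto".

# Turn one cipher's `openssl speed -evp <cipher>` line into Mbit/s, using the
# 1024-byte column (closest to a typical VPN packet). Reads the speed output on
# stdin; fails if the cipher line is missing.
speed_to_mbps() {
    awk -v cipher="$1" '
        # openssl prints: <cipher> <16B>k <64B>k <256B>k <1024B>k <8192B>k ...
        $1 == cipher && $5 ~ /k$/ {
            sub(/k$/, "", $5)
            printf "%d\n", $5 * 1000 * 8 / 1000000   # 1000-byte/s units -> Mbit/s
            found = 1
        }
        END { exit !found }'
}

# Does the raw cipher rate leave headroom for the tunnel? OpenVPN adds HMAC,
# tun/tap copies and userland context switches on top of encryption, so we
# (assumption) demand `factor` times the link rate from the cipher alone.
fits_budget() {
    want=$1; have=$2; factor=${3:-4}
    awk -v w="$want" -v h="$have" -v f="$factor" 'BEGIN { exit !(h >= w * f) }'
}

# Constructed sample of the openssl output format, so the script runs offline.
sample_speed_output() {
    cat <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc     102400.00k   204800.00k   409600.00k   614400.00k   655360.00k   655360.00k
aes-256-gcm      51200.00k   102400.00k   204800.00k   307200.00k   327680.00k   327680.00k
EOF
}

# Report for each cipher whether a given link rate (default 100 Mbit/s, the OP's
# requirement) fits. Pass --live to benchmark the local CPU instead of the sample.
report() {
    link=${1:-100}
    for c in aes-128-cbc aes-256-gcm; do
        if [ "${2:-}" = "--live" ] && command -v openssl >/dev/null 2>&1; then
            mbps=$(openssl speed -evp "$c" 2>/dev/null | speed_to_mbps "$c")
        else
            mbps=$(sample_speed_output | speed_to_mbps "$c")
        fi
        if fits_budget "$link" "$mbps"; then verdict=ok; else verdict=tight; fi
        echo "$c: ~$mbps Mbit/s raw on one core -> ${link} Mbit/s link: $verdict"
    done
}

report 100 "${1:-}"
```

Run it with --live on the candidate machine to replace the sample with real openssl speed numbers; the result is raw single-core cipher throughput, an upper bound, not a measured tunnel rate.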

                                    • jahonix

                                      @johnkeates:

                                      And replacing it every 3 years is rather soon for a home setup.

                                      I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.

                                      And if you read some background information about what Netgate is working on, you might want to replace your unit within this three-year time span anyway.

                                      • Guest

                                        @jahonix:

                                        @johnkeates:

                                        And replacing it every 3 years is rather soon for a home setup.

                                        I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.

                                        And if you read some background information about what Netgate is working on, you might want to replace your unit within this three-year time span anyway.

                                        Well, I don't replace my stuff that often; still running the Xeon E3 from 5 years ago just fine. And the topic starter might not want to do that either. Also, I'm not sure what Netgate is doing, and I'm not sure about TNSR and the other thing, not sure about DPDK and QAT coming, etc. I'm sure a lot of stuff is being worked on, but none of it seems to have hit any public repositories, and maybe it never will.

                                        • jahonix

                                          @johnkeates:

                                          still running the Xeon E3 from 5 years ago just fine.

                                          I'm not sure about power consumption of that CPU but usually the same compute power with a current CPU uses significantly less power. Sometimes the savings pay for the device within a year's usage.
                                          There might be quite different reasons to change gear more often than need be.

                                          (Having said that, I'm usually the one who sticks with gear longer than... sometimes even makes sense. But don't tell! ;) )

                                          • Guest

                                            @jahonix:

                                            @johnkeates:

                                            still running the Xeon E3 from 5 years ago just fine.

                                            I'm not sure about power consumption of that CPU but usually the same compute power with a current CPU uses significantly less power. Sometimes the savings pay for the device within a year's usage.
                                            There might be quite different reasons to change gear more often than need be.

                                            (Having said that, I'm usually the one who sticks with gear longer than... sometimes even makes sense. But don't tell! ;) )

                                            Yeah, I know all about that ;-) I do have a bit of an advantage in that it's virtualised with a bunch of other things; pfSense gets 4 cores, so it's not like a total waste on a 500/500 line, and there are about 4 OpenVPN client instances running at the same time.

                                            Most new basic setups I do with mobile i3 or i5 CPUs; not much of an ARM fleet yet, also because the price isn't quite there yet.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.