Newbie to pfSense and need advice



  • Here is my current setup and the issue I am currently having. I have a Netgear R7000 router flashed with DD-WRT on it and run PIA VPN. When I connect through the VPN on the router I see max speeds of 30Mbps, and when disconnected from the VPN I see speeds of 100Mbps+. After doing some reading online it seems as though my router is not powerful enough to process the VPN, hence the bottleneck in my speeds. I would like to ask some people on here for opinions, as I do not have much knowledge of VPNs and how taxing they are or aren't on the router side of things. My goal ultimately when I got the R7000 was to have ALL my devices (wired and wireless) connect directly through the VPN, thus eliminating individual VPN client-based apps on all the devices. If I could I would like to find a low-cost solution to my issue. If anyone has suggestions I am all ears. At this point I figure here are my options:

    1. Buy a pfsense preconfigured machine with built in Wi-Fi and ditch the R7000
    2. Buy a pfsense preconfigured machine and still use the R7000 as an AP for all wireless devices.
    3. Build or buy something and configure it myself.

    I would really like to keep the price down and if there is already a machine I can buy (older thin client) or something similar again I am all ears. Looking for ideas/feedback/suggestions to my problem.

    Thanks and I appreciate everyone's time if you are reading this.



  • If your other VPN endpoint is not commercial, be aware you may have to take care of that end too.  Yeah, combo boxes tend to have weak "just whet your appetite" performance.  pfSense will do it and u can always throw a better CPU at it.  Got an old PC box sitting around?  That would be the best thing to use to test, just to see exactly how much CPU u need.



  • @kendalja:

    2. Buy a pfsense preconfigured machine and still use the R7000 as an AP for all wireless devices.

    Do this or get a dedicated AP. Don't bother trying to make pfsense an AP.



  • @VAMike:

    @kendalja:

    2. Buy a pfsense preconfigured machine and still use the R7000 as an AP for all wireless devices.

    Do this or get a dedicated AP. Don't bother trying to make pfsense an AP.

    Can you recommend any good preconfigured devices?



  • @kendalja:

    Can you recommend any good preconfigured devices?

    Do you mean pfSense pre-configured or the AP?

    You get pfSense devices from netgate store or a local rep, check netgate.com where to buy.
    Access points usually come unconfigured and I don't know of a single deviation from this rule.



  • @jahonix:

    @kendalja:

    Can you recommend any good preconfigured devices?

    Do you mean pfSense pre-configured or the AP?

    You get pfSense devices from netgate store or a local rep, check netgate.com where to buy.
    Access points usually come unconfigured and I don't know of a single deviation from this rule.

    I already have a Netgear R7000 that I can use as a wireless AP. I was asking about a preconfigured box for my VPN. I need one that can handle at least 100Mbps. Thanks!


  • Banned

    @kendalja:

    I was asking about a preconfigured box for my VPN. I need one that can handle at least 100Mbps. Thanks!

    As has already been said, the only legal hardware with pfSense already installed comes from Netgate: https://www.pfsense.org/products/

    The configuration has to be done by yourself. If you are incapable or unwilling to learn how to do it you're simply in the wrong place here. Paid support might be willing to do it, but that's going to cost a lot of money.


  • LAYER 8 Global Moderator

    Pfsense out of the box is pretty clickity clickity to get up and running.. Adding a vpn connection to that is pretty much just loading the config from whatever vpn service you want to connect to.. Many of which will route all traffic out the vpn, etc.

    Where it becomes a bit more config is in the details of what else you might or might not want to do, exactly.  An SG-3100 should be more than powerful enough to handle a 100Mbps connection.



  • @johnpoz:

    Where it becomes a bit more config is in the details of what else you might or might not want to do, exactly.  An SG-3100 should be more than powerful enough to handle a 100Mbps connection.

    100Mbps openvpn?


  • LAYER 8 Global Moderator

    "100Mbps openvpn?"

    Well from Ivor on reddit

    https://www.reddit.com/r/PFSENSE/comments/71sgeh/a_few_more_sg3100_photos_performance_numbers_in/
    up to 95Mbps throughput with OpenVPN AES128-CBC SHA1

    So I would say that's pretty freaking close

    And where did OP state openvpn? 
    up to 300Mbps throughput with IPsec AES128-CBC SHA1



  • @johnpoz:

    "100Mbps openvpn?"

    Well from Ivor on reddit

    https://www.reddit.com/r/PFSENSE/comments/71sgeh/a_few_more_sg3100_photos_performance_numbers_in/
    up to 95Mbps throughput with OpenVPN AES128-CBC SHA1

    So I would say that's pretty freaking close

    Any real world numbers? I don't know what "up to" means.

    And where did OP state openvpn? 
    up to 300Mbps throughput with IPsec AES128-CBC SHA1

    It's pretty common for consumer vpn.


  • LAYER 8 Global Moderator

    I do not have a sg-3100 to play with, or I would be more than happy to do some actual testing..

    But there are many vpn services that provide ipsec.. For the consumer.. Do a simple google.. PPTP is also still common ;)  So if the user doesn't actually come out and state who they are using and what protocol, we're just guessing.

    I would think that enough sg-3100s are out in the wild now that some real world numbers with different vpn service providers and protocols are out there somewhere..  I am saying what I have seen..  I will keep an eye out for some more detailed reporting of vpn speeds.



  • @johnpoz:

    But there are many vpn services that provide ipsec.. For the consumer.. Do a simple google.. PPTP is also still common ;)  So if the user doesn't actually come out and state who they are using and what protocol, we're just guessing.

    I felt the same after seeing an unconditional recommendation that a particular product would meet the requirements. ;-)

    I would think that enough sg-3100s are out in the wild now that some real world numbers with different vpn service providers and protocols are out there somewhere..

    You'd think, yet I haven't seen any. Hence the question about whether there was any real third party experience behind the recommendation. Apparently not.



  • Don't get the sg-3100, it's right on the edge of what you need, if your needs change just slightly you'll be running into problems. Get a mobile i5 type of box, that's the power you need to get it running for today but the next 5 years as well.


  • Galactic Empire

    @VAMike:

    You'd think, yet I haven't seen any. Hence the question about whether there was any real third party experience behind the recommendation. Apparently not.

    Those numbers are valid and we stand behind them. I can confirm many 3100 owners were satisfied with those speeds (thousands of units sold).

    @johnkeates:

    Don't get the sg-3100, it's right on the edge of what you need, if your needs change just slightly you'll be running into problems. Get a mobile i5 type of box, that's the power you need to get it running for today but the next 5 years as well.

    100Mbps OpenVPN seems to be fine for OP's requirements, you won't get some huge OpenVPN speeds from that i5 anyway. 3100 can deliver up to 300Mbps with IPsec too. If that's not enough we have higher end appliances as well.

    Future-wise, all pfSense official appliances will have an opportunity to have a lot better OpenVPN performance. I can't comment right now about it, since new technologies are still in development.



  • @ivor:

    @VAMike:

    You'd think, yet I haven't seen any. Hence the question about whether there was any real third party experience behind the recommendation. Apparently not.

    Those numbers are valid and we stand behind them. I can confirm many 3100 owners were satisfied with those speeds (thousands of units sold).

    @johnkeates:

    Don't get the sg-3100, it's right on the edge of what you need, if your needs change just slightly you'll be running into problems. Get a mobile i5 type of box, that's the power you need to get it running for today but the next 5 years as well.

    100Mbps OpenVPN seems to be fine for OP's requirements, you won't get some huge OpenVPN speeds from that i5 anyway. 3100 can deliver up to 300Mbps with IPsec too. If that's not enough we have higher end appliances as well.

    Future-wise, all pfSense official appliances will have an opportunity to have a lot better OpenVPN performance. I can't comment right now about it, since new technologies are still in development.

    Well, most of those speeds are possible while also limited to AES-128 in CBC mode with SHA1. Doesn't mean it's bad, and in this case the threat model probably doesn't require better crypto or hashing. So while not a problem today, buying something that is 'good' right now doesn't mean it will be 'good' in 3 years. And replacing it every 3 years is rather soon for a home setup.

    I'd say, the SG-3100 would be a good choice if you're up to 60Mbit now, and want it to last and cover most changes for a period of 5 years.



  • @johnkeates:

    And replacing it every 3 years is rather soon for a home setup.

    I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.

    And if you read some background information about what netgate is working on you might want to replace your unit within this three year time span anyways.



  • @jahonix:

    @johnkeates:

    And replacing it every 3 years is rather soon for a home setup.

    I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.

    And if you read some background information about what netgate is working on you might want to replace your unit within this three year time span anyways.

    Well, I don't replace my stuff that often, still running the Xeon E3 from 5 years ago just fine. And the topic starter might not want to do that either. Also, I'm not sure what Netgate is doing, and I'm not sure about TNSR and the other thing, not sure about DPDK and QAT coming etc. I'm sure a lot of stuff is being worked on, but none of it seems to have hit any public repositories, and maybe it never will.



  • @johnkeates:

    still running the Xeon E3 from 5 years ago just fine.

    I'm not sure about power consumption of that CPU but usually the same compute power with a current CPU uses significantly less power. Sometimes the savings pay for the device within a year's usage.
    There might be quite different reasons to change gear more often than need be.

    (Having said that, I'm usually the one who sticks with gear longer than .. sometimes even makes sense. But don't tell!  ;)



  • @jahonix:

    @johnkeates:

    still running the Xeon E3 from 5 years ago just fine.

    I'm not sure about power consumption of that CPU but usually the same compute power with a current CPU uses significantly less power. Sometimes the savings pay for the device within a year's usage.
    There might be quite different reasons to change gear more often than need be.

    (Having said that, I'm usually the one who sticks with gear longer than .. sometimes even makes sense. But don't tell!  ;)

    Yeah, I know all about that ;-) I do have a bit of an advantage in that it's virtualised with a bunch of other things, pfSense gets 4 cores so it's not like a total waste on a 500/500 line, and there are about 4 OpenVPN client instances running at the same time.

    Most new basic setups I do with mobile i3 or i5 CPUs, not much of an ARM fleet yet. Also because the price isn't quite there yet.



  • Here is the current plan. Someone is donating an older PC to me. I'll get that and throw another network card in it and play around and see what speeds I can get. What NIC should I look out for? Assuming the box will only have one built onto the mobo.


  • Galactic Empire

    @jahonix:

    @johnkeates:

    And replacing it every 3 years is rather soon for a home setup.

    I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.

    And if you read some background information about what netgate is working on you might want to replace your unit within this three year time span anyways.

    What are you talking about?



  • @ivor:

    What are you talking about?

    You're asking this?  :o

    DPDK, VPP, … and what else you had in mind:
    @ivor:

    Future wise all pfSense official appliances will have an opportunity to have a lot better OpenVPN performance. I can't comment right now about it, since new technologies are still in development.


  • Galactic Empire

    Let's try again :)

    @jahonix:

    I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.

    And if you read some background information about what netgate is working on you might want to replace your unit within this three year time span anyways.

    What did you mean by this?



  • @ivor:

    Let's try again :)

    @jahonix:

    I change my car more often so why not change a security appliance when requirements bump up? A good working unit can still be sold then.

    And if you read some background information about what netgate is working on you might want to replace your unit within this three year time span anyways.

    What did you mean by this?

    He is aiming for: netgate is making new software, some of it might require new hardware.

