SG-5100 open vpn speeds

Larrikin

What is the maximum open vpn speeds should i expect from one point to point open vpn using an SG-5100 stock configuration?

viragomann

Take the SG-4860 for reference: https://www.netgate.com/docs/pfsense/book/hardware/hardware-sizing-guidance.html
It has a similar CPU, so I expect that the VPN throughput also will be similar.

Larrikin

Thanks for this.

I note this paragraph:

"Where high VPN throughput is a requirement for a firewall, hardware crypto acceleration is of utmost importance to ensure not only fast transmission speeds but also less CPU overhead. The reduction in CPU overhead means the VPN will not lower the performance of other services on the firewall. The current best available acceleration is available by using a CPU which includes AES-NI support combined with AES-GCM in IPsec."

Does the SG-5100 CPU support AES-NI and AES-GCM?

viragomann

The SG-5100 has an Atom C3558 CPU and that supports AES-NI. Use it with an up-to-date pfSense (at least 2.4) to get benefit of AES-GCM.

Larrikin

Thanks for that. I'm still not sure I really have an answer on what speeds to expect with Open VPN and AES-NI. There is nothing in the documentation that tells me what I should expect other than it will be faster than what is in the table.

I'd love to know the Mbps throughout of what I'd get.

Derelict

Depends on too many variables such as the link speeds at each end, latency between them, load at each end, etc.

Larrikin

One of the variables though is the capacity of the CPU and AES-NI enabled. What is the theoretical limit based on the CPU? I understand all the other network conditions can impact it - but that's not my question. What is the limitation of the CPU?

Derelict

The table you have is what is available.

Larrikin

@derelict The table doesn't answer the question with AES-NI enabled. So basically Netgate are selling a box that can't tell me what the CPU limitations are with a VPN with AES-NI enabled for OpenVPN?

Derelict

AES-NI is going to do very little for OpenVPN. OpenVPN spends most of its time context switching between user and kernel modes, not performing encryption.

Larrikin

Crickey - so there really isn't anything that does 100mbps or gigabit VPN other than building my own PC with a decent CPU?

Derelict

The SG-5100 has a decent CPU. It's a 2.2GHz Denverton. But, yeah, for OpenVPN, single-core performance is what you seek as the code stands right now. I would expect the SG-5100 to be able to do better than 100Mbps OpenVPN if there isn't anything else (latency, the VPN provider, etc) slowing it down. But as I said, there are lots of factors in play.

Rico

My XG-7100 does around 280 MBit/s AES-256-GCM per OpenVPN Instance/Core and got the same CPU then the SG-5100 as far as I know.
Just for your reference point.

-Rico

JeGr

For what it's worth and because this thread got pointed out to me multiple times now as "source", the SG-5100 (and another device with the same SOC, Atom C3558) has quite more punch as ~250-300Mbps.

Netgate itself states on its product page, that they measured it with current pfSense versions >2.4.4+ with AES-128-GCM setup (either OpenVPN[!] or IPSEC) at around 475Mbps with pf enabled.

As we currently have one device with similar hardware/SOC to spare and test with, we put it to test ourselves and got very very similar numbers with various settings of OpenVPN and IPSEC. Especially with GCM we got almost consistent values with IPerf checks at around 465-470Mbps, so if someone plans to bring it to bear with WAN uplinks at around 200-400Mbps you can go fully encrypted easily with IPSec or OpenVPN and using AES-256-GCM/SHA256 or AES-256-GCM/SHA384. Always depends on the payload and usage of course, but as an "educated guess", it will bring you almost up to 500Mbps with encryption. That's a great deal.

Larrikin

@jegr said in SG-5100 open vpn speeds:

Netgate itself states on its product page, that they measured it with current pfSense versions >2.4.4+ with AES-128-GCM setup (either OpenVPN[!] or IPSEC) at around 475Mbps with pf enabled.

What is "pf enabled"? Do you mean PD as in Power D, or something else?

JeGr

Nope, I was referring to the measurements from the Netgate Blog:
https://www.netgate.com/blog/sg-5100-desktop-available-for-pre-order.html
it was measured with pf (Package Filter - filtering) enabled and disabled.

We only took measures with pf enabled as we run the device as full firewall and not routing only. So just as a side note should if the question comes up if something was disabled that could have lessen the performance impact.

Derelict

No. Disabling pf means disabling all firewall functions:

pfctl -d Disables
pfctl -e Enables

Or this:

System > Advanced, Firewall & NAT

Larrikin

@jegr said in SG-5100 open vpn speeds:

Nope, I was referring to the measurements from the Netgate Blog:
https://www.netgate.com/blog/sg-5100-desktop-available-for-pre-order.html
it was measured with pf (Package Filter - filtering) enabled and disabled.

We only took measures with pf enabled as we run the device as full firewall and not routing only. So just as a side note should if the question comes up if something was disabled that could have lessen the performance impact.

OK got it. Quite a powerful box then. Just a shame its AUD$1400 in my country and makes it unviable to purchase :(