Netgate Discussion Forum

    SG-5100 open vpn speeds

    Official Netgate® Hardware
    • Larrikin

      One of the variables though is the capacity of the CPU and AES-NI enabled. What is the theoretical limit based on the CPU? I understand all the other network conditions can impact it - but that's not my question. What is the limitation of the CPU?

      • Derelict LAYER 8 Netgate

        The table you have is what is available.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Larrikin @Derelict

          @derelict The table doesn't answer the question with AES-NI enabled. So basically Netgate are selling a box that can't tell me what the CPU limitations are with a VPN with AES-NI enabled for OpenVPN?

          • Derelict LAYER 8 Netgate

            AES-NI is going to do very little for OpenVPN. OpenVPN spends most of its time context switching between user and kernel modes, not performing encryption.

            • Larrikin

              Crikey - so there really isn't anything that does 100mbps or gigabit VPN other than building my own PC with a decent CPU?

              • Derelict LAYER 8 Netgate

                The SG-5100 has a decent CPU. It's a 2.2GHz Denverton. But, yeah, for OpenVPN, single-core performance is what you seek as the code stands right now. I would expect the SG-5100 to be able to do better than 100Mbps OpenVPN if there isn't anything else (latency, the VPN provider, etc) slowing it down. But as I said, there are lots of factors in play.

                • Rico LAYER 8 Rebel Alliance

                  My XG-7100 does around 280 MBit/s AES-256-GCM per OpenVPN Instance/Core and has the same CPU as the SG-5100 as far as I know.
                  Just for your reference point.

                  -Rico

                  • JeGr LAYER 8 Moderator

                    For what it's worth, and because this thread got pointed out to me multiple times now as "source", the SG-5100 (and another device with the same SOC, Atom C3558) has quite a bit more punch than ~250-300Mbps.

                    Netgate itself states on its product page, that they measured it with current pfSense versions >2.4.4+ with AES-128-GCM setup (either OpenVPN[!] or IPSEC) at around 475Mbps with pf enabled.

                    As we currently have one device with similar hardware/SOC to spare and test with, we put it to the test ourselves and got very very similar numbers with various settings of OpenVPN and IPSEC. Especially with GCM we got almost consistent values with IPerf checks at around 465-470Mbps, so if someone plans to bring it to bear with WAN uplinks at around 200-400Mbps you can go fully encrypted easily with IPSec or OpenVPN and using AES-256-GCM/SHA256 or AES-256-GCM/SHA384. Always depends on the payload and usage of course, but as an "educated guess", it will bring you almost up to 500Mbps with encryption. That's a great deal.

                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                    • Larrikin

                      @jegr said in SG-5100 open vpn speeds:

                      Netgate itself states on its product page, that they measured it with current pfSense versions >2.4.4+ with AES-128-GCM setup (either OpenVPN[!] or IPSEC) at around 475Mbps with pf enabled.

                      What is "pf enabled"? Do you mean PD as in Power D, or something else?

                      • JeGr LAYER 8 Moderator

                        Nope, I was referring to the measurements from the Netgate Blog:
                        https://www.netgate.com/blog/sg-5100-desktop-available-for-pre-order.html
                        it was measured with pf (Package Filter - filtering) enabled and disabled.

                        We only took measurements with pf enabled as we run the device as a full firewall and not routing only. So just as a side note, should the question come up whether something was disabled that could have lessened the performance impact.

                        • Derelict LAYER 8 Netgate

                          No. Disabling pf means disabling all firewall functions:

                          pfctl -d    # Disables
                          pfctl -e    # Enables

                          Or this:

                          System > Advanced, Firewall & NAT


                          • Larrikin @JeGr

                            @jegr said in SG-5100 open vpn speeds:

                            Nope, I was referring to the measurements from the Netgate Blog:
                            https://www.netgate.com/blog/sg-5100-desktop-available-for-pre-order.html
                            it was measured with pf (Package Filter - filtering) enabled and disabled.

                            We only took measurements with pf enabled as we run the device as a full firewall and not routing only. So just as a side note, should the question come up whether something was disabled that could have lessened the performance impact.

                            OK got it. Quite a powerful box then. Just a shame it's AUD$1400 in my country and makes it unviable to purchase :(

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.