Intel I5-3470 8GB RAM
I am planning to implement an Intel I5-3470 system with 8GB RAM and an SSD disk for pfSense.
This router must have one SFP+ NIC with Intel X520-DA1-82599ES Chip for LAN and one Gigabit PCIE I350-T4 - Intel I350 Chip, Quad RJ45 Ports, 1Gbit for four WANs at 1Gbit/s rate.
Most traffic on the four WANs is encrypted via OpenVPN or IPSec. And this traffic includes daily data backups of 50GB.
Is this equipment adequate to obtain very good performance in OpenVPN or IPSec over the WANs?
What would the approximate throughput be?
Sorry for my poor English.
So 4x 1Gbps WAN connections? And 1x 10Gbps LAN?
Throughput across a VPN will depend significantly on latency and what protocol you're using.
I would say in the 300-400Mbps range per tunnel for OpenVPN. More for IPSec potentially. Hard to say more accurately.
Is this replacing something? What performance do you see there?
Thanks for your reply!
Yes, 1x10Gbps LAN and 4x1Gbps WAN (Internet, Radio PtP Links, Fiber copper).
No, this is a new project. No previous experience with pfSense but a lot with FreeBSD ten years ago...
Here are some performance tests for reference:
APU2 (AMD GX412TC Soc, 4cpu, AES-NI yes) from Teklager (SW)
Single 1Gbps LAN to LAN ==>> 937Mbit/s
Single 1Gbps LAN to LAN OpenVPN Performance ==>> 100Mbit/s
Single 1Gbps LAN to LAN WireGuard Performance ==>> 650Mbit/s
This CPU (AMD GX412TC) has an approximate benchmark index of 1497 at http://www.cpubenchmark.net/
The I5-3470 has a 6716 index.
And the Intel Xeon E31230 V2 @ 3.30GHz has an 8853 benchmark index (this CPU is used by a colleague at this forum and he says "all ports simultaneously, VLAN-to-VLAN 1G throughput is a non-issue with a few rules in place...100+Mb of OpenVPN throughput (WAN links are 100Mb)")
See post https://forum.netgate.com/topic/94041/share-your-pfsense-stories/13
I think that with this data the I5-3470 must perform 1Gbit/s for all 1Gbit/s ports simultaneously (total 4Gbits/s from LAN to WAN) and -more difficult- 250Mbit/s OpenVPN on all 1Gbits/s ports simultaneously (total 1Gbit/s encrypted from LAN to WAN).
Any ideas or considerations about this?
Best regards to all,
You should have no problem passing 1Gbps unencrypted across at least 3 of those links. Probably close to all 4 given latency and packet size limitations.
The encrypted throughput for OpenVPN is single threaded so you want the best single core performance for that. It's approximately 4 times the rating of the gx-412hc but it doesn't scale linearly due to the context switching overhead so 300-400Mbps seems about right.
IPSec, especially with asynchronous crypto enabled, can be much faster. I've seen the C3558 we use get close to 1Gbps in local tests. It will be less over a real distance.
Thanks for your help and opinions.
I'm going to evaluate the possibility of an I7 processor with a higher clock speed or a Ryzen 5 2600 to obtain six cores for processing the VPNs (four cores for the VPNs and two cores for general processing).
Indeed, as you say, you get better performance with IPSec and that will be my first option for VPN.
When I have the system running I will publish real performance tests here.
If someone has some idea or suggestion, I would like to have your opinion and experience.
Greetings to all,
I may be wrong but I remember a big and well-written article from Netgate's own Jim Thompson about AMD's Ryzen architecture not being very well suited/optimal for network-style throughput e.g. PPS/packets per second as to the CPU core and L1-3 cache implementations. Not bad or worse than or anything but other than Intel or ARM and essentially leaving it less ns per cycle for package processing. Can't find it ATM by a simple search but I think it was a big response on reddit or an article as blog. Was a very interesting read though, so would be great if anyone could find it again. Perhaps @stephenw10 or anyone at Netgate can help out :)
Thank you very much JeGr for your very interesting contribution. I will avoid AMD Ryzen ...
Thank you all
That is more relevant to TNSR though.
Thank you very much for the information.
It is of a high technical level and must be studied with time and attention.
Anyway, I think TNSR is too much for my needs. I could study it as learning but not for production at this time. But first implement pfSense and then we will see about making improvements.
Thanks again for your interest !!!
That is more relevant to TNSR though.
Thanks! I searched for that quite a bit but didn't find it again. Although yes it speaks of TNSR, the raw ns calculations stand (with first gen Ryzens at least) and the higher the bandwidth (talking about 10gbps) the more latency comes into play. It's quite highly technical but it has its reason, that Intel dedicated chipset series like the Atom C2xx8/3xx8 for network usage as for Ryzens more a general purpose desktop system. For speeds up to 1gbps ranges that might not come into play but if we talk bigger bandwidths I'd definitely keep that in mind.