Netgate Discussion Forum

    Another "What CPU for Gigabit" thread (with details)

      JimPhreak

      Currently I have a c2758 on both ends of an IKEv2 IPSec Site-to-Site tunnel. I can get a max of 600-650Mbps over my 1Gbps line using the following settings, which in my testing have yielded me the best speeds:

      I currently have no IPS/DPI enabled. I'd like to be able to get as close as possible to maxing out my IPSec VPN connection, and I'd like to be able to enable Suricata.

      Can anyone who is doing 1Gbps IPSec with Suricata tell me what CPU you are using or recommend me an upgrade?

        stephenw10 Netgate Administrator

        How are you testing the speed? What is the latency across the tunnel?

        Do you have asynchronous cryptography enabled?

        Steve

          hescominsoon

          A C-series is not going to cut it. You are going to need a Core i3 or higher at at least 3GHz or faster. VPN is not multi-threaded IIRC, so you need the fastest single-threaded performance you can get.

            stephenw10 Netgate Administrator

            If you have asynchronous cryptography enabled in the IPSec advanced settings, it is able to use the CPU cores far more effectively. I've seen the SG-5100 push close to 1Gbps in local testing using that with its C3558. However, on some systems it kills throughput completely, so it's not something you want to enable without careful testing.

            Steve

              JimPhreak @stephenw10

              @stephenw10 said in Another "What CPU for Gigabit" thread (with details):

              How are you testing the speed? What is the latency across the tunnel?

              Do you have asynchronous cryptography enabled?

              Steve

              Now that I think of it, it's probably the file transfer protocols I'm using (samba/rsync) that are causing the slowdowns. iperf shows full line speed (940Mbps+). Latency is 4ms across the tunnel. I am using async crypto.

                stephenw10 Netgate Administrator

                Ah, well hard to argue with that! 😉

                Steve

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.