Netgate Discussion Forum

ARM Cortex vs Intel?

  • V
    valnar
    last edited by May 27, 2020, 2:10 PM

    I've been using pfSense for 10 years and only on Intel boxes - mostly on the ALIX/APU2 series from PC Engines. I know within that timeframe, ARM processor support is relatively new. For the first time I'm considering "upgrading" to one of the smaller official Netgate boxes.

    Is there anything I would be missing by moving from Intel --> ARM? Maybe not necessarily pfSense specific, but within FreeBSD? I see if you look at the official pfSense hardware they relegate ARM-based boards to the lower tier, and keep Intel for the higher end (I realize that is for speed, what's available within both chip makers, etc).

    So what I'm basically asking is, is there anything I would give up, either in capability, reliability or maturity, by moving to an ARM Cortex based box?

    • B
      bigsy
      last edited by May 28, 2020, 8:00 AM

      Crypto hardware support.

      It never appeared for the SG-1000.
      Appears to be "in development" for the SG-1100 but currently AES-128-CBC only.
      Available on the SG-3100 which, AFAIK, supports AES-256-CBC but not AES-GCM.

      • S
        stephenw10 Netgate Administrator
        last edited by May 29, 2020, 12:00 AM

        Yup, work continues on the safexcel driver for the SG-1100 and others. It should support more than just aes-128-cbc, hopefully including aes-gcm, which would give a good improvement in IPsec.

        There are some packages that are not available on ARM currently, mostly because they have dependencies on other languages like Rust or Go, which gives problems cross-compiling. Notably Telegraf right now.

        Steve

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Jun 3, 2020, 7:45 PM

          If you are coming from ALIX there is nothing to lose whatsoever.

          Coming from APU it may depend on the age/specs of the APU if the bits mentioned by @stephenw10 are relevant or not, but your only real concern is performance.

          • B
            bcruze @bigsy
            last edited by Jun 5, 2020, 3:38 PM

            @bigsy said in ARM Cortex vs Intel?:

            Crypto hardware support.

            It never appeared for the SG-1000.
            Appears to be "in development" for the SG-1100 but currently AES-128-CBC only.
            Available on the SG-3100 which, AFAIK, supports AES-256-CBC but not AES-GCM.

            So I have the 3100 and my OpenVPN tunnels list:

            Jun 5 07:20:47 openvpn 50515 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

            What am I missing?

            • B
              bigsy @bcruze
              last edited by bigsy Jun 6, 2020, 10:19 AM Jun 6, 2020, 5:57 AM

              @bcruze Crypto algorithms not supported by the hardware crypto (Marvell CESA in the case of the SG-3100) will not be offloaded but will still be performed on the CPU. Whether you're "missing" anything or not will depend on your individual setup, connection speed, etc. This Netgate document helps explain. It refers to now-obsolete equipment but it's the same principles.

              • S
                stephenw10 Netgate Administrator
                last edited by Jun 6, 2020, 2:21 PM

                Indeed, CESA does not support AES-GCM. If you want your OpenVPN tunnels to use it you must choose AES-CBC and select the BSD crypto hardware in the config.
                https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_4_5/sys/dev/cesa/cesa.c#L1224

                Steve
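
Added example, not code from any poster or from Netgate: a log check that keeps OpenVPN's control-channel (TLS) cipher apart from its data-channel cipher and tests only the latter against the offload support described in this thread. The `THREAD_OFFLOAD` table, the function names, the OpenVPN 2.4 data-channel line format and the data-channel sample lines are assumptions made for the illustration.

```python
import re

# Hardware offload per model as stated by posters in this thread (mid-2020),
# not vendor documentation. Value is a regex over OpenVPN data-channel cipher
# names; None means no hardware crypto. "AES-<n>-CBC" for the SG-3100 assumes
# any key size, following the "choose AES-CBC" advice above.
THREAD_OFFLOAD = {
    "SG-1000": None,
    "SG-1100": r"AES-128-CBC",
    "SG-3100": r"AES-\d+-CBC",
}

CONTROL_RE = re.compile(r"openvpn (\d+) Control Channel: \S+, cipher \S+ ([A-Z0-9-]+)")
DATA_RE = re.compile(r"openvpn (\d+) (?:Outgoing|Incoming) Data Channel: Cipher '([^']+)'")

def channel_ciphers(lines):
    """Group ciphers by openvpn PID, keeping control and data channels apart."""
    procs = {}
    for line in lines:
        for regex, key in ((CONTROL_RE, "control"), (DATA_RE, "data")):
            m = regex.search(line)
            if m:
                proc = procs.setdefault(m.group(1), {"control": set(), "data": set()})
                proc[key].add(m.group(2))
    return procs

def offload_report(lines, model):
    """Map (pid, data cipher) -> 'hardware-eligible' or 'cpu' for one model.

    Only data-channel lines count. Eligibility also depends on the BSD crypto
    hardware option being selected in the tunnel config, which these log
    lines do not show.
    """
    pattern = THREAD_OFFLOAD[model]
    report = {}
    for pid, proc in channel_ciphers(lines).items():
        for cipher in proc["data"]:
            hw = pattern is not None and re.fullmatch(pattern, cipher)
            report[(pid, cipher)] = "hardware-eligible" if hw else "cpu"
    return report

SAMPLE = [
    # Quoted in the thread: a control-channel (TLS) line.
    "Jun 5 07:20:47 openvpn 50515 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA",
    # Constructed data-channel lines in OpenVPN 2.4 format (PIDs made up).
    "Jun 5 07:20:48 openvpn 40001 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key",
    "Jun 5 07:20:48 openvpn 40001 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key",
    "Jun 5 07:21:02 openvpn 40002 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key",
]
```

A process that has logged only a control-channel line yields no report entry, because the TLS suite name says nothing about the cipher protecting tunnel traffic.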

                • B
                  bcruze @stephenw10
                  last edited by Jun 6, 2020, 2:27 PM

                  @stephenw10 said in ARM Cortex vs Intel?:

                  Indeed, CESA does not support AES-GCM. If you want your OpenVPN tunnels to use it you must choose AES-CBC and select the BSD crypto hardware in the config.
                  https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_4_5/sys/dev/cesa/cesa.c#L1224

                  Steve

                  Nice!

                  That is exactly what I am doing.

                  • V
                    valnar
                    last edited by Jun 6, 2020, 4:03 PM

                    I'm going back to the drawing board. I think at this point I should stick with something Intel based. Thanks for all the replies.
