Hardware Opinion? 1U Rackmount
-
I'm looking at 2 pfSense firewalls with an IPsec Site-to-Site VPN, and also Mobile users (probably using OpenVPN).
I have had VPN performance issues with some small units before, specifically when multiple OpenVPN users connect in at the same time - so I'm wondering which of the following processors would be best suited to allow up to 6 users to connect on the Site-to-Site and up to a maximum of 5 users to connect on the OpenVPN:
- Intel Core i5-2430M - similar to https://tinyurl.com/yc4w57hr
- Intel Celeron J4125 - similar to https://tinyurl.com/y98965w5
The J4125 is newer (2019) than the 2430M (2011), and has more cores.
Both support AES-NI.
Both types of units that I have available to me have 4GB RAM, 32GB SSD, and 4 x 1GB cards.
I guess at this stage my question would be, which would be the preferred device, and are they sufficient to support this level of activity over the VPN?
I’m thinking that the J4125 would be the better option, but would like to get advice on this before landing in client site with new devices for them.
Cheers
-
The number of users is not usually significant; it's the total bandwidth over the VPN that counts. What do you expect that to be? What is the WAN bandwidth there?
OpenVPN is single threaded and whilst the single core performance of that i5 is slightly greater than the Celeron it's hard to recommend deploying anything >10 years old today.
Steve
-
@stephenw10 thanks for this
The WAN connection on both sides is 500MB - with 2 users using an old IPsec VPN, to the original location, they are using about 50MB of the bandwidth.
The original firewall that was in one of the premises was a SOHO 250 which had a Marvell CN7020 800MHz processor ... running SonicOS, so I'm hoping that a J4125 running pfSense would be a much better performer on the VPN side of things
-
Is that 500Mbps up and down at both ends?
It will do much better than 50Mbps. Depending on latency it could fill that WAN.
Steve
-
@stephenw10 yep, 500Mbps down - 50Mbps up - latency circa. 12ms according to fast.com ...
I'm more worried about the Site-to-Site VPN performance on this ....
-
Ah, if it's 50Mbps up at both ends then that is the limiting value, you can never pass more than 50Mbps between the sites. Neither of those CPUs would have any trouble passing 50Mbps across any VPN type.
Steve
-
@stephenw10 cheers for this
Quick clarification:
If the speeds were to go to 1Gb down 500Mbps up, would these processors still be OK?
Is the dependent factor (beyond the limitations of bandwidth) the processor supporting AES-NI, as I took on a client that has a pfSense box with an Intel Atom D525, and while I could connect on the VPN, and re-configure firewall, RDP, etc. the performance of other applications was really poor ...
Would there be any performance hit running an OpenVPN user connection, as well as an OpenVPN site-to-site? Or would an IPsec VPN be better for the site-to-site?
-
Either will pass 500Mbps no problem but probably not over OpenVPN. IPSec will be faster for a site-to-site tunnel but might not reach 500Mbps. There are a lot of variables.
OpenVPN is single threaded but each instance is a different thread so if you had both a remote access server and a site-to-site OpenVPN tunnel they would use different CPU cores.
Steve
-
@stephenw10 thanks again ...
Performance will be my biggest concern, but once it is within bandwidth there shouldn't be a problem
Thanks