Should I Enable QAT on Netgate 1541?
-
Been digging on this for a bit now but can't seem to find a solid answer. I know the 1541 supports the add-in card to do high speed QAT, but I can't figure out if it's natively supported at all. Out of the box, settings are just set to "AES-NI and BSD Crypto Device (aesni, cryptodev)".
Really just trying to figure out the best option to use here as we have a lot of established IPSec VPNs and the faster the better (some are transferring 100+GB per day).
I did some digging but Intel's ARK doesn't show the D-1541 supporting QAT but doesn't list it as not supported either, so can't really tell for sure.
I guess this brings up a few questions:
- What crypto setting should I really be using on most pfSense boxes?
- Does the drop down list crypto settings in Systems > Advanced > Misc that are NOT supported on the given hardware? If so, what happens when you select the wrong one?
- Is there any reason changing the crypto accel settings would cause an issue with a high availability environment that already has many established VPNs?
-
@planedrop You need a CPIC card for Quick-Assist on the 1541.
In my personal experience, if Intel ARK doesn't list something as supported, it is not supported.
If you select something that is not supported somehow it should be harmless.
-
@derelict OK good to know, yeah I assumed that about ARK but then I also found this which lists Xeon D-1500 series processors have QAT built in?
https://www.intel.in/content/dam/www/public/us/en/documents/product-briefs/xeon-processor-d-brief.pdf
So wasn't entirely sure what to believe.
Thanks for all the info here!
One last question, IF QAT is supported, it should in general be used instead of AES-NI, right? Most of what I am seeing online seems to indicate that. I also saw some rumors/hints at WireGuard being QAT accelerated, not sure if that's actually hit pfSense yet or not though.
-
@derelict Also, one additional question then, are the IPsec benchmarks on the 1541 page actually with the QAT card? The specs say "w/QAT" but those performance numbers seem pretty low if the actual QAT add-in card is being used. Maybe someone copy-pasted the spec sheet from something with QAT and only updated the numbers?
-
@derelict Just pinging about the above 2 questions once more, I'm sure you are busy so no biggy, just trying to get this all clear in my head.
-
Yes, QAT gives superior throughput in pretty much every situation.
Yes those figures for the 1541 are with the CPIC card installed in order to use QAT.
Steve
-
@stephenw10 OK awesome, thanks a ton for the info here.
Any idea what the AES-NI throughput for IPSec would look like without the CPIC? Gigabit+?
Just curious here since there may be some interest from our org on obtaining the CPIC cards for our units if it'll help speed things up much (2 gigabit WAN link).
-
There are many variables but QAT gives of the order of 30% improvement in throughput in IMIX tests so Gigabit+ is possible. However, many tunnels are limited by the available bandwidth between the sites outside the tunnel before that. You should test that first to be sure. Just because each site has a 2Gbps WAN does not mean that you can actually see 2Gbps between them.
Steve
-
@stephenw10 Perfect, thanks for all the info, helps a ton.
We aren't really having issues with performance per se, just was seeing if I could find anything that would speed it up, but sounds like a CPIC card probably wouldn't make a huge difference since we aren't even close to saturating the full 2 gigabits in the first place.
Thanks again!