With all the changes in 2.0: what's the highest performance routable tunnel?



  • Two questions:

    1. What's the highest performance tunnel between two sites that's transparent to all network traffic and fully routable?

    2. What's the highest performance tunnel between two sites that's transparent to all network traffic and fully routable AND capable of encryption?

    I guess the routable part excludes plain IPSec.

    There must be a half dozen ways of creating a network tunnel by now, but frankly I'm perplexed how to choose one over the other…

    Note: both sides of the tunnel will have a pfSense box, so as long as they are compatible with each other (which they should be), vendor compatibility shouldn't be an issue. Only difference: one of the boxes might end up running the nanoBSD version.

    If there is anything I overlooked in the questions above, e.g. a certain type of tunnel might be more performant, but is more likely to be spoofed or attacked in some way, then that would of course also be a consideration.
    Privacy is not a major concern, interference robustness however is something to consider, because with all the debate about net neutrality I have no intention of having my traffic "managed" by intermediate ISPs.



  • openvpn seems to be the preferred/recommended choice around here these days.

    In terms of encrypted throughput, you'll probably want to look at hardware crypto acceleration. soekris sells the hifn hardware, but I'm curious what support for the newer Intel CPU crypto hardware exists in pfsense.



  • OpenVPN requires encryption, correct? Or is there the possibility of using a "NULL" encryption algorithm, or a simple XOR with a shared secret?

    I'm not concerned with encryption, since all I'm doing is bypassing an ISP who's unwilling to provide routing to my class-C network, so the entry point has to be with a colocation provider who is willing to do so.
    All (in the worst case) I need to do is prevent the ISP from interfering with the process.

    The HiFn card is not an option. I use one of these neat boxes http://www.lannerinc.com/PV/FW-7535 and so unless they come out with a card that is in miniPCIe format, it's out of the question.
    But since I'll have 20mbit/s max. and have a dual-core 1.6GHz D510 64-bit Atom CPU, I hope that should be sufficient.



  • Yes, you should be able to disable encryption in openvpn tunnels.


  • Rebel Alliance Developer Netgate

    2.0 does support the null cipher for OpenVPN so that might be possible for your use.

    That said, if you don't want encryption, on 2.0 you can also use another tunnel type such as GIF or GRE that may have even less overhead than OpenVPN.



  • @jimp:

    2.0 does support the null cipher for OpenVPN so that might be possible for your use.

    That said, if you don't want encryption, on 2.0 you can also use another tunnel type such as GIF or GRE that may have even less overhead than OpenVPN.

    Thanks.

    Now what's the practical difference between GIF and GRE tunnels? Or, for that matter, is there any readable source that answers that type of networking question? All I can find are network programming books, or RFCs, but no decent overview that compares different approaches, capabilities, overhead, pros and cons, etc.

    The world really could use a book that looks at all these things and compares them in a systematic way, because there's sure a ton of different ways to achieve the same thing, but very little in terms of things that help decide what to use for a given scenario, because abstractly speaking, they all seem to do more or less the same thing.
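An added illustration of the GIF-versus-GRE question above (example code written for this thread, not from pfSense or any poster): it parses the two encapsulations as they appear on the wire, so you can see that a gif tunnel between IPv4 endpoints adds only a 20-byte outer IPv4 header, while gre adds a 4-byte GRE header plus optional checksum/key/sequence fields, and what that costs in usable inner MTU. It assumes IPv4 inside and outside, an outer path MTU of 1500, and uses constructed sample packets; OpenVPN's UDP-plus-framing overhead is not modelled.

```python
import struct

IPPROTO_IPIP = 4   # IPv4-in-IPv4, what gif(4) carries between IPv4 endpoints (RFC 2003)
IPPROTO_GRE = 47   # GRE encapsulation used by gre(4) (RFC 2784; key/seq extensions in RFC 2890)
PATH_MTU = 1500    # assumed outer-path MTU, used only to derive the usable inner MTU

def parse_ipv4(buf):
    """Return (header_len, protocol, src, dst) from an IPv4 header (checksum not verified)."""
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return (vihl & 0x0F) * 4, proto, ".".join(map(str, src)), ".".join(map(str, dst))

def classify_tunnel(pkt):
    """Identify a gif or gre outer packet and report its per-packet encapsulation overhead."""
    ihl, proto, osrc, odst = parse_ipv4(pkt)
    if proto == IPPROTO_IPIP:
        kind, enc = "gif", ihl                     # gif: only the outer IPv4 header is added
    elif proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if ptype != 0x0800:
            raise ValueError("GRE payload is not IPv4")
        grelen = 4                                 # mandatory GRE header
        grelen += 4 if flags & 0x8000 else 0       # C bit: checksum + reserved1
        grelen += 4 if flags & 0x2000 else 0       # K bit: key
        grelen += 4 if flags & 0x1000 else 0       # S bit: sequence number
        kind, enc = "gre", ihl + grelen
    else:
        raise ValueError("protocol %d is not gif/gre" % proto)
    _, iproto, isrc, idst = parse_ipv4(pkt[enc:])
    return {"tunnel": kind, "overhead": enc, "inner_mtu": PATH_MTU - enc,
            "outer": (osrc, odst), "inner": (isrc, idst), "inner_proto": iproto}

def ipv4_header(proto, src, dst, payload_len):
    """Build a minimal IPv4 header for the constructed sample packets (checksum left zero)."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0x4000, 64, proto, 0,
                       to_bytes(src), to_bytes(dst))

# Constructed samples: one inner TCP packet between the two sites (payload stubbed to zeros),
# wrapped once by gif and once by gre with the Key bit set, between public tunnel endpoints.
INNER = ipv4_header(6, "192.0.2.10", "198.51.100.20", 8) + b"\x00" * 8
GIF_PKT = ipv4_header(IPPROTO_IPIP, "203.0.113.1", "203.0.113.2", len(INNER)) + INNER
GRE_HDR = struct.pack("!HHI", 0x2000, 0x0800, 42)   # flags=K, protocol=IPv4, key=42
GRE_PKT = ipv4_header(IPPROTO_GRE, "203.0.113.1", "203.0.113.2", len(GRE_HDR) + len(INNER)) + GRE_HDR + INNER

if __name__ == "__main__":
    for p in (GIF_PKT, GRE_PKT):
        print(classify_tunnel(p))   # gif: overhead 20 / inner MTU 1480; gre+key: 28 / 1472
```

The same classifier run over packets from a capture of the tunnel endpoints tells you which encapsulation is actually in use and whether inner packets near 1500 bytes will be fragmented.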

