Build (or buy) VPN 100Mbps appliance?

Reply to Build (or buy) VPN 100Mbps appliance? on Fri, 08 Apr 2011 14:53:37 GMT

jasonlitka — Fri, 08 Apr 2011 14:53:37 GMT

No, it isn't supported. Support is included in FreeBSD 8.2, so it might make it into pfSense 2.1.

Reply to Build (or buy) VPN 100Mbps appliance? on Fri, 08 Apr 2011 14:19:44 GMT

ciccio — Fri, 08 Apr 2011 14:19:44 GMT

Unless you have a reason to filter your LAN traffic, if you want to do 1Gbit/s LAN-LAN then buy a switch, don't use multiple NICs in your firewall. As to the 100Mbit/s VPN requirement, the Atom alone won't do it, though a high-end C2D can (something like a E8400 would be adequate). I'm not sure about the D525 Atom+hifn, though my suspicion would be that it will fall short, probably in the 80Mbit/s area.

EDIT: AES-NI support in FreeBSD 8.2 is going to make all these threads go away. A chip like the Xeon W3680 in my desktop is capable of doing about 80Gbit/s of AES256 with AES-NI. A newer "low-end" $200 chip like the i5-2300 can still do around half that.

Thanks,

AES-NI seems a good solution, perhaps better than crypt card.

Good CPU seems i5-2390T, low power (35W and perharps fanless) and good performance for $210 (but this CPU isn't avalaible at this moment).

Sorry for my ignorance but AES-NI is supported with pfsense?

Thanks

Reply to Build (or buy) VPN 100Mbps appliance? on Thu, 07 Apr 2011 20:20:43 GMT

jasonlitka — Thu, 07 Apr 2011 20:20:43 GMT

Unless you have a reason to filter your LAN traffic, if you want to do 1Gbit/s LAN-LAN then buy a switch, don't use multiple NICs in your firewall. As to the 100Mbit/s VPN requirement, the Atom alone won't do it, though a high-end C2D can (something like a E8400 would be adequate). I'm not sure about the D525 Atom+hifn, though my suspicion would be that it will fall short, probably in the 80Mbit/s area.

EDIT: AES-NI support in FreeBSD 8.2 is going to make all these threads go away. A chip like the Xeon W3680 in my desktop is capable of doing about 80Gbit/s of AES256 with AES-NI. A newer "low-end" $200 chip like the i5-2300 can still do around half that.

Reply to Build (or buy) VPN 100Mbps appliance? on Thu, 07 Apr 2011 19:13:19 GMT

ciccio — Thu, 07 Apr 2011 19:13:19 GMT

Thanks for your suggestions.

My actual router (Asus RT-N16) it's fast but not so fast to get 1Gbps total throughput (including LAN to LAN) nor 100Mbps vpn.

If I understand it's possible to reach 100Mbps vpn only adding crypto card (for example soekris vpn1401/vpn1411) but with Atom 525 it's adequate? (Hacom Mars openbricks-m with Atom D525 1,8GHZ with soekris vpn card it's $620).

TIA

Reply to Build (or buy) VPN 100Mbps appliance? on Thu, 07 Apr 2011 15:04:16 GMT

dreamslacker — Thu, 07 Apr 2011 15:04:16 GMT

On your budget, it's probably more feasible if you build it yourself with one caveat - No Wifi-N on pfSense.
On the latter, you can re-use the RT-N16 as an overpowered access point (disable DHCP, hook up LAN port to pfSense LAN).

1Gb/s of throughput is quite a lot with NAT turned on. The Mars openbrick won't cut it. Period. And that's assuming 1Gb/s total throughput (i.e. inclusive of LAN to LAN routing both directions). When you throw 100Mb/s of VPN in, just forget it. The D525 simply won't make it.

Considering that the Hacom Jupiter with C2D @ 2GHz only pushes about 70+Mb/s of VPN without the accelerator card…

You're probably looking at 2.4GHz and faster Core 2 Duo as a minimum or add a VPN accelerator if you want to push that kind of throughput together with VPN at 100Mb/s (worst case scenario).

Reply to Build (or buy) VPN 100Mbps appliance? on Thu, 07 Apr 2011 14:57:59 GMT

jasonlitka — Thu, 07 Apr 2011 14:57:59 GMT

You won't get 1Gbit/s firewall throughput or 100Mbit/s of VPN out of that Atom D525. I'm not sure that this is possible for $500.

Do you really need that level of performance? I find it hard to believe that your current Asus router could come anywhere near those numbers.