Build (or buy) VPN 100Mbps appliance?



  • Hi,

    I recently found pfSense and I would like to replace my current router (Asus RT-N16) with a pfSense router/firewall. I have the following needs:

    1. 4 gigabit ports (or more), 1 WAN and 3 LAN
    2. 100Mbps VPN (with OpenVPN or L2TP/IPsec)
    3. 50 users
    4. 1Gbit/s total throughput
    5. 2 USB ports
    6. wireless b/g/n
    7. Under $500/$600

    The most restrictive is VPN throughput (my current router gives me near 10Mbps with OpenVPN); my question is:

    Is it better to buy an OEM appliance or build it myself?

    In the first scenario I found very few routers (under $600), for example the Hacom Mars Openbricks-M; in the second scenario I have found only a few articles about VPN throughput (theoretical) but no real experience about CPU, RAM, NIC card, crypto card needs and so on.

    Do you have some advice about the first and second scenarios (obviously for the cheapest solution)?

    Thanks in advance

    Alex



  • You won't get 1Gbit/s firewall throughput or 100Mbit/s of VPN out of that Atom D525.  I'm not sure that this is possible for $500.

    Do you really need that level of performance?  I find it hard to believe that your current Asus router could come anywhere near those numbers.



  • On your budget, it's probably more feasible if you build it yourself with one caveat - No Wifi-N on pfSense.  
    On the latter, you can re-use the RT-N16 as an overpowered access point (disable DHCP, hook up LAN port to pfSense LAN).

    1Gb/s of throughput is quite a lot with NAT turned on.  The Mars openbrick won't cut it.  Period.  And that's assuming 1Gb/s total throughput (i.e. inclusive of LAN to LAN routing both directions).  When you throw 100Mb/s of VPN in, just forget it.  The D525 simply won't make it.

    Considering that the Hacom Jupiter with C2D @ 2GHz only pushes about 70+Mb/s of VPN without the accelerator card…

    You're probably looking at 2.4GHz and faster Core 2 Duo as a minimum or add a VPN accelerator if you want to push that kind of throughput together with VPN at 100Mb/s (worst case scenario).



  • Thanks for your suggestions.

    My current router (Asus RT-N16) is fast, but not fast enough to get 1Gbps total throughput (including LAN to LAN) or 100Mbps VPN.

    If I understand correctly, it's possible to reach 100Mbps VPN only by adding a crypto card (for example Soekris vpn1401/vpn1411), but is the Atom 525 adequate? (The Hacom Mars Openbricks-M with Atom D525 1.8GHz and a Soekris VPN card is $620.)

    TIA



  • Unless you have a reason to filter your LAN traffic, if you want to do 1Gbit/s LAN-LAN then buy a switch, don't use multiple NICs in your firewall.  As to the 100Mbit/s VPN requirement, the Atom alone won't do it, though a high-end C2D can (something like a E8400 would be adequate).  I'm not sure about the D525 Atom+hifn, though my suspicion would be that it will fall short, probably in the 80Mbit/s area.

    EDIT: AES-NI support in FreeBSD 8.2 is going to make all these threads go away.  A chip like the Xeon W3680 in my desktop is capable of doing about 80Gbit/s of AES256 with AES-NI.  A newer "low-end" $200 chip like the i5-2300 can still do around half that.



  • @jasonlitka:

    Unless you have a reason to filter your LAN traffic, if you want to do 1Gbit/s LAN-LAN then buy a switch, don't use multiple NICs in your firewall.  As to the 100Mbit/s VPN requirement, the Atom alone won't do it, though a high-end C2D can (something like a E8400 would be adequate).  I'm not sure about the D525 Atom+hifn, though my suspicion would be that it will fall short, probably in the 80Mbit/s area.

    EDIT: AES-NI support in FreeBSD 8.2 is going to make all these threads go away.  A chip like the Xeon W3680 in my desktop is capable of doing about 80Gbit/s of AES256 with AES-NI.  A newer "low-end" $200 chip like the i5-2300 can still do around half that.

    Thanks,

    AES-NI seems a good solution, perhaps better than a crypto card.

    A good CPU seems to be the i5-2390T: low power (35W and perhaps fanless) and good performance for $210 (but this CPU isn't available at this moment).

    Sorry for my ignorance, but is AES-NI supported with pfSense?

    Thanks



  • No, it isn't supported.  Support is included in FreeBSD 8.2, so it might make it into pfSense 2.1.
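    A sizing check you can run on a candidate box, added here as an example and not something any poster in this thread provided: it tests whether the CPU exposes AES-NI and compares OpenSSL's raw AES-256 throughput with the instruction masked off (the software-only case the Atom and Core 2 Duo posts are about) against the 100 Mbit/s VPN target. The `noaesni` and `--run` arguments, `meets_target` and its margin factor are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from this thread: check a box for AES-NI and compare raw
# AES-256 throughput with and without it against a VPN target in Mbit/s.
# Assumes an `openssl` with the `speed` subcommand. OPENSSL_ia32cap is OpenSSL's
# documented CPU-feature mask; bit 57 (0x200000000000000) is AES-NI.
# Does the CPU advertise AES-NI? Linux: "aes" flag in /proc/cpuinfo;
# FreeBSD: "AESNI" in the boot messages.
has_aesni() {
  [ -r /proc/cpuinfo ] && grep -qw aes /proc/cpuinfo && return 0
  [ -r /var/run/dmesg.boot ] && grep -q AESNI /var/run/dmesg.boot
}

# Turn one `openssl speed -evp` summary line into whole Mbit/s using the last
# (largest block) column. OpenSSL reports thousands of bytes/s, so
# k * 1000 bytes/s * 8 bits / 1e6 = Mbit/s. Constructed sample line:
#   aes-256-cbc   123456.78k   234567.89k   ...   987654.32k
speed_line_to_mbps() {
  printf '%s\n' "$1" |
    awk '{ v = $NF; sub(/k$/, "", v); printf "%d\n", v * 1000 * 8 / 1000000 }'
}

# Measure AES-256-CBC on this machine; pass "noaesni" to mask the instruction
# and see what the same CPU manages in plain software ("~0" masks nothing).
measure_aes_mbps() {
  mask="~0"
  if [ "${1:-}" = noaesni ]; then mask="~0x200000000000000"; fi
  line=$(OPENSSL_ia32cap="$mask" openssl speed -evp aes-256-cbc 2>/dev/null |
         grep '^aes-256-cbc' | tail -n 1)
  speed_line_to_mbps "$line"
}

# Raw cipher speed is not VPN speed: OpenVPN adds HMAC, tun/tap copies and
# per-packet work in one userspace thread. The margin factor (default 10) is an
# assumption chosen for this example, not a measured ratio.
meets_target() {
  measured=$1; required=$2; margin=${3:-10}
  [ "$measured" -ge $((required * margin)) ]
}

main() {
  if has_aesni; then echo "AES-NI: present"; else echo "AES-NI: absent"; fi
  with=$(measure_aes_mbps); without=$(measure_aes_mbps noaesni)
  echo "AES-256-CBC: ${with} Mbit/s with AES-NI, ${without} Mbit/s masked"
  if meets_target "$without" 100; then
    echo "software AES has headroom for a 100 Mbit/s VPN on this CPU"
  else
    echo "software AES is marginal for 100 Mbit/s; AES-NI or an accelerator helps"
  fi
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh aes_check.sh --run`; each `openssl speed` pass takes several seconds per block size, so expect the two measurements to take a little while.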

