VPN Acceleration

  • Hi!

    I am running pfSense 2.0.1 x64.  I currently have one 100 Mbps tunnel running between floors in a building to encrypt the traffic.  I'm using Blowfish 256-bit.  When doing a speedtest using an NDT server running locally, I average about 70 meg down and 30 meg up.  There's also barely any processor load on either server, but one server is running on VirtualBox.  It seems like when downloading large files, the longer it goes on, the slower it gets.

    I'm thinking about adding an encryption card to the boxes, but don't know if this will solve the problem since there's no processor load.  Should a dedicated P4 3.2 GHz box be able to adequately handle a 100 Mbps single tunnel?  I'm also thinking about moving the other pfSense instance from a VM to a dedicated machine.

    The other question I had is that many of the new chips support AES-NI.  Does pfSense currently support this?  Are there plans?

    Overall, the performance is good but not great.  I also don't have to be super secure, and was wondering if lowering the encryption bits from 256 to 128 would help.  I know encryption slows it down, but it would be great to get the best performance with what I have.


  • Rebel Alliance Developer Netgate

    Just committed support for AES-NI to 2.1 this week.

    Not sure why the performance is low there (MTU/MSS maybe?) but if the CPU load is low, accelerator chips won't help since that doesn't seem to be your bottleneck.

    Tweaking the cipher would only help if your CPU was maxed out on one end during the testing.

  • That's good news about AES-NI being built into 2.1.  When you say committed, do you mean it's already in the repo, or do you mean you committed to doing it?  :D  Do you also know when the ISO will be built against the latest source?

    I'm interested in upgrading to 2.1 since this really isn't a production net and 2.1 also has support built in for virtio.  So, this might be more of a reason to upgrade.

    I ran a few speed tests comparing AH and ESP.  Surprisingly, the numbers were about the same.  I'm thinking the bottleneck might be on the company's network between floors.  Their switches don't even do auto duplex correctly yet!

    Thanks for the info!

  • Rebel Alliance Developer Netgate
