Netgate Discussion Forum

    VPN Client

    General pfSense Questions
      jimmybob

      Hey :)

      I want to build a router/firewall to replace the current commercial router I have because it does not support VPN very well.
      I currently have an Asus N16 router with DD-WRT. I can use OpenVPN and PPTP, but the speeds are VERY slow indeed.
      After looking around at various commercial router options I have discovered that the only real way to get what I need is a
      software router/firewall, which I'm hoping will offer a good alternative to a commercial router and full VPN client support.

      WHAT I WANT TO ACHIEVE:

      • Basic router/firewall set up just like any ready avail router for the home user

      • Full VPN client support with OpenVPN, PPTP, L2TP options if possible or at least one of them that I can set up at the router end using a 3rd party VPN service like IPVanish and have ALL PCs and devices connected to the router go through the VPN.

      I have been told on another forum that software routers/firewalls don't cut the mustard when it comes to comparing them to commercial hardware routers like the Asus N16 for example.

      I would be using something like an Atom and a Mini ITX board that would have 2 x onboard 1GB LAN, and I can optionally add on a further 4 1GB LAN ports to the motherboard as a daughter card.

      I know when it comes to bandwidth throughput that I need to consider the CPU. I would typically be passing 100mb of bandwidth across the whole network at any one time. But when taking into consideration the extra resource that a VPN connection will add, I guess extra overhead is the way to go.
      So I'm not even sure that an Atom processor will do it.

      I plan to link up my current Asus N16 router to the PC router for wireless capabilities for mobile devices etc.

      So, what I'd love to hear are people's recommendations.

      The main focus here is the VPN part.
      I'm not sure exactly when it comes to the router what the differences are between VPN server and VPN client.
      I know in the DD-WRT it's referred to as Client. And for PPTP for example I just pop in the VPN server address, username and password and change a few other settings and that's pretty much it.

      The router connects to the VPN server and allows me to send all the traffic through it.
      But I was only seeing a maximum of 1mb running the VPN at the router. Whereas on a VPN client on my PC… it would be around 10mb (I have 100mb broadband)

      thanks

        chpalmer

        Hi Jimmybob:

        First off to refute anything you heard about "software" firewalls-  http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives

        I have a company with a couple of remote locations. I have the primary data-center here attached to my residence. (great commercial ISP here)

        I have the remote locations including a couple of my customers VPN'd back here via OpenVPN. All using pfSense.  Company locations can see here as well as each other. I can see customers' locations but they cannot see me.

        So very doable!  I'd suggest using OpenVPN myself as that and several solutions are natively supported.

        Start out by reading the forums including the VPN section below and ask away.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          jimmybob

          hi,

          thanks for your reply.

          I'd like to start with hardware specs. Is here a good place to ask?
          Like what kind of CPU power is advised to never hit bottlenecks of the set up caused by lack of CPU power
          on an average home PC setup.

            jasonlitka

            @jimmybob:

            hi,

            thanks for your reply.

            I'd like to start with hardware specs. Is here a good place to ask?
            Like what kind of CPU power is advised to never hit bottlenecks of the set up caused by lack of CPU power
            on an average home PC setup.

            How much bandwidth do you have and what do you want to do other than VPN?

            I can break anything.

              jimmybob

              @Jason:

              @jimmybob:

              hi,

              thanks for your reply.

              I'd like to start with hardware specs. Is here a good place to ask?
              Like what kind of CPU power is advised to never hit bottlenecks of the set up caused by lack of CPU power
              on an average home PC setup.

              How much bandwidth do you have and what do you want to do other than VPN?

              Internet: 100mb (soon to be 120mb)
              Network: 100mb

              All I want to be able to do is set up static IPs using NIC MAC addresses.
              Use general port forwarding.

              I think that is about it other than the important VPN.
              I will be hooking up my existing router to the PC firewall/router.

              Am I correct in thinking that if I run one cable feed from the PC firewall/router to a switch, the DHCP will allocate IPs
              to all connected devices?

                stephenw10 Netgate Administrator

                @jimmybob:

                Am I correct in thinking that if I run one cable feed from the PC firewall/router to a switch, the DHCP will allocate IPs
                to all connected devices?

                Yes.

                Do you need to get 100/120Mbps of VPN traffic?

                Steve

                  jimmybob

                  @stephenw10:

                  @jimmybob:

                  Am I correct in thinking that if I run one cable feed from the PC firewall/router to a switch, the DHCP will allocate IPs
                  to all connected devices?

                  Yes.

                  Do you need to get 100/120Mbps of VPN traffic?

                  Steve

                  Hi,

                  Yes, in fact the better buffer overhead the better so that I never experience any throttling would be cool.

                    stephenw10 Netgate Administrator

                    Ok, well that rules out any Atom based board at least without an encryption accelerator card. That would max out at ~60Mbps in OpenVPN.

                    Steve

                      jimmybob

                      @stephenw10:

                      Ok, well that rules out any Atom based board at least without an encryption accelerator card. That would max out at ~60Mbps in OpenVPN.

                      Steve

                      I see.
                      So this is not going to be as easy as I thought.

                      How do they achieve it on this…..?
                      http://www.sabaitechnology.com/VPN-Accelerator-for-fast-VPN-routing-p/acc1st.htm

                        stephenw10 Netgate Administrator

                        I can't see what bandwidth they are claiming for that box. The video shows 38Mbps, well within the capabilities of an Atom.
                        There are a number of things that could be in their favour. They aren't doing any routing or firewalling with that, it's purely a VPN box. There are a number of cheap VPN encryption chips they could be using which are only supported via Linux binaries, no support in FreeBSD.

                        Steve

                        Edit: Typo

                          jimmybob

                          @stephenw10:

                          I can't see what bandwidth they are claiming for that box. The video shows 38Mbps, well within the capabilities of an Atom.
                          There are a number of things that could be in their favour. They aren't doing any routing or firewalling with that, it's purely a VPN box. There are a number of cheap VPN encryption chips they could be using which are only supported via Linux binaries, no support in FreeBSD.

                          Steve

                          So does anyone have any idea what kind of approach I should take to resolving this issue?

                          What kind of hardware specs I'm looking at?

                            chpalmer

                            Truthfully I'm hoping as the week starts some with more experience in this arena will see this and also respond.

                            But- http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

                            Looks like the Core i7 970 has been discontinued. I'm not sure about the others out there..      spendy!   :o

                              tim.mcmanus

                              Don't know if this will help, but I built my pfSense box with:

                              Motherboard - Intel BOXDQ77MK LGA 1155
                              http://www.newegg.com/Product/Product.aspx?Item=N82E16813121623

                              Processor - Intel Core i3-2100 Sandy Bridge 3.1GHz LGA 1155 65W
                              http://www.newegg.com/Product/Product.aspx?Item=N82E16819115078

                              I have a persistent IPSec tunnel up and occasionally have OpenVPN connections come up.  There are 4 NICs on the box with two WANs (60/8 each) and two LANs (both switched Gbit).  4GB of RAM.  CPU never goes over 20%.

                              I went with the LGA 1155 motherboard in the event I need to scale.  I can pop out the CPU and replace it with something more powerful (I have an Intel Core i7-2600K Sandy Bridge 3.4GHz on my shelf, new in the box "just in case").  The Q77 chipset has some nice features if you decided to go with an Ivy Bridge CPU.

                              For what my pfSense installation does it's probably overkill, but it came in handy the other day when I launched a vulnerability test from behind it.  The state table size peaked out around 280K states.  It was fun to watch!

                                stephenw10 Netgate Administrator

                                If you are looking at building a new box it's hard to recommend anything other than a low-end Sandy Bridge/Ivy Bridge based board. As Tim suggests above, using a socket 1155 board gives you lots of upgrade options. This board:
                                http://www.newegg.com/Product/Product.aspx?Item=N82E16813121622
                                Is slightly more but gives you a smaller footprint and DC power for greater efficiency.
                                Even a low-end Celeron will firewall/NAT at Gigabit wire speed so should be good for 120Mb of OpenVPN (I have no test results to confirm this). http://www.newegg.com/Product/Product.aspx?Item=N82E16819116889
                                If you want less building then maybe something like the Shuttle DS61: http://forum.pfsense.org/index.php/topic,56950.0.html

                                To be honest you could probably get 120Mb VPN with a far less powerful system but it's probably easier and cheaper to go with something such as the systems above.

                                Steve
