VPN throughput on VIA C7 1200 MHz. Is an upgrade to 1500 MHz worth it?
-
I've been using pfSense for some months on my own homemade router. Inside is a VIA C7 Eden at 1200 MHz (fanless), a 4 GB CF card and 1 GB RAM.
When I use a paid VPN provider with my pfSense router as the client, I get approx. 35 Mbit/s throughput with AES-256bit or CBC-128 bit connections. My CPU usage at that moment is not more than 50% (the process is open_vpn).
What is now throttling the throughput? My PC is able to download at approx. 44 Mbit. So would an upgrade to a 1500 MHz CPU be able to reach the 44 Mbit? It seems not to be a CPU issue. Thx
-
If you're not seeing more than 50% cpu then upgrading the cpu will not help. How are you measuring that? Try using 'top -SH' at the command line to see everything.
This could be a restriction at the provider end, many cheaper VPN options are not fast.
Steve
-
Yeah agree with above.
I know someone who has a 100meg line and with a 3ghz Quad Xeon CPU with AES instructions supported @ 27% cpu load hits 70-80meg, he loses a good 20 meg just due to the VPN itself.
If you're getting 35meg out of a 44meg max connection while under the VPN that is pretty good performance.
As for the cpu load @ 50%, only a cpu with AES instructions would drop it down to 20-30% roughly use when maxed out.
-
In fact the VIA C7 performs far better than its clock frequency and age would suggest because it has an on-board encryption engine (that supports AES), VIA Padlock.
http://en.wikipedia.org/wiki/AES_instruction_set#Supporting_CPUs_2
Steve
-
Thanks for the answers. The provider I can exclude.
My PC -> 48 Mbit
My PC with OpenVPN installed -> 44 Mbit (lose 4 Mbit)
My PC -> Pfsense VIA C7 1200 MHz router with built-in hardware encryption -> 35 Mbit max. / CPU Load 50% max.
I measured the load only with the "top" command but I will try "top -SH" today. Anyway, you're right. Increasing the CPU would not help; it seems that only a hardware VPN accelerator could gain more throughput.
From Hacom.net (1 GHZ VIA C7)
High network throughput:
85 Mbps raw/cleartext (600 Mbps with Gigabit Ethernet option)
34 Mbps Blowfish IPSec VPN
55 Mbps AES-256 IPSec VPN (77 Mbps with Soekris VPN1411)
15 Mbps 3DES IPSec VPN (77 Mbps with Soekris VPN1411)
Edit: I found a shop close to my home that is selling Soekris VPN adapters.
soekris vpn 1401 (76€)
soekris vpn 1411 (69€)
My issue now (but that's another story) is that those adapters need a PCI port, but this one is used now for the "fpsense-nano-bsd-image" on a CF card.
I have to check if the CF card and Soekris adapter would cause an issue while both are connected on one PCI adapter. I'm using a mini-ITX mainboard with the M-350 mini-ITX enclosure.
Edit: That's my mainboard
-
I'm not sure I understand. Is your CF card in a separate PCI card (with on board IDE)?
Usually the CF card would be in a CF-IDE adapter completely separate from the PCI slot.
Make sure you are using the padlock engine correctly. Look for it being detected as <crypto> in dmesg. Make sure you have selected it as the hardware crypto device in the OpenVPN cryptographic settings.
There are a number of other threads here detailing openvpn setups on VIA cpus, probably worth reading through them to find some numbers.
Steve
-
Does almost sound like a bit of a bottleneck somewhere, could be your setup. Have you got a chance to try a pfSense installation on a fast flash drive or HDD?
Still sounds strange you would hit 44meg with OpenVPN software and then only 35 using the pfSense OpenVPN software…
Possibly configuration settings within pfSense; I have yet to go there myself, am still getting the hardware right.
Also, is it possible for you to test it on another PC for a test run and see if you hit 44meg? It could give you a better idea or clue as to what is sucking up that bandwidth. Also, hopefully the next pfSense build will be much improved with better performance!
-
I'm not sure I understand. Is your CF card in a separate PCI card (with on board IDE)?
Usually the CF card would be in a CF-IDE adapter completely separate from the PCI slot.
Make sure you are using the padlock engine correctly. Look for it being detected as <crypto> in dmesg. Make sure you have selected it as the hardware crypto device in the OpenVPN cryptographic settings.
There are a number of other threads here detailing openvpn setups on VIA cpus, probably worth reading through them to find some numbers.
Steve
I'm using an extension cable with an adapter for the CF card. The cable is connected to the IDE port. There is now one empty IDE connector on the cable where I would attach the VPN adapter as well (if I decide to buy it).
Sorry, I forgot to copy the log files, now I'm at work. In the OpenVPN config padlock is activated and in dmesg I can see the encryptions as well. During start-up of OpenVPN the engine padlock is loaded.
What I noticed is less throughput when monitoring the CPU load with the top command. "top -sh" is terrible :( (throughput drops to 25-30 Mbps). But closing PuTTY now gives me a throughput of ~38 Mbps, which is enough for this small hardware build.
Does almost sound like a bit of a bottleneck somewhere, could be your setup. Have you got a chance to try a pfSense installation on a fast flash drive or HDD?
Still sounds strange you would hit 44meg with OpenVPN software and then only 35 using the pfSense OpenVPN software…
Possibly configuration settings within pfSense; I have yet to go there myself, am still getting the hardware right.
Also, is it possible for you to test it on another PC for a test run and see if you hit 44meg? It could give you a better idea or clue as to what is sucking up that bandwidth. Also, hopefully the next pfSense build will be much improved with better performance!
The only external HDD I have is a 2 TB. But I found a Jetway NC-73 mainboard with dual LAN as well, which is mandatory for me, for less than 100€. I will try this one instead of buying the VPN accelerator.
-
There is now one empty ide connector on the cable where I would attach the VPN adapter as well (If I would decide to buy it).
The VPN accelerator is not an IDE device it's a PCI device (or mini-PCI).
If running top is slowing your box considerably I would say you are at the limits of the hardware. What % was the idle process showing at that point? I would expect it was 0.
If you're running Nano the speed of the drive should not be causing a problem.
Steve
-
Yes, it's the IDE port… :o My fault.
The top -sh process rose up to 20% and openvpn to 60% max. Nothing else was visible with more than 0,x %.
Nevertheless, I'm honestly thinking about switching to a newer Intel or AMD CPU. In case of using an Intel CPU with AES-NI, I have read that the module should be unloaded.
http://forum.pfsense.org/index.php/topic,69079.msg378029.html?PHPSESSID=ee935d285a7f4859dd5a6cb36d5b42ce#msg378029
In the next months I will get a new 100 Mbit connection and then my actual hardware will not meet the expectations.
-
So did the speed go up to 44meg?
Since your VIA kit already has AES support you may want to hold off on better hardware, you may hit 100meg bb speeds with it or close.
Finding the right kit I found a challenge only since most low end intel cpus and even the latest ones do not support AES, some of the newer haswell intel core i3 range have it but not the sandy or ivys, seems a mixed bag. Core i5/7+ have it even the old ones.
All AMD cpus always have it they don't cripple their cpus with features.
The new baytrail or atom 2 desktops and cpus are coming out in the next month or 2 however I checked some of them and while they are meant to have AES support a quick check on intel cpu database and cpu world database revealed no AES support on most of them only the business edition/server baytrail systems seemed to have AES, maybe worth waiting till they are out and fully reviewed.
-
[2.1-RELEASE][admin@pfsense.localdomain]/root(28): /usr/bin/openssl engine -t -c
(cryptodev) BSD cryptodev engine
[RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
[ available ]
(padlock) VIA PadLock (no-RNG, ACE)
[AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, AES-256-ECB, AES-256-CBC, AES-256-CFB, AES-256-OFB]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
[2.1-RELEASE][admin@pfsense.localdomain]/root(29):
Deactivating padlock or cryptodev in the OpenVPN config raises my speed to a constant 42 Mbit with my 1.2 GHz VIA C7 CPU. That's really enough. Activating padlock or cryptodev, so I have read here in the forum, routes the traffic through one of these engines as well. But for me it was useless… omg :(
As you said, I was looking yesterday for an Intel Core i3-4130T with AES-NI. But now I have found the root cause of the massive speed drop. If I change my ISP by the middle of next year and get the 100 Mbps connection, I will consider buying new equipment.
I ordered a miniITX Celeron 1037U mainboard 2 days ago but I will send it back.
-
Well that is great news to hear you're hitting your fuller speeds :)
It's easy to get the upgrade itch but just like many folk around here I have seen they get very high end or mid range PCs worth $300-400, some even get Xeon servers worth that much with AES just to get the fuller speeds, but since speaking to the guys on this forum, they know their stuff much better than me btw, and even they said even a 2ghz cpu is enough and should hit 100meg+ VPN speeds.
I think you should at least give it a test when you get your 100meg connection, your 1.2ghz kit with its encryption support is currently the sweet spot.
I have a 1.5ghz quadcore AMD A4-5000 cpu which has full AES support and max 15watts, my full broadband speed is hitting 5% cpu usage while it's only 10meg, I assume I too should hit 100meg…. AES should hopefully counter the cpu overhead and hopefully by then pfSense + OpenVPN from a release or 2 down the road should use multi core support, so in theory 200meg and beyond perhaps with very little cpu usage!
-
Hello Fevan
I switched to the new miniITX board, a GA-C1037UN from Gigabyte with a dual core Celeron, and I'm very surprised about the speed and CPU usage.
Full load with 46-47 Mbit/sec (my ISP connection is 50 Mbit) with BC-CBC 128bit and only 23% CPU usage max., and the board doesn't need more than 18 Watt. Although this board has no AES support it's performing very well. I was waiting 2 days until opening the box :) I was considering sending the package back.
OpenSSL speed output with a Celeron 1037 and 4 GB-DDR3 RAM on 4 GB Compact flash Card using a nano 1 GB BSD pfsense image
OpenSSL 0.9.8y 5 Feb 2013
built on: date not available
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type               16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2                1241.57k     2552.09k     3472.24k     3818.55k     3931.13k
mdc2               5346.57k     5945.15k     6129.67k     6172.98k     6183.11k
md4               19196.19k    67705.08k   192389.60k   356384.95k   474610.29k
md5               15945.12k    53220.77k   138644.88k   231744.27k   288054.50k
hmac(md5)         14870.23k    50112.77k   133322.27k   227841.23k   287173.17k
sha1              13830.15k    40594.85k    88396.69k   125721.51k   143524.52k
rmd160            12413.46k    34547.47k    71410.74k    97639.00k   109350.36k
rc4              202493.90k   260635.34k   281057.26k   286650.32k   288200.93k
des cbc           39580.38k    40175.55k    40285.53k    40345.08k    40373.25k
des ede3          14582.03k    14654.89k    14671.10k    14683.93k    14687.32k
idea cbc              0.00         0.00         0.00         0.00         0.00
seed cbc              0.00         0.00         0.00         0.00         0.00
rc2 cbc           25060.83k    25652.16k    25898.75k    25977.97k    26010.01k
rc5-32/12 cbc    149821.90k   159312.46k   161424.27k   162496.46k   162752.66k
blowfish cbc      63492.72k    65346.24k    65712.62k    65893.69k    65964.04k
cast cbc          57077.81k    58958.91k    59433.33k    59549.42k    59604.14k
aes-128 cbc       58083.47k    61622.53k    62368.54k    62753.44k    62801.41k
aes-192 cbc       50243.05k    53332.33k    53843.72k    54121.31k    54174.94k
aes-256 cbc       44877.39k    46854.56k    47324.47k    47553.83k    47591.69k
camellia-128 cbc  48180.17k    50060.06k    50540.53k    50593.58k    50673.91k
camellia-192 cbc  37211.27k    38231.78k    38512.42k    38565.91k    38611.84k
camellia-256 cbc  37196.30k    38267.35k    38498.71k    38589.80k    38630.21k
sha256            10559.61k    25759.62k    47170.62k    59592.90k    64581.36k
sha512             3977.06k    15926.76k    24211.83k    33853.36k    38368.47k
aes-128 ige       60019.16k    63932.09k    64938.94k    65320.54k    65388.44k
aes-192 ige       52073.85k    54983.36k    55743.33k    56059.38k    56100.04k
aes-256 ige       46046.86k    48259.69k    48851.10k    49093.04k    49114.49k
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000583s 0.000057s   1716.1  17557.2
rsa 1024 bits 0.002683s 0.000130s    372.8   7704.4
rsa 2048 bits 0.013994s 0.000385s     71.5   2599.3
rsa 4096 bits 0.085500s 0.001272s     11.7    786.2
                  sign    verify    sign/s verify/s
dsa  512 bits 0.000449s 0.000506s   2227.8   1976.0
dsa 1024 bits 0.001139s 0.001352s    877.8    739.9
dsa 2048 bits 0.003478s 0.004212s    287.5    237.4
[2.1-RELEASE][root@pfsense.localdomain]/root(3):
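Added example, not part of the original post: a parser for the `openssl speed` table above that turns the cipher and digest rows into an approximate single-core crypto ceiling in Mbit/s, to compare against the 46-47 Mbit/s measured through the tunnel. The rows are copied from the post; using the plain `sha1` row as a stand-in for OpenVPN's default HMAC-SHA1, the 1024-byte column as the packet size, and the function names are assumptions of this example.

```python
import re

# Rows copied from the `openssl speed` output in the post above
# (Celeron 1037U, OpenSSL 0.9.8y). Values are 1000s of bytes per second.
SPEED_OUTPUT = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1             13830.15k    40594.85k    88396.69k   125721.51k   143524.52k
idea cbc             0.00         0.00         0.00         0.00         0.00
blowfish cbc     63492.72k    65346.24k    65712.62k    65893.69k    65964.04k
aes-128 cbc      58083.47k    61622.53k    62368.54k    62753.44k    62801.41k
aes-256 cbc      44877.39k    46854.56k    47324.47k    47553.83k    47591.69k
rsa 2048 bits 0.013994s 0.000385s     71.5   2599.3
"""

BLOCK_SIZES = (16, 64, 256, 1024, 8192)
# Algorithm name, then exactly five throughput columns.
ROW = re.compile(r"^(.+?)\s+((?:\d+\.\d+k?\s*){5})$")


def parse_speed(text):
    """Return {algorithm: {block_size: bytes_per_second}} for cipher/digest rows."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, banner and rsa/dsa rows have a different shape
        rates = [float(v.rstrip("k")) * 1000 for v in m.group(2).split()]
        if any(rates):  # all-zero rows (idea, seed) mean "not compiled in"
            table[m.group(1)] = dict(zip(BLOCK_SIZES, rates))
    return table


def tunnel_ceiling_mbit(table, cipher, digest="sha1", block=1024):
    """Single-core crypto ceiling in Mbit/s when each packet is encrypted
    and then authenticated.

    Per-byte costs add, so the combined rate is c*h/(c+h). Kernel, tun
    device and NIC overhead are ignored, so real throughput is lower.
    """
    c, h = table[cipher][block], table[digest][block]
    return c * h / (c + h) * 8 / 1e6


def headroom(table, cipher, observed_mbit, **kw):
    """How many times the crypto ceiling exceeds the measured tunnel rate."""
    return tunnel_ceiling_mbit(table, cipher, **kw) / observed_mbit


if __name__ == "__main__":
    t = parse_speed(SPEED_OUTPUT)
    for cipher in ("blowfish cbc", "aes-128 cbc", "aes-256 cbc"):
        print(f"{cipher:13s} {tunnel_ceiling_mbit(t, cipher):6.1f} Mbit/s ceiling, "
              f"{headroom(t, cipher, 47):.1f}x the 47 Mbit/s measured")
```

A ceiling several times higher than the measured rate points at the line speed rather than the cipher as the limit, which matches the 50 Mbit ISP connection mentioned in the post.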
-
Very impressive and at least you're set for 100meg and greater speeds now :)
-
Hardware AES decryption is nice to have but modern CPUs are so fast that it's probably not necessary. As we've seen here it may even be slower than using software if it's not implemented properly/completely.
Steve
-
You know you're wrong here, … right? :)
The AES-NI support in 8.3 (pfSense 2.1) doesn't support a mode that can be effectively pipelined.
This is changing. I fully expect AES-NI in pfSense 2.2 to blow the doors off any software-only implementation you can find on x86/amd64 hardware.
We're talking 750-850Mbps throughput in IPSEC tunnel mode, maybe more. AES-NI is, in theory, good for 2Gbps per core.
(And inexpensive multi-core hardware that supports AES-NI is coming.)
And Intel's QuickAssist engine will run at 50Gbps (throughput) if you have the right hardware installed. No, I did not stutter. 8)
-
@gonzopancho:
You know you're wrong here, … right? :)
Me?
I think (I hope) I was pretty much in agreement with what you said. Perhaps I was unclear.
With most home internet connections still <100Mbps it's unnecessary to have AES hardware support since many current entry level CPUs can sustain that encrypted throughput in software.
How's that? ;)
Of course if you're discussing a much larger pipe then sure the advantages become much more apparent.
Steve
-
This is very good to hear. I am actually looking at purchasing the same motherboard and was wondering about pfSense compatibility and VPN performance. I currently have a 100Mbps connection so it looks as though this will work well.