Will net4801+Hifn7955 do the job?

  • Hi all!

    I know there is no "true" answer to a question like this.
    I just want a hint about what kind of workload a net4801+Hifn7955+pfSense can handle.

    These are my basic conditions:

    • A 10 Mbit/s symmetric Internet connection.
    • 5 "permanent" IPsec tunnels, mostly Terminal Service traffic, 0.5 Mbit/s in the other ends.
    • 6 "occasional" PPTP connections, mostly Terminal Service traffic.
    • ~30 LAN users, mostly Internet browsing.
    • Exchange server (400 emails per day)
    • Web server (400 unique visitors, 200 Mb per day)

    Today we are using a Watchguard Firebox II.
    Is Soekris 4801 a realistic substitute? (I cannot find the hardware spec for FBII)


  • The question is how fast you need the IPSEC to be. Besides the IPSEC throughput, there is no problem at all for a Soekris 4801 handling that load. I don't have an IPSEC hardware encryption card, but I would assume that you should get near the 10 Mbit/s encryption throughput with it, depending on the codec that is used (I have read something like that on the m0n0 list but don't know how comparable that is if it is used with pfSense). The card, however, won't help you with PPTP traffic. If somebody has such a card I would like to see some benchmark results with and without the card.

  • Thanks for the answer.
    Is throughput noticeably affected with e.g. 1 x 10 Mbit/s IPsec compared to 5 x 2 Mbit/s?


    > If somebody has such a card I would like to see some benchmark results with and without the card.

    I have access to a net4801 with Hifn7955 and would gladly do some benchmarking if you give me some instructions on how to do it.

  • The raw throughput inside the tunnels will be a bit less due to the overhead that is generated by the IPSEC encapsulation, but I would guess that besides that there should be no big difference.

    If you want to bench the device, make sure you have a device at the other end that can do more IPSEC throughput than the Soekris; if not, you are benching the opposite end rather than the Soekris. Build an IPSEC tunnel between the two devices and send traffic through between two clients at each end. You can use a tool like netio for that ( http://www.ars.de/ars/ars.nsf/docs/netio ).

  • I'll do the test next week if I can get my hands on a device with higher throughput than the soekris.
    Thanks for the help.
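
The encapsulation overhead mentioned in the thread depends on packet size and cipher, so it helps to estimate it before reading benchmark numbers. The sketch below is an added example, not from any poster: it assumes ESP tunnel mode over IPv4, a CBC cipher with a 96-bit HMAC tag and no NAT-T, and the function names and the 1400/64-byte packet sizes are constructed for illustration.

```python
"""Estimate ESP tunnel-mode overhead per packet (added example, assumptions in comments)."""

OUTER_IP = 20     # outer IPv4 header without options
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte
ICV = 12          # truncated HMAC-SHA1-96 / HMAC-MD5-96 tag (assumed auth algorithm)

# Assumed cipher choices: name -> (block size, IV size) in bytes, CBC mode.
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def esp_packet_size(inner_len, cipher):
    """Size on the wire of one inner IP packet after ESP tunnel encapsulation."""
    block, iv = CIPHERS[cipher]
    # Payload plus trailer is padded up to a multiple of the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HEADER + iv + padded + ICV


def goodput_mbit(link_mbit, inner_len, cipher):
    """Inner-packet throughput when the encrypted stream fills link_mbit."""
    return link_mbit * inner_len / esp_packet_size(inner_len, cipher)


def max_inner_len(mtu, cipher):
    """Largest inner packet that fits in one outer packet without fragmenting."""
    block, iv = CIPHERS[cipher]
    room = mtu - OUTER_IP - ESP_HEADER - iv - ICV
    return (room // block) * block - ESP_TRAILER


if __name__ == "__main__":
    # Constructed sizes: 1400 bytes ~ bulk transfer, 64 bytes ~ small interactive packets.
    for cipher in CIPHERS:
        for size in (1400, 64):
            print(f"{cipher:9s} inner={size:4d} wire={esp_packet_size(size, cipher):4d} "
                  f"goodput on 10 Mbit/s = {goodput_mbit(10, size, cipher):.2f} Mbit/s")
        print(f"{cipher:9s} max inner packet at MTU 1500 = {max_inner_len(1500, cipher)}")
```

When benchmarking with a tool such as netio, run it at several packet sizes: per-packet overhead is small for bulk transfers but much larger for small interactive packets.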