OpenVPN performance
-
Hi!
I am planning on substituting 3 Cisco ASA installations (datacenter (2 devices in HA), company HQ (2 devices in HA) and remote office) with pfSense boxes. I can't stand their TAC! I am paying for support and when I find a bug in a supported firmware they suggest I upgrade to a more recent version! (This bug I found crashes both ASAs in a failover cluster!!!)
HQ is connected to the datacenter through an IPsec tunnel (v2). HQ has 2 bandwidth providers: fiber connection at 100/20 Mbps and cable connection at 100/10 Mbps.
The remote office is connected to the HQ through an IPsec tunnel. Traffic on this tunnel is quite low.
I was thinking about buying two Jetway JNF99-525 motherboards for the datacenter and HQ. The remote office might be served by an ALIX board.
With the switch to pfSense I will switch entirely to OpenVPN and stop using IPsec.
Does anyone have any benchmark data for an OpenVPN tunnel using this Atom D525 at 1.8 GHz? Will the CPU be powerful enough to saturate the 100 Mbps link?
TIA,
Miguel
-
Generally for this type of rollout I'd recommend the hardware sold by pfSense (e.g. the Lanner 7551), as it is for a company.
That said, if you are going to roll your own, what is stopping you getting a cheap Haswell board and dropping in a Pentium chip? You'll likely be able to handle 700-800 Mbit or more of VPN traffic over it through sheer brute force, and you can upgrade it if you need more in future (unlike with the proposed Atom) - the cost would be about the same, and the power consumption for the most part will also be the same.
-
Hi!
I am planning on substituting 3 Cisco ASA installations (datacenter (2 devices in HA), company HQ (2 devices in HA) and remote office) with pfSense boxes. I can't stand their TAC! I am paying for support and when I find a bug in a supported firmware they suggest I upgrade to a more recent version! (This bug I found crashes both ASAs in a failover cluster!!!)
If that is your complaint, just know that ESF/pfSense will tell you exactly the same thing. Not quite sure what you expect. If they say "That was fixed in 9.0.4, here's where you download it, here's how you upgrade your failover pair with zero downtime" I don't know what your problem is.
-
Hi!
I am planning on substituting 3 Cisco ASA installations (datacenter (2 devices in HA), company HQ (2 devices in HA) and remote office) with pfSense boxes. I can't stand their TAC! I am paying for support and when I find a bug in a supported firmware they suggest I upgrade to a more recent version! (This bug I found crashes both ASAs in a failover cluster!!!)
If that is your complaint, just know that ESF/pfSense will tell you exactly the same thing. Not quite sure what you expect. If they say "That was fixed in 9.0.4, here's where you download it, here's how you upgrade your failover pair with zero downtime" I don't know what your problem is.
No… It is more along the lines of... You say the cluster is crashing. Let me capture the core dump. ONE hour waiting on the phone and several forced crashes after the "engineer" can't make the ASA write the coredump to the flash card! Then... ANOTHER "engineer" comes along and says "perhaps we should update your ASA to 9.1(5) to see if this fixes the problem".
My problem is paying huge support rates for lousy support by incompetent people. After allocating 65 MB of space in the CF for the coredump they could not reclaim this space and did not know how to!
My problem is paying a US company a huge SMARTnet contract and having a guy calling me from India with an incomprehensible accent trying to solve a problem. Telling me times in PDT when he's in India and I am in Europe!!
My problem is that I did not authorize the major update, I complained about this situation to the supervisors on Friday and until today no one came back to me!
-
You will get much better support than that from ESF. They will be able to tell you if a bug has been fixed before recommending an upgrade… But of course, as I see you realise, if the bug has been fixed then the way to get the fix is to upgrade - no magic there.
If the hardware is to be physically in Europe then it might not be economic to buy from NetGate or pfSense store in the USA - but that is up to you.
Pretty much anything you buy is going to do tens of Mbps of OpenVPN. You wouldn't buy an Alix now, you would buy an APU anyway and that will do a few hundred Mbps raw and plenty of OpenVPN for what you say.
-
If the hardware is to be physically in Europe then it might not be economic to buy from NetGate or pfSense store in the USA - but that is up to you.
Pretty much anything you buy is going to do tens of Mbps of OpenVPN. You wouldn't buy an Alix now, you would buy an APU anyway and that will do a few hundred Mbps raw and plenty of OpenVPN for what you say.
That is why I wanted to roll my own or perhaps buy from www.applianceshop.eu. Anyone got positive experiences with them?
I really wanted a CPU that could saturate a 100 Mbps OpenVPN site-to-site link and have some spare CPU cycles…
-
I would take a look at: http://store.pfsense.org/FW-7551/
-
I would take a look at: http://store.pfsense.org/FW-7551/
That's a bit pricey since NetGate sells the same box for $679 and the 1U 2758 for $999…
http://store.netgate.com/FW-7551.aspx
http://store.netgate.com/Firewall/C2758.aspx
-
What about in Europe?
-
What about in Europe?
I live in Italy; my personal choice has been building the appliance by myself. You should be able to stay under 500-600€ using an Atom Rangeley board with non-ECC RAM support.
If you don't mind paying extra for import duties from the USA I would look at Netgate products, as advised by Jason, or at pfSense products with their support bundled.