OpenVPN benchmarks for 7551?



  • Looking for some real-world benchmarks for OpenVPN on FW-7551 with large keys.

    Need real-world throughput in excess of 400 mbps.

    Actually it would be really neat to see overall benchmarks on this hardware, seeing how it's a sponsored product.  I can find none so far, won't buy it until I see the benchmarks.


  • Rebel Alliance Developer Netgate

    We're building up a test lab to determine these numbers for hardware we sell, but we don't want to publish any until the entire process is completely documented, reliable, repeatable, etc. We want to have hard data we can stand behind and not some quick run-off numbers like we had previously or like others have posted.

    Without the facts to back up the data, the numbers are fairly meaningless.

    I have a 7551 at my house, but I don't have enough upstream bandwidth to make it sweat. :-)



  • That's good to know.  We're fairly jumpy after the Sony Pictures hack, but I want real numbers before jumping into it.  Did that before on other hardware, got burned.

    I also have been trying to get numbers on Mikrotik hardware, it seems they're really evasive on any sort of support issue but most of all on VPN-related info.  I heard rumors from web searches that their vpn performance sucks, that's a huge problem for us.

    If I'm not mistaken the QuickAssist hardware built in gets much more than AES acceleration right?  Much more than the normal Intel CPU features?

    Thanks.


  • Rebel Alliance Developer Netgate

    VPN performance is an issue on lots of gear because it can be very expensive, CPU-wise.

    The hardware does have QuickAssist support but support for same is not yet in pfSense. It is in progress but not there yet. It doesn't automatically do anything unless the OS supports it as well.

    AES-NI is present on that hardware and should work for OpenVPN and also for IPsec, provided AES-GCM is used.



  • So is somebody working on QuickAssist?  Is there an approximate ETA on that?

    Thanks.



  • Hi Jimp:

    I have two FW-7551 devices set up, with an Ethernet cable directly connecting the WAN ports. They came pre-loaded with PFSense 2.2 and AES-NI is enabled in the BIOS on both devices. AES hardware support is also enabled in the System>Advanced>Miscellaneous section.

    I successfully built an OpenVPN tunnel through the devices using AES-128-CBC, SHA1 and the BSD Cryptodev engine. Oddly, the maximum transfer rate I can achieve with an encrypted tunnel is 100 Mb/s. The AES-NI support makes no difference in throughput. If I turn encryption off, the rate increases to 200 Mb/s.

    I changed many parameters in the Open VPN setup and turned AES-NI support in PFSense on and off, but the peak transfer rate stayed at 100 Mb/s. I do not have any explicit traffic shaping defined.

    I used two Windows laptops (one at each end of the tunnel) to exercise the link. When the computers were connected directly to the Ethernet switch, I saw transfer rates approaching wire speed (800-850 Mb/s). When connected via the tunnel, the rate was the previously mentioned 100 Mb/s.

    At this point I'm a little mystified, since I would have expected the transfer rate to be a little higher, especially with encryption turned off.

    Cheers,
    Ed


Log in to reply