Why does Gigabit throughput require such high end hardware?
-
In MO… We have 10/1 MB ($40/m) now and cable co start to offer 100/20 MB ($110/m)...and here you guys talking GB!!$$$$
-
Current offerings here in Denmark is 1Gbit/1Gbit for around 349DKK which is the equivalent of 49USD with current exchange rates….
-
In MO… We have 10/1 MB ($40/m) now and cable co start to offer 100/20 MB ($110/m)...and here you guys talking GB!!$$$$
You are talking about the WAN speed! And we were talking about the LAN speed!
This is quite different from each other, and the ConnectX 2 Series from Mellanox is supported
so it was only in my mind to find out if the new series will be perhaps also be supported, not
more and not less. And if we are talking about 40 GBit/s adapters this is more for the LAN
connection and not the WAN connection
..and here you guys talking GB!!$$$$
pfSense is not only used in home networks and in corporate networks you have to deal
also with other throughput for the entire company to deliver a moderate speed to all
the clients, servers and SANs and therefore it would even be great, to be able not
to create a so called bottleneck inside your LAN.
-
Current offerings here in Denmark is 1Gbit/1Gbit for around 349DKK which is the equivalent of 49USD with current exchange rates….
In HK 1G up/down is less than 30 USD/month, and there is vendor planning to work out a 10G residential plan.
-
That's freaking crazy! :D
Sponsored by Chinese Intelligence??? ;)
-
Why do governments act like children on the internet?
-
In Hungary we have 1G/300M for about 15USD/month including 110 DVB TV channels and landline phone.
-
In Manila we have 5/1 coax connection for about $30 per month and TV is another $15 extra… And the picture is shit... (-:
-
That's freaking crazy! :D
Sponsored by Chinese Intelligence??? ;)
I already consider this expensive, there exist cheaper 1G/1G options (and previous 2 yrs I was paying USD 15 for 500M/500M)
And of course we want to separate with mainland China (GFW is blocking lots of stuff)…...
-
I know. Do you use VPN to overcome that?
That's freaking crazy! :D
Sponsored by Chinese Intelligence??? ;)
I already consider this expensive, there exist cheaper 1G/1G options (and previous 2 yrs I was paying USD 15 for 500M/500M)
And of course we want to separate with mainland China (GFW is blocking lots of stuff)…...
-
In Hungary we have 1G/300M for about 15USD/month including 110 DVB TV channels and landline phone.
I guess everything is relative but still. :o
Steve
-
I know. Do you use VPN to overcome that?
That's freaking crazy! :D
Sponsored by Chinese Intelligence??? ;)
I already consider this expensive, there exist cheaper 1G/1G options (and previous 2 yrs I was paying USD 15 for 500M/500M)
And of course we want to separate with mainland China (GFW is blocking lots of stuff)…...
Staying in HK, I don't need to do anything, GFW is only within mainland China border.
If people need to go to China, they definitely need VPN, but it's still not that easy because GFW apparently knows the OpenVPN traffic, that's why I'm going to construct an OVPN obfuscation proxy to my OVPN server for hiding myself….
-
@gonzopancho:
IPsec does profit from AES-NI, it's AES-CBC + HMAC-SHA1 that suffers. We're not done, either. For now, using AES-GCM with AES-NI will provide the largest gains. Again, we're not done here, but the current project is QAT.
At my last place, they used a patch from a consulting company that implemented AES-CBC with HMAC-SHA-xx with AES-NI acceleration. I have since moved on. If I can get more info / link on that, I will share.
-
You can't accelerate SHA with AES-NI.
Very modern Intel CPUs have instructions that will accelerate SHA/SHA2, but there is no support for that in FreeBSD or pfSense yet.
-
@jwt:
You can't accelerate SHA with AES-NI.
Very modern Intel CPUs have instructions that will accelerate SHA/SHA2, but there is no support for that in FreeBSD or pfSense yet.
I still don't have all the details. So can't comment in depth. I have sent a query to my ex-colleagues. SHA-xx is not supported by AES-NI. Whereas CBC is indeed accelerated. But the combo AES-CBC with SHA-xx is the problem. So if this combo is offered during negotiations, it is rejected…until 'net.inet.ipsec.crypto_support' is disabled. I see this all the time in IPsec VPN, and also especially with L2TP / IPsec from Windows 7 and 10 clients.
VhPham
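
The split discussed in the posts above (AES-NI speeds up the AES cipher but not the HMAC-SHA integrity check, while AES-GCM benefits on both halves) can be checked against a machine's CPU flags. The following is an added example, not code from the thread or from pfSense; the sample dmesg text is constructed, and the function names and the suite table are assumptions made for illustration.

```python
import re

# Constructed sample of FreeBSD boot-time CPU feature lines (dmesg style).
# Not taken from the thread; the hex masks are arbitrary placeholders.
SAMPLE_DMESG = """\
CPU: Example CPU (constructed sample)
  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,RDRAND>
  Structured Extended Features=0x0<FSGSBASE,TSCADJ,SMEP,ERMS>
"""

# Instruction-set flags each IPsec transform needs: (cipher, integrity).
# AES-GCM's GHASH uses carry-less multiply (PCLMULQDQ); HMAC-SHA needs the
# separate SHA extensions, which AES-NI does not provide.
SUITES = {
    "AES-GCM": ({"AESNI"}, {"PCLMULQDQ"}),
    "AES-CBC + HMAC-SHA1": ({"AESNI"}, {"SHA"}),
    "AES-CBC + HMAC-SHA256": ({"AESNI"}, {"SHA"}),
}

def cpu_features(dmesg_text):
    """Collect every flag listed inside <...> on 'Features...=0x...' lines."""
    flags = set()
    for match in re.finditer(r"Features\d*=0x[0-9a-fA-F]+<([^>]*)>", dmesg_text):
        flags.update(f.strip() for f in match.group(1).split(",") if f.strip())
    return flags

def classify(flags):
    """Report which half of each transform the CPU has instructions for.

    This only describes the hardware; whether the OS crypto driver uses
    the instructions is a separate question.
    """
    report = {}
    for name, (cipher_req, integrity_req) in SUITES.items():
        if not cipher_req <= flags:
            report[name] = "no AES instructions"
        elif integrity_req <= flags:
            report[name] = "cipher and integrity instructions present"
        else:
            report[name] = "cipher only, integrity check in software"
    return report

if __name__ == "__main__":
    for suite, verdict in classify(cpu_features(SAMPLE_DMESG)).items():
        print(f"{suite}: {verdict}")
```
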
-
Staying in HK, I don't need to do anything, GFW is only within mainland China border.
If people need to go to China, they definitely need VPN, but it's still not that easy because GFW apparently knows the OpenVPN traffic, that's why I'm going to construct an OVPN obfuscation proxy to my OVPN server for hiding myself….
Actually, it doesn't 'know' OVPN traffic per se.
It scans traffic in waves and explicitly blocks the common IPSEC/ GRE/ L2TP ports etc. What it can't inspect (implying encrypted traffic or VPN traffic on non-common protocols or ports) when it catches during these waves of scanning, it logs, when the second or third wave picks up the same traffic pattern, it will assume it's VPN traffic and blocks it - that's how they catch on to OVPN and the likes of.
To bypass this, some VPN providers basically provide a tunnel within tunnel kind of configuration. It transfers the outer tunnel to roll between different endpoints to avoid being caught between waves and hopefully, the timing is just enough to let the GFW ignore it.
-
Staying in HK, I don't need to do anything, GFW is only within mainland China border.
If people need to go to China, they definitely need VPN, but it's still not that easy because GFW apparently knows the OpenVPN traffic, that's why I'm going to construct an OVPN obfuscation proxy to my OVPN server for hiding myself….
Actually, it doesn't 'know' OVPN traffic per se.
It scans traffic in waves and explicitly blocks the common IPSEC/ GRE/ L2TP ports etc. What it can't inspect (implying encrypted traffic or VPN traffic on non-common protocols or ports) when it catches during these waves of scanning, it logs, when the second or third wave picks up the same traffic pattern, it will assume it's VPN traffic and blocks it - that's how they catch on to OVPN and the likes of.
To bypass this, some VPN providers basically provide a tunnel within tunnel kind of configuration. It transfers the outer tunnel to roll between different endpoints to avoid being caught between waves and hopefully, the timing is just enough to let the GFW ignore it.
In China there are also some good VPN ISPs that are offering to the non-Chinese companies or citizens really
good performing VPN capable Internet account where such needed ports are open and not closed. So actually
a VPN tunnel or connection can be done with ease for foreign peoples in China, only to them self or Chinese
citizens this Internet account are allowed.
-
@BlueKobold:
In China there are also some good VPN ISPs that are offering to the non-Chinese companies or citizens really
good performing VPN capable Internet account where such needed ports are open and not closed. So actually
a VPN tunnel or connection can be done with ease for foreign peoples in China, only to them self or Chinese
citizens this Internet account are allowed.
There are.. The GFW is more concerned about traffic to international endpoints than domestic endpoints.
What a lot of companies (from US and EU) do is to actually buy an MPLS from an ISP like AT&T who has a datacenter or PoP within China. Their traffic goes through the MPLS to the DC within China and transits through the private international lines after that.
-
So to bring the actual topic to a point… would a 2358 make a Gbit capable pfSense platform