Difference between these two appliances?


  • Netgate RCC-VE 2440 System
    http://store.netgate.com/ADI/RCC-VE-2440.aspx

    vs.

    SG-2440 pfSense Security Appliance
    http://store.pfsense.org/SG2440/

    Is it just that the SG-2440 comes with pfSense pre-installed and also with support?  Is the hardware basically identical?

    And on a related note, will these handle 150Mbps site-to-site VPN (I have 75Mbps now but will upgrade to 150 in a year) or will I need a device with the C2558 in it?


  • @JimPhreak:

    Is it just that the SG-2440 comes with pfSense pre-installed and also with support?  Is the hardware basically identical?

    Yes, it's the same hardware (different color case), but the Netgate one is only a CentOS install. But there's more to it than just doing the install yourself as usual. You will have difficulties installing pfSense on the one that isn't pre-installed, as a basic load will not work on that hardware. Beyond getting it to work, there is tuning that should be done (and potentially changed in future versions) specific to the hardware.

    If you want to run Linux, get it from Netgate. If you want pfSense on it, buy it from store.pfsense.org. Unless your time is worth nothing at all, it's much cheaper to pay the bit extra not even including the benefit of having support.

    The C2358 will do multi-hundred Mbps IPsec with AES-GCM modes (to take full advantage of AES-NI), so as long as GCM is an option, that should be fine.


  • @cmb:

    @JimPhreak:

    Is it just that the SG-2440 comes with pfSense pre-installed and also with support?  Is the hardware basically identical?

    Yes, it's the same hardware (different color case), but the Netgate one is only a CentOS install. But there's more to it than just doing the install yourself as usual. You will have difficulties installing pfSense on the one that isn't pre-installed, as a basic load will not work on that hardware. Beyond getting it to work, there is tuning that should be done (and potentially changed in future versions) specific to the hardware.

    If you want to run Linux, get it from Netgate. If you want pfSense on it, buy it from store.pfsense.org. Unless your time is worth nothing at all, it's much cheaper to pay the bit extra not even including the benefit of having support.

    The C2358 will do multi-hundred Mbps IPsec with AES-GCM modes (to take full advantage of AES-NI), so as long as GCM is an option, that should be fine.

    Thanks for lending your opinion, I will certainly take it into consideration.

    You say the C2358 will do multi-hundred Mbps over an IPsec connection, but what about OpenVPN?


  • OpenVPN currently uses AES-CBC as opposed to AES-GCM. It still uses AES-NI but doesn't get quite as much of a speed boost as IPsec does in AES-GCM mode. TLS is also a heavier protocol with more overhead than IPsec. However, OpenVPN will eventually support AES-GCM, and QuickAssist will eventually provide a speed boost of unknown size to both VPN types.


  • @antillie:

    OpenVPN currently uses AES-CBC as opposed to AES-GCM. It still uses AES-NI but doesn't get quite as much of a speed boost as IPsec does in AES-GCM mode. TLS is also a heavier protocol with more overhead than IPsec. However, OpenVPN will eventually support AES-GCM, and QuickAssist will eventually provide a speed boost of unknown size to both VPN types.

    I realize OpenVPN is more CPU intensive right now than IPsec.  The question is though, would the C2358 be fast enough to handle a 75-150Mbps OpenVPN connection?


  • @cmb:

    You will have difficulties installing pfSense on the one that isn't pre-installed, as a basic load will not work on that hardware. Beyond getting it to work, there is tuning that should be done (and potentially changed in future versions) specific to the hardware.

    I have an SG-2440 on order, but reading this gave me a small bit of pause…

    What are the implications of "a basic load will not work"? Is it a custom build? If I need to re-install the unit, will I need to get a new custom build?

    Can you say a bit more about the tuning? Is the tuning part of the initial install (like TRIM), or is it something more complex following the base install? Splitting file systems on the flash and SSD?

    Also, does the tuning affect the actual pfSense config? In particular, will there be a problem restoring a configuration from a prior (full) installation?

    I appreciate any information you can share regarding this. Thanks.


  • @JimPhreak:

    @antillie:

    OpenVPN currently uses AES-CBC as opposed to AES-GCM. It still uses AES-NI but doesn't get quite as much of a speed boost as IPsec does in AES-GCM mode. TLS is also a heavier protocol with more overhead than IPsec. However, OpenVPN will eventually support AES-GCM, and QuickAssist will eventually provide a speed boost of unknown size to both VPN types.

    I realize OpenVPN is more CPU intensive right now than IPsec.  The question is though, would the C2358 be fast enough to handle a 75-150Mbps OpenVPN connection?

    Did you ever get an answer to your question, JimPhreak?


  • @stewie2016:

    @JimPhreak:

    @antillie:

    OpenVPN currently uses AES-CBC as opposed to AES-GCM. It still uses AES-NI but doesn't get quite as much of a speed boost as IPsec does in AES-GCM mode. TLS is also a heavier protocol with more overhead than IPsec. However, OpenVPN will eventually support AES-GCM, and QuickAssist will eventually provide a speed boost of unknown size to both VPN types.

    I realize OpenVPN is more CPU intensive right now than IPsec.  The question is though, would the C2358 be fast enough to handle a 75-150Mbps OpenVPN connection?

    Did you ever get an answer to your question, JimPhreak?

    I wound up building my own box with a C2558 motherboard.  Handles my VPN without the CPU going above 10-15% so I've got plenty of headroom.


  • I wound up building my own box with a C2558 motherboard.  Handles my VPN without the CPU going above 10-15% so I've got plenty of headroom.

    Then please go with a C2758 SoC based board or go with an Intel Xeon E3-12xxv3; this might be better with regard to CPU usage. It can also be a smaller miniITX board with low power but much power.


  • @BlueKobold:

    I wound up building my own box with a C2558 motherboard.  Handles my VPN without the CPU going above 10-15% so I've got plenty of headroom.

    Then please go with a C2758 SoC based board or go with an Intel Xeon E3-12xxv3; this might be better with regard to CPU usage. It can also be a smaller miniITX board with low power but much power.

    Huh?  Confused as to what you are responding to.  I'm not having any issue with my setup.


  • @JimPhreak - may I PM you?


  • @stewie2016:

    @JimPhreak - may I PM you?

    Of course.  I'll be home in 45 min and will answer then.