Box for high speed IPsec site to site tunnel (streaming, normal web traffic)



  • Looking to build my first pfSense box!

    The most important requirement would be the ability to set up an IPsec site to site connection between a 200 mbit/s link and a 1 gbit/s link in a data center. I guess this means the box will need some CPU power? I also have to keep in mind that the 200 mbit/s pipe is going to be upgraded to a 500 mbit/s connection in a year or so.

    Wireless will be handled by an access point. Besides that I'm not looking for anything fancy. The most important thing is speed over VPN. Casing as small as possible. Does not need to be rack mount.

    Any recommendations for at least a board and CPU? I guess it might be a good idea to invest in an Intel CPU with AES-NI support in case I'm making the switch to OpenVPN in the future. Not planned but you'll never know.

    Just to clarify, this box will be routing all of my home traffic encrypted to a data center. This means streaming (Netflix, Spotify, Plex) and normal web traffic.
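    The AES-NI question raised above can be checked before buying. This is an added shell example, not something posted in the thread: it parses the Linux /proc/cpuinfo flags (pfSense/FreeBSD reports the feature as AESNI in dmesg instead), measures a single-core AES-128-GCM rate with `openssl speed` when openssl is available, and compares it against an assumed link rate; the 20 percent ESP-overhead headroom is an assumption.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): pre-purchase AES-NI sanity checks.
    # Assumptions: Linux /proc/cpuinfo format; openssl on PATH for the speed test.

    # has_aesni [FILE]: exit 0 when every "flags" line in FILE (default
    # /proc/cpuinfo) lists the "aes" feature, 1 when any core lacks it or no
    # flags line exists. On FreeBSD/pfSense look for "AESNI" in dmesg instead.
    has_aesni() {
        f="${1:-/proc/cpuinfo}"
        total=$(grep -c '^flags' "$f" 2>/dev/null || true)
        with=$(grep '^flags' "$f" 2>/dev/null | grep -cw 'aes' || true)
        [ "$total" -gt 0 ] && [ "$total" -eq "$with" ]
    }

    # aes_gcm_mbit: single-core AES-128-GCM rate in Mbit/s from "openssl speed",
    # taken from its largest block-size column (value printed as kilobytes/s);
    # prints "unknown" if openssl is missing or the output cannot be parsed
    # (LibreSSL and older builds format things differently).
    aes_gcm_mbit() {
        command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
        openssl speed -seconds 1 -evp aes-128-gcm 2>/dev/null |
            awk '/^aes-128-gcm/ { v=$NF; sub(/k$/, "", v); printf "%d\n", v*8/1000; found=1 }
                 END { if (!found) print "unknown" }'
    }

    # fits_link MBIT LINK_MBIT: exit 0 if the measured rate covers the link with
    # headroom for ESP framing overhead (assumed 20 percent), 1 otherwise or
    # when the rate is "unknown".
    fits_link() {
        [ "$1" = unknown ] && return 1
        [ "$(( $1 * 100 ))" -ge "$(( $2 * 120 ))" ]
    }

    # Usage on the candidate box:
    #   has_aesni && echo "AES-NI present"
    #   rate=$(aes_gcm_mbit); fits_link "$rate" 500 && echo "$rate Mbit/s covers a 500 Mbit/s link"
    ```

    The speed figure is a single-core cipher ceiling, not an IPsec benchmark; real tunnel throughput also depends on the NIC, driver and packet sizes.
    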



  • I was not really able to find out how many boxes you will really need, and what is the other end
    of the IPsec VPN based on? It will be more interesting that the hardware on both ends is capable
    of handling IPsec traffic smoothly.

    These days I really think nothing beats an Intel Xeon E3-12xxv3.
    Great performance, able to take new PCIe cards if needed, and powerful
    enough to handle these links now and the future ones. But this is not cheap
    and not a power-saving platform, as it is for your home usage.

    Big:
    Supermicro A1SRM-2758F
    Comtech AHA AHA363PCIE
    INTEL-I210T1-Server-Adapter
    FlexATX case with 250 Watt PSU
    Small:
    Supermicro A1SRi-2758F
    Comtech AHA AHA363PCIE
    Supermicro SC101i

    From the pfSense store:
    SG-2240
    SG-4860
    SG-8860



  • @BlueKobold:

    I was not really able to find out how many boxes you will really need, and what is the other end
    of the IPsec VPN based on? It will be more interesting that the hardware on both ends is capable
    of handling IPsec traffic smoothly.

    These days I really think nothing beats an Intel Xeon E3-12xxv3.
    Great performance, able to take new PCIe cards if needed, and powerful
    enough to handle these links now and the future ones. But this is not cheap
    and not a power-saving platform, as it is for your home usage.

    Big:
    Supermicro A1SRM-2758F
    Comtech AHA AHA363PCIE
    INTEL-I210T1-Server-Adapter
    FlexATX case with 250 Watt PSU
    Small:
    Supermicro A1SRi-2758F
    Comtech AHA AHA363PCIE
    Supermicro SC101i

    From the pfSense store:
    SG-2240
    SG-4860
    SG-8860

    The data center box is a powerful Linux server. The other end will be my box at home. My LAN has about 25 clients. Most of them are wireless, except for a couple of servers. For wireless networking, I will keep my current Netgear R7000 router.

    That SG-4860 pfSense box does look interesting I must say. I checked the https://www.pfsense.org/hardware/#requirements page and it states I'll be needing "Multiple cores at > 2.0GHz are required. Server class hardware with PCI-e network adapters." for 501+ Mbps. The SG-4860 seems to match those requirements.

    Do you think the Supermicro A1SRi-2758F will suffice?



  • Do you think the Supermicro A1SRi-2758F will suffice?

    Both Supermicro boards come with 8 CPU cores at 2.4 GHz, support 64 GB of ECC RAM,
    and offer a PCIe slot. The PCIe slot can hold either an Intel i210-T1 server-grade adapter
    and/or a Comtech AHA AHA363PCIE compression card, and this card would be really interesting if
    you have a chance to insert a second one on the other side!!! VPN accelerators are rarely to be
    had and often too highly priced; this card is available "used" on eBay for ~$30 - $50, so it
    would be a really cheap and suffer solution.

    The data center box is a powerful Linux server. The other end will be my box at home.

    OK, are you able to insert a card such as the Comtech AHA AHA363PCIe into this Linux server?

    That SG-4860 pfSense box does look interesting I must say.

    4 Cores and 8 GB RAM but no extra PCIe slots.

    I checked the https://www.pfsense.org/hardware/#requirements page and it states I'll be needing "Multiple cores at > 2.0GHz are required. Server class hardware with PCI-e network adapters." for 501+ Mbps.

    So, as I was saying first: "Nothing is beating an Intel Xeon E3-12xxv3 at this time!"

    The SG-4860 seems to match those requirements.

    I really think the SG-8860 will do so more; all the appliances from the entire SG-xxxx series
    come with AES-NI and Intel QuickAssist, but at this time there are not really many effects coming
    from these tech specs, as I see it.



  • I think I'm going for a Dell T20 with an Intel Xeon E3-1225 v3, 4GB RAM and a separate Intel network interface (dual port) card. That should be enough to process a 200 mbit/s (in the future 500 mbit/s) site to site IPsec tunnel right?



  • I think I'm going for a Dell T20 with an Intel Xeon E3-1225 v3, 4GB RAM and a separate Intel network interface (dual port) card.

    I really don't know if the Dell T20 will be able to hold pfSense, I mean whether you are able to
    install pfSense on it; I would perhaps try it out before getting more information on this.

    That should be enough to process a 200 mbit/s (in the future 500 mbit/s) site to site IPsec tunnel right?

    Yes, I think so, really enough.



  • Yes, the Dell T20 seems to have full support on FreeBSD. I also decided on the NIC: Intel I350-T2.

    Now I'm only wondering if 4GB RAM is enough but that must be I guess…?



  • Now I'm only wondering if 4GB RAM is enough but that must be I guess…?

    This must be found out by each user themselves, but it is also based on the usage of pfSense
    with Squid + SquidGuard + Snort + AV scan, ...

    I really think 4 GB for normal usage will be enormous and 8 GB for the services named above
    will be really enough, but this also depends on the connections, users, and throughput that
    is needed and/or in the entire LAN.



  • Just FYI, I've received the server and been playing around with pfSense. Liking it so far!

    Next up: IPsec to my data center box ::)



  • Perhaps the Comtech would work with Linux, but it won't work with pfSense AFAIK.