Braswell N3150 with Intel NICs

Guest

Oh, those CPUs are looking nice!. Do you think that it would be a good idea to mix into one of these a NAS and pfSense using ESXI 6.0?

Installing a firewall inside of a VM might be discussed by two different camps, one vote for it and the other not.
But, if you are installing it at home, I think it could be a win for you, with a closer view on the electric power
usage within. And there was an interesting article about one of these SoCs at www.servethehome.com and
they where trying out this construct pfSense and a NAS in different VMs on the Xeon D-1500 platform.
But I was not finding it now in the minute, sorry for that.

I read the integrated LANs like i350 have virtualisation capabilities so it will be the same as running it native (or almost, I guess… for the pfSense setup I mean)

This should be answered by peoples who are running hyper-visors and VMs.

I'm not too keen on having pfsense virtualised, but maybe is an interesting option as I also have a NAS running.

As told above it might be interesting for home user pending on the electric power usage
to have a NAS and pfSense running in VMs, but perhaps there will be soon or nearly another
way be opened owed to this point. comment on that by @jwt

EDIT: how do you find out if a CPU has the QuickAssist? it's not listed in the ark.intel.com database

Not that we are talking here about two different things, there is an existing D-1500 platform and now
an upgrade to existing platform and one is Storage accelerated and the other one is network accelerated
not likes before one SKU for all! And the newer platform that is network accelerated, ending with an eight
likes Xeon D-15x8, only is coming together with; Servethehome article

It appears as though the next-generation Intel Xeon D-15×8 networking parts will have a similar impact on performance,
if not even greater with their support for DPDK and QuickAssist.

• AES-NI (likes before)
  Is actual used at the moment by pfSense
• Intel QuickAssist (new)
  pfSense team is working on, to insert it in the pfSense code
• Intel DPDK (for enabled software) (new)
  Is on the road map together with netmap as I am right informed
  As an example, it can be speeding up Layer3 routing and such things as i know, if the DPDK was
  used to write code or the API from this DPDK was used to write code, but this should be answered
  by an code writer and not by me. I don´t know writing code and programming.

Xeon D-15x1 = storage accelerated SKUs using the SPDK
Xeon D-15x8 = network accelerated SKus using the DPDK
Servethehome article

Very interesting and useful comments.

Surely, it was done by @cmb in another thread about VPN and AES-NI. AES-NI inoperative on pfSense 2.2?

Still I don't understand this one about OpenVPN not faster with AES-NI.
From OpenVPN.net figures are quite different.

This might be pending on the point that we are not talking about the same thing as I would imagine
for now, but let me try to explain it that it comes more clear to understand. There are two points here
we are talking about; OpenVPN & IPSec VPN and the usage and benefit from using AES-NI
So one time the usage of AES-NI and one time the benefits from using AES-NI would be the
both points to discuss here as I see it right. Please correct me if not so.

• OpenSSL is using AES-NI if it is present in the CPU or SoC and OpenSSL is used by OpenVPN
  but OpenVPN is only AES-CBC at this time and this might be not getting any benefit from the AES-NI

• IPSec is using AES-GCM and this is using AES-NI and will also benefiting from this.

Or if you need it more sliced and cut;

• OpenSSL is using AES-NI if it is present in the CPU or SoC
• OpenSSL is used by OpenVPN and this uses AES-CBC
• But AES-CBC is not getting no till only a very tiny benefit from AES-NI
• IPSec is using AES-GCM
• And AES-GCM is using the AES-NI instructions and getting also a huge benefit from that

Thats all, please don´t mix it up to hard or read something other out from this.

Or in shorter version:
IPSec is using AES-GCM and this will benefits from the AES-NI and let growing
up the entire throughput from normal 1x up to 4x or 5x.

OpenVPN is using AES-CBC but this is not benefiting from the AES-NI and there fore
there is no till only some benefit from the AES-NI usage.

This said, I've no idea about Quickassist impact which may help even more.

Ok but what should pump up both IPSec and OpenVPN? There are two ways to realize this.
OpenVPN also gets AES-GCM that is using the AES-NI instructions as said by @cmb in the
other thread and OpenVPN is also benefiting from them, or if not so, or not so fast
the Intel QuickAssist technology is ready to use in pfSense for compression and decompression
that might be speeding up also the OpenVPN without using AES-NI or without AES-GCM.

I was here reacting only to the "OpenVPN with vs. without AES-NI", more with question mark that strong statement BTW.

If only IPSec with AES-GCM is using AES-NI and speeding up VPNs by the AES-NI instruction set of
the CPU or Soc, but OpenSSL in or used by OpenVPN is only using AES-CBC and based on this there
will be only a little bit or no benefit from AES-NI there for. Please what was strong now from this statement?

That means we may not be able to run pfsense on 2 core C2338 (SG2220 and SG2440) in the future.

Can be but I think the comment was more related to the Intel i2xx LAN Ports and the NIC queues that will be
produced and must be handled by pfSense.

The change may come when Netgate replaces C2338 for the Denverton Atoms.

Why should they do so? If the intel Atom C2000 (Rangeley) SoCs become older they are cheaper
to buy and if they are sufficient enough to handle 1 GBit/s on the WAN and ~500 MBit/s (SG-4860)
VPN throughput it could be a really cheaper then now entry level, home usage or SOHO platform for
the pfSense store. And the Xeon D-15x8 SoCs are definitely more enterprise related, so the "Denverton"
platform might be a good chance to set up a Pro series between them, or am I wrong with this?

Sekrit

@BlueKobold:

The change may come when Netgate replaces C2338 for the Denverton Atoms.

Why should they do so? If the intel Atom C2000 (Rangeley) SoCs become older they are cheaper
to buy and if they are sufficient enough to handle 1 GBit/s on the WAN and ~500 MBit/s (SG-4860)
VPN throughput it could be a really cheaper then now entry level, home usage or SOHO platform for
the pfSense store. And the Xeon D-15x8 SoCs are definitely more enterprise related, so the "Denverton"
platform might be a good chance to set up a Pro series between them, or am I wrong with this?

Rangeley was manufactured 2 years ago on 22nm wafers and it is history for Intel. It's time for another tock. You may not be able to source it anymore.

BrunoSmi

Well, I've got Windows Server 2012 R2 running with Hyper-V on my CI323 nano after thinkering a bit.

The solution that I've used is to download all the Windows 8/8.1 drivers from the zotac site + the Intel chipset driver from JetWay site for NP591 board ( the newest inf driver on the JetWay site is dated 02.june 2016.) and integrated the divers into the install and boot wim files using dism.

After installing the Windows Server 2012 R2 did all the possible updates, and only then I've added the Hyper-v role to the Windows. I'm running a virtualized firewall on my CI323.
The next step is getting ESXI running on my CI323 or Hyper-v Server, the later could be a problem since the system crashes as soon as it's installed on first boot, so there is no possibility to update the server ( could try updating the server with VT turned off in BIOS).

ATM. I've installed Hyper-V Server 2012 R2, with VT disabled and updating Hyper-V, will post results if someone is interested.

Kind regards,
Bruno

Sekrit

I tried Jetway but decided to return it.  Instead, I changed my server to XeonE3-1245 and supermicro X11 motherboard with a 4 port intel LAN and running pfsense on Vmware under Windows 10.  Addons are snort, pfblocker and Squid proxy. It has been very stable and fast for 6 months.

netghost

Bruno
I have been trying to install ESXi 6.0 on the ci323 nano but with no luck. Everything I have tried so far ends up halting at" Relocating modules and starting up the kernel". Would like to know if you are able to install ESXi on it and how you went about it.

khorton

@Sekrit:

I tried Jetway but decided to return it.  Instead, I changed my server to XeonE3-1245 and supermicro X11 motherboard with a 4 port intel LAN and running pfsense on Vmware under Windows 10.  Addons are snort, pfblocker and Squid proxy. It has been very stable and fast for 6 months.

Which Jetway board did you have, and why did you decide to return it?

Sekrit

@khorton:

@Sekrit:

I tried Jetway but decided to return it.  Instead, I changed my server to XeonE3-1245 and supermicro X11 motherboard with a 4 port intel LAN and running pfsense on Vmware under Windows 10.  Addons are snort, pfblocker and Squid proxy. It has been very stable and fast for 6 months.

Which Jetway board did you have, and why did you decide to return it?

I had a Jetway JC320U93W-2930-B Intel Celeron N2930 Dual Intel LAN Fanless NUC

It generated too much heat. SO-DIMM was defective or the motherboard was causing memtest errors. SSD I received was DOA. The USB drive that I was using temporarily eventually failed too.  I had enough problems.  I wanted to give it a shot to vmware installation and never looked back.