PC Engines apu2 experiences



  • Your CPU has 4 cores, can you test with "-multi 4" option to run 4 threads together? Then we can see the actual speed for this CPU.

    @dugeem:

    With aesni kernel module loaded:

    
    openssl speed -elapsed -evp aes-128-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc       1527.90k     5867.93k    21607.17k    65414.14k   162611.20k
    
    openssl speed -elapsed -evp aes-256-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc       1512.18k     5761.15k    20833.28k    58732.20k   127229.95k
    
    

    With aesni kernel module unloaded (i.e. use openssl internal AES-NI support):

    
    openssl speed -elapsed -evp aes-128-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     125586.59k   174393.26k   213315.07k   226097.49k   230883.33k
    
    openssl speed -elapsed -evp aes-256-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc     100216.39k   136148.85k   157464.49k   162677.42k   165601.28k
    
    


  • Here is what I got trying the same command with -multi 4

    openssl speed -elapsed -evp aes-128-cbc -multi 4
    evp              5582.70k    22238.25k    81301.33k  244524.47k  593181.72k

    openssl speed -elapsed -evp aes-256-cbc -multi 4
    evp              5615.02k    21855.49k    77674.24k  220074.67k  465368.41k

    Then after setting "Cryptographic Hardware" in the GUI back to none (not sure if this does the right thing)

    openssl speed -elapsed -evp aes-128-cbc -multi 4
    evp              5645.37k    19885.66k    70725.03k  217378.47k  524483.65k

    openssl speed -elapsed -evp aes-256-cbc -multi 4
    evp              5586.90k    21842.43k    77226.75k  219488.40k  455090.18k

    @edwardwong:

    Your CPU has 4 cores, can you test with "-multi 4" option to run 4 threads together? Then we can see the actual speed for this CPU.

    @dugeem:

    With aesni kernel module loaded:

    
    openssl speed -elapsed -evp aes-128-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc       1527.90k     5867.93k    21607.17k    65414.14k   162611.20k
    
    openssl speed -elapsed -evp aes-256-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc       1512.18k     5761.15k    20833.28k    58732.20k   127229.95k
    
    

    With aesni kernel module unloaded (i.e. use openssl internal AES-NI support):

    
    openssl speed -elapsed -evp aes-128-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     125586.59k   174393.26k   213315.07k   226097.49k   230883.33k
    
    openssl speed -elapsed -evp aes-256-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc     100216.39k   136148.85k   157464.49k   162677.42k   165601.28k
    
    


  • Just started to configure APU2C4 as a replacement for my old Alix 2D13.
    I'm wandering if it is possible to see the current CPU frequency in a dashboard?



  • Impressive result.
    BTW, using "-evp" will force using crypto hardware, so whatever you set in GUI doesn't really matter, maybe you should try to skip this option to see the difference.

    @Zebibyte:

    Here is what I got trying the same command with -multi 4

    openssl speed -elapsed -evp aes-128-cbc -multi 4
    evp              5582.70k    22238.25k    81301.33k  244524.47k  593181.72k

    openssl speed -elapsed -evp aes-256-cbc -multi 4
    evp              5615.02k    21855.49k    77674.24k  220074.67k  465368.41k

    Then after setting "Cryptographic Hardware" in the GUI back to none (not sure if this does the right thing)

    openssl speed -elapsed -evp aes-128-cbc -multi 4
    evp              5645.37k    19885.66k    70725.03k  217378.47k  524483.65k

    openssl speed -elapsed -evp aes-256-cbc -multi 4
    evp              5586.90k    21842.43k    77226.75k  219488.40k  455090.18k

    @edwardwong:

    Your CPU has 4 cores, can you test with "-multi 4" option to run 4 threads together? Then we can see the actual speed for this CPU.

    @dugeem:

    With aesni kernel module loaded:

    
    openssl speed -elapsed -evp aes-128-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc       1527.90k     5867.93k    21607.17k    65414.14k   162611.20k
    
    openssl speed -elapsed -evp aes-256-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc       1512.18k     5761.15k    20833.28k    58732.20k   127229.95k
    
    

    With aesni kernel module unloaded (i.e. use openssl internal AES-NI support):

    
    openssl speed -elapsed -evp aes-128-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     125586.59k   174393.26k   213315.07k   226097.49k   230883.33k
    
    openssl speed -elapsed -evp aes-256-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc     100216.39k   136148.85k   157464.49k   162677.42k   165601.28k
    
    


  • @AndrewZ:

    Just started to configure APU2C4 as a replacement for my old Alix 2D13.
    I'm wandering if it is possible to see the current CPU frequency in a dashboard?

    See my previous post in this thread (post #17).

    after following the details from here https://forum.pfsense.org/index.php?topic=108262.0 the dashboard temperature readout works perfectly.



  • @apollo17:

    after following the details from here https://forum.pfsense.org/index.php?topic=108262.0 the dashboard temperature readout works perfectly.

    Indeed, I've noticed that post earlier and already implemented the workaround described on my system.
    My question was about frequency, not temperature.
    For some reasons I was able to see the current and the maximum frequency (600 and 1000 as I recall) very briefly only 2 times during the page reload. All other time I see only the following:

    CPU Type AMD GX-412TC SOC
    4 CPUs: 1 package(s) x 4 core(s)



  • @AndrewZ:

    @apollo17:

    after following the details from here https://forum.pfsense.org/index.php?topic=108262.0 the dashboard temperature readout works perfectly.

    Indeed, I've noticed that post earlier and already implemented the workaround described on my system.
    My question was about frequency, not temperature.
    For some reasons I was able to see the current and the maximum frequency (600 and 1000 as I recall) very briefly only 2 times during the page reload. All other time I see only the following:

    CPU Type AMD GX-412TC SOC
    4 CPUs: 1 package(s) x 4 core(s)

    Sorry, my mistake i misread your post. I know what you mean mine does that aswell, i'm not sure if you can change it. If you have powerd enabled you can get a realtime frequency read out using the shell command powerd -v.

    I don't think the dashboard freqency readout is just amd related, it behaves the same on intel systems too.



  • @apollo17:

    I know what you mean mine does that aswell, i'm not sure if you can change it. If you have powerd enabled you can get a realtime frequency read out using the shell command powerd -v.

    I don't think the dashboard freqency readout is just amd related, it behaves the same on intel systems too.

    Thanks for that, good to know.



  • What transfer speed does the apu2 get from squid's local cache?



  • What transfer speed does the apu2 get from squid's local cache?

    This is mostly also owed to the circumstance what storage drive is used in that case!!



  • I'd like to add what I've found and compare the APU1D with the APU2C4.  Each test was run 5 times and the average is shown:

    
    _______________APU1D__________Without aes-ni Enabled in GUI_____AES-128
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    openssl speed -elapsed aes-128-cbc
    aes-128-cbc      20,150.25	   21,593.45	 22,101.23	   55,892.72	 57,108.07
    openssl speed -elapsed -evp aes-128-cbc
    aes-128-cbc      20,879.17	   22,096.23	 22,604.51	   22,781.61	 22,756.18
    openssl speed -elapsed aes-128-cbc -multi 2
    aes-128-cbc      37,715.27	   42,234.96	 43,208.21	  108,581.00	108,638.48
    openssl speed -elapsed -evp aes-128-cbc -multi 2
    evp              41,202.15	   43,115.07	 43,609.43	   42,840.60	 44,048.14
    
    _______________APU1D__________Without aes-ni Enabled in GUI_____AES-256
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    openssl speed -elapsed aes-256-cbc
    aes-256 cbc      14,700.73	   15,444.83	 15,733.50	   41,247.34	 41,710.94
    openssl speed -elapsed -evp aes-256-cbc
    aes-256-cbc      15,243.62	   15,707.42	 15,961.70	   16,126.77	 15,934.53
    openssl speed -elapsed aes-256-cbc -multi 2
    aes-256 cbc      23,949.23	   26,988.24	 29,858.76	   65,845.54	 64,089.45
    openssl speed -elapsed -evp aes-256-cbc -multi 2
    evp              29,593.04	   26,244.35	 26,773.70	   28,397.03	 27,938.67
    
    _______________APU1D__________With aes-ni Enabled in GUI_____AES-128
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    openssl speed -elapsed aes-128-cbc
    aes-128 cbc      19755.576	  21431.89	   21989.752	55771.576	 55630.234
    openssl speed -elapsed -evp aes-128-cbc
    aes-128-cbc      20863.098	  22093.112	   22559.898	22602.114	 22531.338
    openssl speed -elapsed aes-128-cbc -multi 2
    aes-128 cbc      37336.336	  38520.556	   42471.264   105237.468	99426.206
    openssl speed -elapsed -evp aes-128-cbc -multi 2
    evp              36558.862	  40986.052	   42027.06	    40009.182	 41684.274
    
    _______________APU1D__________With aes-ni Enabled in GUI_____AES-256
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    openssl speed -elapsed aes-256-cbc
    aes-256 cbc      14591.166	  14837.534	   14614.882	39739.044	 40290.906
    openssl speed -elapsed -evp aes-256-cbc
    aes-256-cbc      14994.722	  15396.05	   16006.702	16093.2	     15921.974
    openssl speed -elapsed aes-256-cbc -multi 2
    aes-256 cbc      24330.116	  27610.256	   26142.88	    71589.386	 70645.116
    openssl speed -elapsed -evp aes-256-cbc -multi 2
    evp              25427.984	  27953.616	   26119.284	28292.242	 26312.212
    
    _______________APU2C4__________Without aes-ni Enabled in GUI_____AES-128
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    openssl speed -elapsed aes-128-cbc
    aes-128-cbc       14,602.14 	 15,604.71 	 16,020.81 	 41,673.96 	 42,613.15 
    openssl speed -elapsed -evp aes-128-cbc
    aes-128-cbc      116,857.16 	 167,172.30 	 205,183.44 	 216,286.74 	 219,179.69 
    openssl speed -elapsed aes-128-cbc -multi 2
    aes-128-cbc       52,436.02 	 58,305.43 	 58,527.76 	 154,819.86 	 162,012.23 
    openssl speed -elapsed -evp aes-128-cbc -multi 2
    evp               5,339.28 	 20,562.37 	 75,235.53 	 230,458.68 	 567,333.62 
    
    _______________APU2C4__________Without aes-ni Enabled in GUI_____AES-256
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    openssl speed -elapsed aes-256-cbc
    aes-256 cbc       10,657.51 	 11,205.91 	 11,310.90 	 30,765.00 	 31,377.54 
    openssl speed -elapsed -evp aes-256-cbc
    aes-256-cbc       96,810.10 	 129,034.06 	 150,190.10 	 156,638.07 	 158,143.28 
    openssl speed -elapsed aes-256-cbc -multi 2
    aes-256 cbc       39,620.04 	 40,461.33 	 40,217.14 	 120,696.35 	 117,217.43 
    openssl speed -elapsed -evp aes-256-cbc -multi 2
    evp               5,224.40 	 21,083.67 	 73,885.68 	 201,226.44 	 442,017.98 
    
    _______________APU2C4__________With aes-ni Enabled in GUI_____AES-128
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    openssl speed -elapsed aes-128-cbc
    aes-128 cbc       14,547.43 	 15,599.68 	 16,005.85 	 41,691.67 	 42,459.34 
    openssl speed -elapsed -evp aes-128-cbc
    aes-128-cbc       1,455.86 	 5,778.35 	 21,179.49 	 64,385.85 	 158,815.65 
    openssl speed -elapsed aes-128-cbc -multi 2
    aes-128 cbc       53,114.91 	 57,221.27 	 58,445.19 	 159,149.88 	 158,859.67 
    openssl speed -elapsed -evp aes-128-cbc -multi 2
    evp               5,355.99 	 21,216.93 	 75,614.86 	 228,806.89 	 572,782.12 
    
    _______________APU2C4__________With aes-ni Enabled in GUI_____AES-256
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    openssl speed -elapsed aes-256-cbc
    aes-256 cbc       10,657.26 	 11,111.40 	 11,175.44 	 30,771.72 	 31,289.62 
    openssl speed -elapsed -evp aes-256-cbc
    aes-256-cbc       1,404.00 	 5,528.13 	 19,735.86 	 55,687.85 	 119,758.85 
    openssl speed -elapsed aes-256-cbc -multi 2
    aes-256 cbc       39,908.48 	 39,509.88 	 41,580.65 	 117,316.88 	 117,157.87 
    openssl speed -elapsed -evp aes-256-cbc -multi 2
    evp              5,456.64 	 20,749.14 	 70,953.42 	 207,225.20 	 456,061.90 
    
    

    Some things stand out fairly obvious but I'll need some help determining what is going on.
    First, it's obvious that enabling aes-ni in the Advanced-Misc section does something.  It seems to have a modest affect on the APU1D and a fairly detrimental affect on the APU2C4. 
    Second, the APU2C4 only has about 73% of the performance of the APU1D using a single core and no hardware acceleration.
    Third, the APU2D4 seems to excel in some circumstances and bomb in others.  I expected to see a fairly consistent trend, but the charts seem to say otherwise.

    Does anyone know which number is most representative of performance when running the openssl speed test?  From what I'm seeing it appears that on the APU1D with aes-ni disabled we should be able to get 108MB/s on aes-128 with an 8k block size and 65MB/s on aes-256 with an 8k block size.  It also appears that with the APU2D4 we should be able to get 567MB/s on aes-128 with an 8k block size and 442MB/s on aes-256 with an 8k block size.  Those don't seem right to me.  Can anyone care to elaborate?

    Also, I've attached a screenshot of the spreadsheet I've put together with basic heatmaps.  All values are the same and "are in 1000s of bytes per second processed".  I just dropped the "k" so I could run calculations.  Also, the commands that were run that include the multi switch were run as "multi 2" on the APU1D and as "multi 4" on the APU2C4.

    Edit:  I should note that these are all run with powerd on set to hiadpative.  Also, added APU2C4 numbers that were forgotten.




  • The average I get running iperf across the LAN interfaces is:
    APU1D    -> APU2C4    = 235Mb/s
    APU2C4  -> APU1D      = 218Mb/s
    APU1D    -> Core2Box = 121Mb/s
    APU2C4  -> Core2Box = 222Mb/s

    Services enabled on the APU1D and APU2C4 in case they affect things are:
    Squid
    SquidGuard
    AV Integrated in Squid
    Snort
    pfBlockerNG
    darkstat
    LightSquid



  • Are you guys using a full install or a nanobsd install on an msata 16gb ssd on an apu2c4?



  • I'm running a full install.



  • Without any modifications like using ramdisks for /tmp and /var? Fulll install as is?



  • Yes.  Using an msata ssd.



  • @Stewart:

    Second, the APU2C4 only has about 73% of the performance of the APU1D using a single core and no hardware acceleration.

    I saw similar results, back when I got my first APPU2. it seemed to be odd but then I re-ran the benchmark a few times and I always got more or less the same score each time…

    APU1 https://browser.primatelabs.com/geekbench3/4636493
    APU2 https://browser.primatelabs.com/geekbench3/4635680

    regards,
    michael



  • Are the APU2 developers already aware of this? This issue seems to be a major one that needs addressing, right?



  • I read there is a module for using the 3 front LEDs on the apu2 boards (http://pcengines.ch/howto.htm#gpio), has anyone using pfSense experience with this?

    Thanks in advance,

    Cheers Qinn



  • Hi,

    I just set up two APU2C4 boxes with pfSense 2.3.2. After a bit of fiddling with the USB stick for TinyCore, I managed to get it installed. On a 1Gbit connection, I had >800Mbit down and up through the firewall. No tuning what so ever.

    I am using pfSense-CE-2.3.2-RELEASE-4g-amd64-nanobsd.img.gz



  • Hey Guys, I wish I was getting maglub's performance out of the box.

    I just received a APU2C4 in the mail and loaded pfSense-CE-memstick-serial-2.3.2-RELEASE-amd64 on it.

    It manages to boot fine, and it's fully functional, the web interface moves much quicker and more fluid than the old ALIX2D3 it had replaced.

    However when I run iperf on the LAN interface from another host, I'm only getting 300Mbps or so.

    I found this thread about Intel I210AT nics and am attempting their suggestions:

    https://redmine.pfsense.org/issues/1221

    I see they're playing with the buffers and queues.

    My question is this, if I edit loader.conf.local after looking at some of the options some options have "Quotes" around them, and others don't.

    If I directly edit loader.conf.local when I specify variables in there, must they use " for the value? Or will just the value suffice?

    hw.igb.num_queues="4" or hw.igb.num_queues=4 ?

    Thanks



  • I always use the quotes. I have not tried it without.



  • Thanks for the insight, I managed to finally get close to 1Gbps on the lan interface.

    I had to uncheck Disable hardware large receive offload, and Disable hardware TCP segmentation offload

    Under System > Advanced > Networking

    Based on what I've read so far I know this unit won't route more than 500 Mbps or so but I wanted to at least understand why, the nic was so hobbled right off the bat.



  • I am looking for some opinions on downsizing my current pfSense system with an APU2C4.

    Currently I have:
    Supermicro A1SRI-2558
    8GB Ram
    120GB SSD
    Akasa Fanless Enclosure

    There are 6 people in my house and 30 or so devices.  I am the only person that ever uses OpenVPN and it is usually from a mobile device on LTE so OpenVPN performance is probably not a huge deal.  I run Squid and Squidguard to proxy the internet for my kids.  Our internet connection is FiOS 150/150 Mbps.

    It seems like I could build an apu2c4 and sell my current hardware.  I would probably have money left over and a smaller, slightly cooler running device for pfSense.

    Do you guys see any potential performance issues or reasons why this is a bad idea?



  • Does anyone know of a way to enable TRIM support on the SSD without having to boot of a recovery device?  Is there some sort of tunable where it can be enabled on the next reboot?



  • @acascianelli:

    Does anyone know of a way to enable TRIM support on the SSD without having to boot of a recovery device?

    https://forum.pfsense.org/index.php?topic=66622.0
    https://forum.pfsense.org/index.php?topic=113803.msg633795#msg633795



  • I switched from A1SRI-2758/8GB to apu2c4 as I need the 2758 for another server.

    Running iperf3 between two pcs connected by the apu (pfsense 2.3.2) I get
    600Mbit/s in one direction
    615Mbit/s in the other one.
    CPU runs at 25% load, e.g. one core is maxed out.

    I probably see different speeds because I already imported my old firewall rules and have three rules on one nic and around 20 on the other one.

    I observed the same speed & load when I installed debian and configured a few iptable rules.

    Adding more clients (iperf -P 8 ) gives me:
    940Mbit/s direction a
    690Mbit/s direction b
    880MBit/s duplex

    Enabling (disabling unchecked) segmentation offload gives me
    940Mbit/s direction a
    695Mbit/s direction b
    940Mbit/s duplex
    CPU runs at 85%

    Speedtest (init7) shows me 930down/940up. Initially I got 720/920 & 670/920 but that was because of my slow laptop (sigh). Restarting firefox gave me consistent speeds around 940.

    So I can route a single TCP connection at 600Mbit/s per core. One could probably achieve higher speeds by tuning ISR related configs but as I can saturate my gigabit line with multiple connections I won't change settings.

    I set igb_numqueue to 4 and mbuf to 1mio. Unknown if it had an effect.
    Somebody suggested to set a rx/tx level (or queue? dont remeber) to 8k. That did not have an effect.
    powerD disabled/enabled (hiadaptive) did not make a difference



  • @AndrewZ:

    @acascianelli:

    Does anyone know of a way to enable TRIM support on the SSD without having to boot of a recovery device?

    https://forum.pfsense.org/index.php?topic=66622.0
    https://forum.pfsense.org/index.php?topic=113803.msg633795#msg633795

    Is there no way to set it so that it's enabled on the next reboot without going into single user mode?



  • Is there no way to set it so that it's enabled on the next reboot without going into single user mode?

    Actually is there no way or workaround, as I am informed right.



  • @j4k3:

    Thanks for the insight, I managed to finally get close to 1Gbps on the lan interface.

    I had to uncheck Disable hardware large receive offload, and Disable hardware TCP segmentation offload

    Under System > Advanced > Networking

    Based on what I've read so far I know this unit won't route more than 500 Mbps or so but I wanted to at least understand why, the nic was so hobbled right off the bat.

    Does that mean these two should be unchecked to get the full potential of the NIC's of the APU2C4? Any disadvantages of keeping them unchecked (enabled)?



  • @kevindd992002:

    … Any disadvantages of keeping them unchecked (enabled)?

    Possibly, like no or a snappy WAN-PPPoE connection.



  • @acascianelli:

    …Is there no way to set it so that it's enabled on the next reboot without going into single user mode?

    https://forum.pfsense.org/index.php?topic=121515.msg673176#msg673176 / pfSense 2.4



  • @hda:

    @kevindd992002:

    … Any disadvantages of keeping them unchecked (enabled)?

    Possibly, like no or a snappy WAN-PPPoE connection.

    But why is the NIC performance hampered with these settings disabled anyway?

    @hda:

    @acascianelli:

    …Is there no way to set it so that it's enabled on the next reboot without going into single user mode?

    https://forum.pfsense.org/index.php?topic=121515.msg673176#msg673176 / pfSense 2.4

    So if I understand this correctly, a fresh install of 2.4 will already enabled TRIM automatically with no user intervention? And same goes with older versions of pfsense that upgrade 2.4, TRIM will be enabled?


  • Banned

    @kevindd992002:

    But why is the NIC performance hampered with these settings disabled anyway?

    You clearly are confused. When you check them, you DISable the HW offloading features.



  • I don't think I am. Clearly, unchecking the boxes = ENABLES these features. checking the boxes=DISABLES these features. It's very easy to distinguish between the two.

    j4k3 said in his post: "I had to uncheck Disable hardware large receive offload, and Disable hardware TCP segmentation offload". Which means that enabling (very different from "checking") them improves performance.

    So then I asked: "But why is the NIC performance hampered with these settings disabled anyway?". Or in other words: "why is the NIC performance hampered with the boxes CHECKED anyway?"

    Does that make sense? Again, disable=checked and enabled=unchecked. Please check the terminologies that I used in my posts.



  • Does that mean these two should be unchecked to get the full potential of the NIC's of the APU2C4?

    Here under this link you will be able to read what is really needed for getting 1 GBit/s at the
    WAN interface, there is told something likes, Server grade hardware and ~2,0GHz CPU speed.
    And as I see it right the APU1D4 and APU2C4 are only sorted with something around ~1,1GHz
    or 1,2GHz CPU power, that's it in short. Please read under under CPU selection

    Any disadvantages of keeping them unchecked (enabled)?

    Tunings and pimps can be done on each machine for sure to high up the
    throughput but in that case, you should be followed to that guidance
    from above at first.



  • @cwagz:

    I am looking for some opinions on downsizing my current pfSense system with an APU2C4.

    Currently I have:
    Supermicro A1SRI-2558
    8GB Ram
    120GB SSD
    Akasa Fanless Enclosure

    There are 6 people in my house and 30 or so devices.  I am the only person that ever uses OpenVPN and it is usually from a mobile device on LTE so OpenVPN performance is probably not a huge deal.  I run Squid and Squidguard to proxy the internet for my kids.  Our internet connection is FiOS 150/150 Mbps.

    It seems like I could build an apu2c4 and sell my current hardware.  I would probably have money left over and a smaller, slightly cooler running device for pfSense.

    Do you guys see any potential performance issues or reasons why this is a bad idea?

    I went ahead and built the apu2c4 and am very happy with the outcome.  The performance seems to be the same for our usage.  Also, the overall footprint and heat output into my small network cabinet is improved.



  • Hey,

    I recently took delivery of an APU2C4. It is certainly a decent performer for the size of it!

    I am wondering, has anyone got the AES-NI to work with the OpenVPN? The reason I ask is that I don't appear to see any acceleration happening with AES-128-CBC / AES-256-CBC. The rough maximum I have achieved is 30Mbps.

    I have tried enabling the AES-NI within Advanced Options, and then enabling the cryptodev within OpenVPN. As well as disabling AES-NI and leaving Cryptodev enabled vice-versa.

    However, I see no changes whatsoever.

    I am on the latest PFSense 2.3.x release

    Kindest Regards
    HC



  • I am wondering, has anyone got the AES-NI to work with the OpenVPN? The reason I ask is that I don't appear to see any acceleration happening with AES-128-CBC / AES-256-CBC. The rough maximum I have achieved is 30Mbps.

    From what total line speed you archived the 30Mbps? And how strong was the other VPN Peer end?

    I have tried enabling the AES-NI within Advanced Options, and then enabling the cryptodev within OpenVPN. As well as disabling AES-NI and leaving Cryptodev enabled vice-versa.

    At the moment only IPsec is really benefitting from the AES-NI, so you might be having
    perhaps more luck if the OpenVPN version 2.4 is out there.



  • From what total line speed you archived the 30Mbps? And how strong was the other VPN pear end?

    Connecting from a 317Mbps line, the other end is serviced by a 10Gbit (SFP) line @ Rackspace

    At the moment only IPsec is really benefitting from the AES-NI, so you might be having
    perhaps more luck if the OpenVPN version 2.4 is out there.

    I'll hold out, I'm not too fussed - I didn't expect a lot. But I expected a tad better as my old equipment was a dual core 800Mhz MiPS. I had tried the "fix" here:

    http://1101entrails.blogspot.co.uk/2016/05/getting-aes-ni-to-work-using-pfsense-on.html