Standard User kwillers
(newbie) Thu 10-Aug-17 18:41:23

Re: Pfsense -> managed switch - hardware that can cope with


[re: choppersrock] [link to this post]
 
In reply to a post by choppersrock:
One of my friends replied with this. He is a member here too but can't answer himself right now but I am sure he will when it's possible.

Tell them I'm using pfSense ap2u on a FTTP 100/100 connection with VLANs and VPN had no problems at all.

I will ask him to respond when he can.


I am that friend :)

I'm using pfSense running on a PC Engines AP2U system at my house in France. It's Orange Fibre to the Premises (FTTP) on a 100/100 connection. I use various media players and VPN in to the box often. Never had any issues.
The AP2U copes with all I have thrown at it and I get full 100/100 speeds connecting via a Google wifi AP connected to the LAN port of the pfSense box.

Orange needs the DHCP6c (yes, I run IPv6) and DHCP requests for IP address to be issued over a VLAN with a priority of 6. That requires a patched version of the firmware, but if you need that capability I can share the patch.

Shout if you need more info.

In short, you won't go wrong with pfSense and an AP2U.

Plus both choppersrock and I have another friend who is a rather excellent pfSense coder and has tweaked pfSense a few times to make it work with ISP-specific authentication requirements !!!
Standard User ianfuture
(learned) Thu 10-Aug-17 21:11:54

Re: Pfsense -> managed switch - hardware that can cope with


[re: kwillers] [link to this post]
 
Thanks for the extra info.

Just to clarify, do you use an outbound VPN, i.e. one that encrypts and masks what your ISP would see, and get 100/100 without any bottleneck? That's great if you do :)
Standard User kwillers
(learned) Fri 11-Aug-17 07:22:09

Re: Pfsense -> managed switch - hardware that can cope with


[re: ianfuture] [link to this post]
 
No, I don't use an outbound VPN.

I just run a VPN server on pfSense to allow me to access the network remotely.

I'm back in France in a couple of weeks so will test it and see. I'm sure it will still give 100/100 provided the VPN server service is not swamped.

Any particular VPN service you'd like me to test?


Standard User prlzx
(experienced) Fri 11-Aug-17 22:36:43

Re: Pfsense -> managed switch - hardware that can cope with


[re: ianfuture] [link to this post]
 
OpenVPN is great and no criticism of its open-ness, but its main advantage is having the option of being able to work using port 443/tcp (like HTTPS) even when the client end is behind a restrictive firewall.

This does not apply in your case where your router is the firewall, and OpenVPN will perform better using its native UDP transport.

Also performance will be slow until and unless the OpenVPN code actually gets to benefit from crypto acceleration.

But the notion that it is "more open" than IPsec? No, IPsec is an open standard, you don't require a licence / patents or have to pay anyone to use it. Indeed, it's part of the IPv6 spec, having been added to IPv4 only because it came after IPv4 was already established.

And most open-source implementations are using some version of StrongSwan which you can read for yourself.

On any given hardware, it will be as fast or the fastest because hardware offload / crypto offload has had longer to be developed for it. Have a look at the pfSense blogs on the topic to see where they are going.

That said, to be clear, it's not the NICs that do the encryption, e.g. AES, even when using the Intel ones - rather they are recommended because the NIC drivers are better quality, and more packet processing (e.g. headers) can be done by dedicated hardware in the NIC than by a software routine in the driver.

Encryption is still done by the CPU; what matters is whether the firewall software can use dedicated CPU instructions to improve the performance of that, which can mean checking that the CPU and motherboard support it and also that such features are not turned off by BIOS / UEFI.



prlzx on iDNET: VDSL / 21CN at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Standard User summat
(member) Sat 12-Aug-17 14:54:35

Re: Pfsense -> managed switch - hardware that can cope with


[re: ianfuture] [link to this post]
 
The CPU on the board (Gigabyte GA-J3455N-D3H) is a current gen 'Apollo Lake' Celeron J3455 (quad core 1.5GHz, turbo to 2.3, 10W TDP, passively cooled, released late last year), has AES-NI instructions (for help accelerating VPNs and is also a requirement for pfSense from version 2.5 onwards), and two Realtek 8168 gigabit NICs.

Right now mine's sitting at 0.03-0.05 load average on a mostly idle 80/20 connection (pfSense is handling PPPoE via an HG612 Openreach modem). I have 4GB of RAM but it's currently only utilising around 5% of that. I have a site-to-site OpenVPN tunnel running and I can easily get 50Mbit over it without trouble - and I've not yet reconfigured that to use ciphers that take advantage of the AES-NI instructions either.

Under heavy traffic loads it'll occasionally hit around 0.4 load - it's really not an issue for it. A friend had the previous version of this board with the same NICs I have on his 330/30 FTTP connection and it did fine.

Regarding the NICs being Realtek and not Intel - I honestly don't think you will notice any issues with them. You CAN get boards with two Intel NICs but they are pretty uncommon and certainly significantly more expensive. I looked for them when I was shopping and the extra expense wasn't worth it for me personally. The Realteks support VLANs and I've had zero issues with them. As far as I am aware the encryption is all handled before the network adapters are touched so I don't see how they can help with it. I'd be interested to see where you read that if you could link?

My previous pfSense machine was a first-gen Atom (single core) with two ultra-cheap Realtek 8139 cards (fast ethernet only) and that handled the full 80/20 connection I have without an issue too, along with the same OpenVPN tunnel running on it I have now.

Ubiquiti APs require software to configure them, which also allows for ongoing management and monitoring. Without the software (once configured) the APs will operate with the configs you give them; there is simply nothing in the way of interface on them directly aside from SSH and command line. You can keep the software on your PC and just start it up to make config changes, it doesn't need to be running all the time.

There are also retailers in the UK that supply them with 3-years of cloud-based control as part of the sale.
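
The AES-NI check that prlzx's and summat's posts point to, as an added example that is not part of any post in this thread: it reads CPU feature text and reports whether AES-NI is advertised to the running OS. The function names `has_aesni` and `report` are hypothetical and every sample line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample CPU text below is constructed.

# has_aesni: read CPU feature text on stdin; return 0 if AES-NI is listed.
# Understands FreeBSD/pfSense boot messages ("Features2=0x...<...,AESNI,...>")
# and Linux /proc/cpuinfo ("flags : ... aes ..."). Tokens are compared exactly,
# so a different flag such as "vaes" is not mistaken for "aes".
has_aesni() {
    awk '
        /^[ \t]*Features2=/ {
            s = $0; sub(/^[^<]*</, "", s); sub(/>.*/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        /^flags[ \t]*:/ {
            n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# report: hypothetical helper, prints a one-line verdict for the given text.
report() {
    if printf '%s\n' "$1" | has_aesni; then
        echo "AES-NI: present"
    else
        echo "AES-NI: not advertised (unsupported CPU or disabled in BIOS/UEFI)"
    fi
}

# Constructed samples: FreeBSD-style lines with and without AESNI,
# and Linux-style flag lines with "aes" and with only "vaes".
FREEBSD_AESNI='CPU: Example CPU (constructed sample)
  Features2=0x4ff8ebbf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,RDRAND>'
FREEBSD_NO_AESNI='CPU: Example CPU (constructed sample)
  Features2=0x40e31d<SSE3,DTES64,MON,DS_CPL,EST,TM2,SSSE3,xTPR,PDCM,MOVBE>'
LINUX_AES='flags : fpu vme sse4_1 sse4_2 popcnt aes rdrand'
LINUX_VAES_ONLY='flags : fpu vme sse4_1 sse4_2 popcnt vaes rdrand'

report "$FREEBSD_AESNI"
report "$FREEBSD_NO_AESNI"
report "$LINUX_AES"
report "$LINUX_VAES_ONLY"
```

On a live system, pipe the saved boot messages or `/proc/cpuinfo` into `has_aesni` instead of the samples.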
Standard User ianfuture
(learned) Fri 18-Aug-17 18:52:08

Re: Pfsense -> managed switch - hardware that can cope with


[re: summat] [link to this post]
 
Thanks for all the info. Very helpful in determining which way I go :)