Re: [pfSense] Hardware requirements for gigabit wirespead

Hi there, 2013/11/7 Thinker Rix > Hi Michael, > > > On 2013-11-06 11:37, Michael Schuh wrote: > >> i have serval different Systems running, >> including an old 3GHz Intel Pentium D-CPU with 2GBytes ECC Memory: >> 4 Nic, throughput max (so far): 115 MBytes/s at 20k irqs (no polling >> enabled, n

Re: [pfSense] Traffic Graph: Not reflecting reality?

So I realized that I am capturing the traffic via SNMP so I looked -- it shows the same ~200% use on my DMZ vs the WAN it's using. I was a bit surprised by this because the pfSense RRD graphs do not appear to have the same discrepancy - they show nearly mirror images for the 2 interfaces. Mike McL

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

On 11/7/2013 10:30 AM, Vick Khera wrote: > On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle > wrote: > > The sheet could really use some more data, so anyone who has an AES-NI > capable system, feel free to run through the tests and help fill out the > sheet. :-) >

Re: [pfSense] Motherboard compatibility

On 2013-11-07 17:38, Vick Khera wrote: On Thu, Nov 7, 2013 at 10:05 AM, Thinker Rix > wrote: So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3) on a motherboard with a brand new chipset (Intel C222) and CPU (e.g. Core i3 / Haswell

Re: [pfSense] Motherboard compatibility

On Thu, Nov 7, 2013 at 10:05 AM, Thinker Rix wrote: > So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3) on a > motherboard with a brand new chipset (Intel C222) and CPU (e.g. Core i3 / > Haswell) it should work, eventhough FreeBSD 8.3 is older than those > technologies and migh

Re: [pfSense] Motherboard compatibility

> So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3) >on a motherboard with a brand new chipset (Intel C222) and CPU >(e.g. Core i3 / Haswell) it should work, eventhough FreeBSD 8.3 is >older than those technologies and might not fully support the chipset >yet (e.g. due t

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle wrote: > The sheet could really use some more data, so anyone who has an AES-NI > capable system, feel free to run through the tests and help fill out the > sheet. :-) > /usr/bin/openssl speed -evp aes-128-cbc -elapsed The 'numbers' are in 1000s of byt

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

On 11/7/2013 9:58 AM, Vick Khera wrote: > > On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle > wrote: > > Also see the "How To Test" tab and other data here: > > https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdE15eHB4dndHTXZYcU1mQm9Dc3V2elE&usp=sharing > >

Re: [pfSense] Motherboard compatibility

Hi Vick, On 2013-11-07 15:40, Vick Khera wrote: On Wed, Nov 6, 2013 at 9:24 AM, Paul Mather > wrote: > If those figures that the hardware producer provided are correct, it would mean that I could run pfSense 2.1 only on the C204 board, since pfSense

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle wrote: > Also see the "How To Test" tab and other data here: > > https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdE15eHB4dndHTXZYcU1mQm9Dc3V2elE&usp=sharing > > The sheet could really use some more data, so anyone who has an AES-NI > capable sys

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

On 11/7/2013 8:51 AM, Vick Khera wrote: > On Wed, Nov 6, 2013 at 8:29 AM, Jim Thompson > wrote: > > There are reports that FreeBSD doesn't support AES-NI very well. > > > I'm thinking it is either zero gain, or negative gain. On pfSense > 2.1-RELEASE (aka FreeBSD 8

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

On Thu, Nov 7, 2013 at 9:44 AM, Vick Khera wrote: > CLEARLY it is killer fast for larger blocks. I just pondered this for a few minutes... I think openssl's summary numbers are misleading. They give you the time per CPU seconds used. So while the CPU is not doing the computations, the number of

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

On Thu, Nov 7, 2013 at 8:51 AM, Vick Khera wrote: > I'm thinking it is either zero gain, or negative gain. On pfSense > 2.1-RELEASE (aka FreeBSD 8.3 with OpenSSL 1.0.1e) we see: > Hm. So reading more, I learn that AES-NI will only be used with -evp on openssl, and openvpn uses evp by default. S

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

On Thursday, November 07, 2013 04:44:54 PM Vick Khera wrote: > I think I will see about configuring my openvpn tunnels > to use larger MSS and not fragment internally... Forwarding engines always prefer larger MSS's and MTU's. Increases throughput. Mark. signature.asc Description: This is a d

Re: [pfSense] Hardware requirements for gigabit wirespead

Hi Michael, On 2013-11-06 11:37, Michael Schuh wrote: i have serval different Systems running, including an old 3GHz Intel Pentium D-CPU with 2GBytes ECC Memory: 4 Nic, throughput max (so far): 115 MBytes/s at 20k irqs (no polling enabled, no special tweaking) 1 Nic is Broadcom, 1 Nic is Inte

Re: [pfSense] Hardware requirements for gigabit wirespead

Hi Chris, On 2013-11-06 12:31, Chris Bagnall wrote: On 6/11/13 7:11 am, Thinker Rix wrote: Unfortunately the motherboards I plan to buy supports only the above-mentioned CPUs. - Pentium - 4th generation core i3 - Xeon E3-1200 v3 If your board supports a Core i3, it is *very* unlikely that it

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

On Wed, Nov 6, 2013 at 11:04 AM, Thinker Rix wrote: > What do you think is the reason for your VPN traffic maxing out at 20Mpbs > (I assume that your connection is not the traffic bottle neck, right?), > although your CPUs are almost idle? > I'm fairly sure it is the office Comcast connection. Ev

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

On Wed, Nov 6, 2013 at 8:29 AM, Jim Thompson wrote: > There are reports that FreeBSD doesn't support AES-NI very well. > I'm thinking it is either zero gain, or negative gain. On pfSense 2.1-RELEASE (aka FreeBSD 8.3 with OpenSSL 1.0.1e) we see: % /usr/local/bin/openssl speed aes-256-cbc Doing

Re: [pfSense] Hardware requirements for gigabit wirespead

On 7/11/13 1:42 pm, Vick Khera wrote: Broadcom chips work pretty well with FreeBSD. I have four HP 1U servers in the G5 generation which I find to be extremely fast and reliable. +1 (well, G6s in my case). Not had a problem with Intel or Broadcom under either Linux or FreeBSD. I generally tr

Re: [pfSense] Hardware requirements for gigabit wirespead

On Wed, Nov 6, 2013 at 11:27 AM, Eugen Leitl wrote: > > Broadcom Corporation NetXtreme BCM5723 Gigabit Ethernet PCIe (rev 10) > > Are these borderline reliable with FreeBSD/pfSense? I've had a > Broadcom chips work pretty well with FreeBSD. Intel chips are still first choice, as Intel themselves

Re: [pfSense] Motherboard compatibility

On Wed, Nov 6, 2013 at 9:24 AM, Paul Mather wrote: > > If those figures that the hardware producer provided are correct, it > would mean that I could run pfSense 2.1 only on the C204 board, since > pfSense 2.1 is based on FreeBSD 8.3, and the C222 board is only compatible > from FreeBSD 9.1 and u

Re: [pfSense] 6rd Routing Issue

Am 05.11.2013 21:17, schrieb İhsan Doğan: My ISP has deployed IPv6 via 6rd, which worked fine in the beginning. I have now the issue, that the default route is set on the LAN interface and I'm not able to ping anything. The routing table: default 2a02:1203:ecb7:c20::c105:1d01 UGS em0 ::1 ::1 U

Re: [pfSense] Traffic Graph: Not reflecting reality?

We recently relocated and are waiting to get our primary connection installed, so in the mean time we're on a 3Mb/0.75Mb DSL line. However, pfSense often shows 6Mb/s coming out of the LAN during a download. Same problem here. I am not seeing incorrect traffic graphs in 2.1, and I am using VLANs