Re: [pfSense] Configs or hardware?

2018-02-19 Thread Eero Volotinen
Maybe. I think that hardware can still do full gigabit nat and firewalling.

--
Eero

On Mon, Feb 19, 2018 at 7:12 PM, Moshe Katz  wrote:

> On Mon, Feb 19, 2018 at 10:42 AM, Paul Mather wrote:
>
> > On Feb 19, 2018, at 10:10 AM, Eero Volotinen wrote:
> >
> > > Well. Does it require so much power, that I cannot run it on intel core2
> > > quad Q9400, 2.66Ghz processor (4 cores) ?
> >
> >
> > What a curious question.  It does not require "so much power" but it does
> > require a minimum hardware spec, which that CPU will lack (no AESNI).
> >
> > I can understand why people would be unhappy that their hardware becomes
> > unsupported by a new release, but I also understand it's common in the
> > computing industry and makes a lot of sense for Netgate to do this (reduced
> > support costs; increased developer focus; etc.).  It's nice, also, they've
> > laid out a roadmap for doing this and telegraphed clearly how they plan to
> > support older hardware and for how long.  It's not like they just decided
> > yesterday over a couple of pints at the pub to throw everyone without
> > AESNI-capable CPUs under the bus right now.
> >
> > I still have a CF NanoBSD-based pfSense installation running on Netgate
> > hardware, and I appreciate they are still supporting 2.3, giving people
> > like me time to migrate off to something else.
> >
> > Cheers,
> >
> > Paul.
>
>
> It's also worth mentioning that the Q9400 is turning 10 years old this
> year.
>
> I am a very enthusiastic proponent of reusing old computer hardware instead
> of throwing it away, but there still comes a point in time at which it's
> time to move on, and ten years is a very long life for commodity computing
> hardware.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>


Re: [pfSense] Configs or hardware?

2018-02-19 Thread Moshe Katz
On Mon, Feb 19, 2018 at 10:42 AM, Paul Mather wrote:

> On Feb 19, 2018, at 10:10 AM, Eero Volotinen wrote:
>
> > Well. Does it require so much power, that I cannot run it on intel core2
> > quad Q9400, 2.66Ghz processor (4 cores) ?
>
>
> What a curious question.  It does not require "so much power" but it does
> require a minimum hardware spec, which that CPU will lack (no AESNI).
>
> I can understand why people would be unhappy that their hardware becomes
> unsupported by a new release, but I also understand it's common in the
> computing industry and makes a lot of sense for Netgate to do this (reduced
> support costs; increased developer focus; etc.).  It's nice, also, they've
> laid out a roadmap for doing this and telegraphed clearly how they plan to
> support older hardware and for how long.  It's not like they just decided
> yesterday over a couple of pints at the pub to throw everyone without
> AESNI-capable CPUs under the bus right now.
>
> I still have a CF NanoBSD-based pfSense installation running on Netgate
> hardware, and I appreciate they are still supporting 2.3, giving people
> like me time to migrate off to something else.
>
> Cheers,
>
> Paul.


It's also worth mentioning that the Q9400 is turning 10 years old this year.

I am a very enthusiastic proponent of reusing old computer hardware instead
of throwing it away, but there still comes a point in time at which it's
time to move on, and ten years is a very long life for commodity computing
hardware.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense] Configs or hardware?

2018-02-19 Thread Paul Mather
On Feb 19, 2018, at 10:10 AM, Eero Volotinen  wrote:

> Well. Does it require so much power, that I cannot run it on intel core2
> quad Q9400, 2.66Ghz processor (4 cores) ?


What a curious question.  It does not require "so much power" but it does 
require a minimum hardware spec, which that CPU will lack (no AESNI).

I can understand why people would be unhappy that their hardware becomes 
unsupported by a new release, but I also understand it's common in the 
computing industry and makes a lot of sense for Netgate to do this (reduced 
support costs; increased developer focus; etc.).  It's nice, also, they've laid 
out a roadmap for doing this and telegraphed clearly how they plan to support 
older hardware and for how long.  It's not like they just decided yesterday 
over a couple of pints at the pub to throw everyone without AESNI-capable CPUs 
under the bus right now.

I still have a CF NanoBSD-based pfSense installation running on Netgate 
hardware, and I appreciate they are still supporting 2.3, giving people like me 
time to migrate off to something else.

Cheers,

Paul.
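
One way to check a box against the AES-NI requirement discussed in this message, as an added example that is not part of the original thread. It reads the CPU feature text the OS already exposes (FreeBSD/pfSense boot messages or Linux /proc/cpuinfo); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an x86 CPU advertises
# AES-NI from text the OS already exposes.
#   FreeBSD/pfSense: /var/run/dmesg.boot -> Features2=0x...<...,AESNI,...>
#   Linux:           /proc/cpuinfo       -> flags : ... aes ...

# has_aesni: reads CPU feature text on stdin, returns 0 if AES-NI is listed.
has_aesni() {
    awk '
        # FreeBSD: feature names sit between < and >, comma separated.
        /Features2=/ {
            s = $0
            sub(/^[^<]*</, "", s)
            sub(/>.*$/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        # Linux: whitespace-separated flags. Compare whole tokens so that
        # "vaes" (a different feature) is not mistaken for "aes".
        /^flags[ \t]*:/ {
            for (i = 1; i <= NF; i++) if ($i == "aes") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# check_file: print a one-line verdict for a file of CPU feature text.
check_file() {
    if has_aesni < "$1"; then
        echo "$1: AES-NI present"
    else
        echo "$1: AES-NI absent"
    fi
}

# --- Constructed sample inputs (hex masks are placeholders, not real) ---

# FreeBSD-style boot text for a CPU without AES-NI.
sample_no_aesni() {
    cat <<'EOF'
CPU: Constructed Sample CPU A (2666.00-MHz K8-class CPU)
  Features=0x0<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
  Features2=0x0<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE>
  AMD Features2=0x0<LAHF>
EOF
}

# FreeBSD-style boot text for a CPU with AES-NI.
sample_with_aesni() {
    cat <<'EOF'
CPU: Constructed Sample CPU B (2400.00-MHz K8-class CPU)
  Features=0x0<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE>
EOF
}

# Linux-style flags line that lists aes.
sample_linux_aes() {
    cat <<'EOF'
model name      : Constructed Sample CPU C
flags           : fpu vme de pse tsc msr sse sse2 ssse3 sse4_1 sse4_2 aes xsave
EOF
}

# Linux-style flags line with only a look-alike token (constructed to
# exercise the whole-token comparison).
sample_linux_lookalike() {
    cat <<'EOF'
model name      : Constructed Sample CPU D
flags           : fpu vme de pse tsc msr sse sse2 ssse3 vaes
EOF
}

# On a real host, report on whichever source is readable.
for src in /var/run/dmesg.boot /proc/cpuinfo; do
    if [ -r "$src" ]; then
        check_file "$src"
    fi
done
```
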



Re: [pfSense] Configs or hardware?

2018-02-19 Thread Eero Volotinen
nning a 2.4.x release of pfSense, and, as above, 2.4 has a plan that
> > includes support until, at least, 2020.
> > >
> > > This is acceptable. It just also just sucks, and I understand it must
> be
> > > faced.
> > >
> > > This is, however, beyond just replacing some networking equipment, as I
> > > have to replace my primary VM host due to CPU replacements supporting
> > > AES-NI not existing. Before knowing that the AES-NI requirement was to
> > > address the timing attack, I felt as if I have to pay for new hardware
> > > due to Netgate not "wanting" non-AES-NI AES implementations being
> > > utilized. Until this, I have not exactly had software support issues
> > > with even this aging hardware.
> >
> > Nor do you now.  It’s only (at least) a year after the release of 2.5
> that
> > we’ll stop supporting 2.4, and then it’s a matter of when a security
> issue
> > or other bug that is important enough to you switch gets addressed in 2.5
> > but not in 2.4 might occur (gosh that’s an awful sentence, Jim).
> >
> > > I understand that a lot of people are effectively threatening to switch
> > > to OpnSense due to this, but I fear that I will *have to* if I can't
> > > replace my hardware by the time support for software AES ends entirely.
> >
> > People should run what suits their purpose best.  Perhaps someone else
> > will fork pfSense and continue the 2.4 train on a different track.
> That’s
> > the beauty of open source software.
> >
> >
> > > See:
> > > https://ark.intel.com/Search/FeatureFilter?productType=
> > processors&SocketsSupported=LGA771&AESTech=true
> > >
> > > I thank you for addressing this with me. I appreciate your conduct with
> > > me despite my comment.
> >
> > Sure thing.  I also appreciate your response here.
> >
> > Thanks,
> >
> > Jim
> >
> > >
> > >> Jim
> > >>
> > >>> On Feb 15, 2018, at 2:11 PM, Kyle Marek  wrote:
> > >>>
> > >>> I think you're missing the point that software support exists;
> pfSense
> > >>> supports software AES *now*, and this is being removed. New
> technology
> > >>> is cool; things not working anymore is not.
> > >>>
> > >>> Anyway, what are other projects such as the TLS libraries doing
> > >>> about this? Is hardware acceleration really the only solution?
> > >>>
> > >>> On 02/15/2018 01:39 PM, Walter Parker wrote:
> > >>>> Well, both Intel and AMD started shipping the AES-NI instructions 8
> > years
> > >>>> ago...
> > >>>>
> > >>>> How long does a project need to wait before it can require a feature
> > found
> > >>>> on all major x64 processors? Waiting 8-9 years seems reasonable to
> me.
> > >>>>
> > >>>> Given the fact that the project is only supporting 64-bit and
> suggests
> > >>>> using a modern processor this requirement should be a non issue for
> > most
> > >>>> users.
> > >>>>
> > >>>> The only place where the AES-NI instructions are not found is in a
> > small
> > >>>> number of embedded/dev boards using older Celeron processors.
> > >>>>
> > >>>>
> > >>>> Walter
> > >>>>
> > >>>> On Thu, Feb 15, 2018 at 9:37 AM, Kyle Marek 
> > wrote:
> > >>>>
> > >>>>> This is silly. I shouldn't have to replace my hardware to support a
> > >>>>> feature I will not use...
> > >>>>>
> > >>>>> I shame Netgate for such an artificial limitation...
> > >>>>>
> > >>>>> Thank you for the information.
> > >>>>>
> > >>>>> On 02/15/2018 12:20 PM, Eero Volotinen wrote:
> > >>>>>> Well:
> > >>>>>>
> > >>>>>> https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we
> are
> > >>>>> talking
> > >>>>>> about 2.5 not 3.x ?
> > >>>>>>
> > >>>>>> "While we’re not revealing the extent of our plans, we do want to
> > give
> > >>>>>> early notice that, in order to support the increased cryptographic
> > loads
> > >>>>>> that we see as part of pfSense version 2.5, pfSense Community
> > Edition
> > >>>>>> version 2.5 will include a requirement that the CPU supports
> > AES-NI. On
> > >>>>>> ARM-based systems, the additional load from AES operations will be
> > >>>>>> offloaded to on-die cryptographic accelerators, such as the one
> > found on
> > >>>>>> our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM
> > v8 CPUs
> > >>>>>> include instructions like AES-NI
> > >>>>>> <https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that
> > can be
> > >>>>>> used to increase performance of the AES algorithm on these
> > platforms."
> > >>>>>>
> > >>>>>>
> > >>>>>> Eero
> > >>>>>>
> > >>>>>> On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers 
> > wrote:
> > >>>>>>
> > >>>>>>> I believe I read somewhere that the new version that requires
> > aes-ni
> > >>>>> will
> > >>>>>>> be 3.x, and they plan to continue the 2.x line alongside it, as
> 3.x
> > >>>>> will be
> > >>>>>>> a major rewrite
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> -Ed
> > >>>>>>>
> > >>>>>>> -Original Message-
> > >>>>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
> > Eero
> > >>>>>>> Volotinen
> > >>>>>>> Sent: Thursday, February 15, 2018 12:14 PM
> > >>>>>>> To: Kyle Marek 
> > >>>>>>> Cc: pfSense Support and Discussion Mailing List <
> > list@lists.pfsense.org
> > >>>>>>> Subject: Re: [pfSense] Configs or hardware?
> > >>>>>>>
> > >>>>>>> Well. Next version of pfsense (2.5) will not install into
> hardware
> > that
> > >>>>>>> does not support AES-NI, so buying such hardware is not wise ?
> > >>>>>>>
> > >>>>>>> Eero
> > >>>>>>>
> > >>>>>>>
> >
> >
>
> Well Said.
>
> Thank you for sharing the numbers.
>
>
> Walter
>
>
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D.
> Brandeis

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Walter Parker
https://ark.intel.com/Search/FeatureFilter?productType=
> processors&SocketsSupported=LGA771&AESTech=true
> >
> > I thank you for addressing this with me. I appreciate your conduct with
> > me despite my comment.
>
> Sure thing.  I also appreciate your response here.
>
> Thanks,
>
> Jim
>
> >
> >> Jim
> >>
> >>> On Feb 15, 2018, at 2:11 PM, Kyle Marek  wrote:
> >>>
> >>> I think you're missing the point that software support exists; pfSense
> >>> supports software AES *now*, and this is being removed. New technology
> >>> is cool; things not working anymore is not.
> >>>
> >>> Anyway, what are other projects such as the TLS libraries doing
> >>> about this? Is hardware acceleration really the only solution?
> >>>
> >>> On 02/15/2018 01:39 PM, Walter Parker wrote:
> >>>> Well, both Intel and AMD started shipping the AES-NI instructions 8
> years
> >>>> ago...
> >>>>
> >>>> How long does a project need to wait before it can require a feature
> found
> >>>> on all major x64 processors? Waiting 8-9 years seems reasonable to me.
> >>>>
> >>>> Given the fact that the project is only supporting 64-bit and suggests
> >>>> using a modern processor this requirement should be a non issue for
> most
> >>>> users.
> >>>>
> >>>> The only place where the AES-NI instructions are not found is in a
> small
> >>>> number of embedded/dev boards using older Celeron processors.
> >>>>
> >>>>
> >>>> Walter
> >>>>
> >>>> On Thu, Feb 15, 2018 at 9:37 AM, Kyle Marek 
> wrote:
> >>>>
> >>>>> This is silly. I shouldn't have to replace my hardware to support a
> >>>>> feature I will not use...
> >>>>>
> >>>>> I shame Netgate for such an artificial limitation...
> >>>>>
> >>>>> Thank you for the information.
> >>>>>
> >>>>> On 02/15/2018 12:20 PM, Eero Volotinen wrote:
> >>>>>> Well:
> >>>>>>
> >>>>>> https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
> >>>>> talking
> >>>>>> about 2.5 not 3.x ?
> >>>>>>
> >>>>>> "While we’re not revealing the extent of our plans, we do want to
> give
> >>>>>> early notice that, in order to support the increased cryptographic
> loads
> >>>>>> that we see as part of pfSense version 2.5, pfSense Community
> Edition
> >>>>>> version 2.5 will include a requirement that the CPU supports
> AES-NI. On
> >>>>>> ARM-based systems, the additional load from AES operations will be
> >>>>>> offloaded to on-die cryptographic accelerators, such as the one
> found on
> >>>>>> our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM
> v8 CPUs
> >>>>>> include instructions like AES-NI
> >>>>>> <https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that
> can be
> >>>>>> used to increase performance of the AES algorithm on these
> platforms."
> >>>>>>
> >>>>>>
> >>>>>> Eero
> >>>>>>
> >>>>>> On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers 
> wrote:
> >>>>>>
> >>>>>>> I believe I read somewhere that the new version that requires
> aes-ni
> >>>>> will
> >>>>>>> be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
> >>>>> will be
> >>>>>>> a major rewrite
> >>>>>>>
> >>>>>>>
> >>>>>>> -Ed
> >>>>>>>
> >>>>>>> -Original Message-
> >>>>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
> Eero
> >>>>>>> Volotinen
> >>>>>>> Sent: Thursday, February 15, 2018 12:14 PM
> >>>>>>> To: Kyle Marek 
> >>>>>>> Cc: pfSense Support and Discussion Mailing List <
> list@lists.pfsense.org
> >>>>>>> Subject: Re: [pfSense] Configs or hardware?
> >>>>>>>
> >>>>>>> Well. Next version of pfsense (2.5) will not install into hardware
> that
> >>>>>>> does not support AES-NI, so buying such hardware is not wise ?
> >>>>>>>
> >>>>>>> Eero
> >>>>>>>
> >>>>>>>
>
>

Well Said.

Thank you for sharing the numbers.


Walter



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Walter Parker
 in order to support the increased cryptographic
> loads
> >>>>> that we see as part of pfSense version 2.5, pfSense Community Edition
> >>>>> version 2.5 will include a requirement that the CPU supports AES-NI.
> On
> >>>>> ARM-based systems, the additional load from AES operations will be
> >>>>> offloaded to on-die cryptographic accelerators, such as the one
> found on
> >>>>> our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8
> CPUs
> >>>>> include instructions like AES-NI
> >>>>> <https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that
> can be
> >>>>> used to increase performance of the AES algorithm on these
> platforms."
> >>>>>
> >>>>>
> >>>>> Eero
> >>>>>
> >>>>> On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers 
> wrote:
> >>>>>
> >>>>>> I believe I read somewhere that the new version that requires aes-ni
> >>>> will
> >>>>>> be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
> >>>> will be
> >>>>>> a major rewrite
> >>>>>>
> >>>>>>
> >>>>>> -Ed
> >>>>>>
> >>>>>> -Original Message-
> >>>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
> Eero
> >>>>>> Volotinen
> >>>>>> Sent: Thursday, February 15, 2018 12:14 PM
> >>>>>> To: Kyle Marek 
> >>>>>> Cc: pfSense Support and Discussion Mailing List <
> list@lists.pfsense.org
> >>>>>> Subject: Re: [pfSense] Configs or hardware?
> >>>>>>
> >>>>>> Well. Next version of pfsense (2.5) will not install into hardware
> that
> >>>>>> does not support AES-NI, so buying such hardware is not wise ?
> >>>>>>
> >>>>>> Eero
> >>>>>>
> >>>>>>
>
>


-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Kyle Marek
>>> early notice that, in order to support the increased cryptographic loads
>>>>> that we see as part of pfSense version 2.5, pfSense Community Edition
>>>>> version 2.5 will include a requirement that the CPU supports AES-NI. On
>>>>> ARM-based systems, the additional load from AES operations will be
>>>>> offloaded to on-die cryptographic accelerators, such as the one found on
>>>>> our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
>>>>> include instructions like AES-NI
>>>>> <https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
>>>>> used to increase performance of the AES algorithm on these platforms."
>>>>>
>>>>>
>>>>> Eero
>>>>>
>>>>> On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers  wrote:
>>>>>
>>>>>> I believe I read somewhere that the new version that requires aes-ni
>>>> will
>>>>>> be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
>>>> will be
>>>>>> a major rewrite
>>>>>>
>>>>>>
>>>>>> -Ed
>>>>>>
>>>>>> -Original Message-
>>>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>>>>>> Volotinen
>>>>>> Sent: Thursday, February 15, 2018 12:14 PM
>>>>>> To: Kyle Marek 
>>>>>> Cc: pfSense Support and Discussion Mailing List
>>>>>> Subject: Re: [pfSense] Configs or hardware?
>>>>>>
>>>>>> Well. Next version of pfsense (2.5) will not install into hardware that
>>>>>> does not support AES-NI, so buying such hardware is not wise ?
>>>>>>
>>>>>> Eero
>>>>>>
>>>>>>

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Kyle Marek
Sent: Thursday, February 15, 2018 10:38 AM
To: pfSense Support and Discussion Mailing List ; Eero
Volotinen 
Subject: Re: [pfSense] Configs or hardware?

> This is silly. I shouldn't have to replace my hardware to support a
> feature I will not use...
> 
> I shame Netgate for such an artificial limitation...

Who pays the Netgate developers and employee wages? The commercial side, there
is nothing unreasonable about this or hard to comprehend. The fact we get the
fruits of the labor for free is remarkable.

So the question is, should Netgate pay their developers to maintain features
that commercial users would never desire, what would their ROI on that be? They
may be able to justify some, but obviously not this one.

I personally don't feel home owner grade hardware is worth their efforts and I
certainly don't fault them. However, that is only my opinion for what it's worth...

jlc


Re: [pfSense] Configs or hardware?

2018-02-15 Thread Kyle Marek
I think you're missing the point that software support exists; pfSense
supports software AES *now*, and this is being removed. New technology
is cool; things not working anymore is not.

Anyway, what are other projects such as the TLS libraries doing
about this? Is hardware acceleration really the only solution?

On 02/15/2018 01:39 PM, Walter Parker wrote:
> Well, both Intel and AMD started shipping the AES-NI instructions 8 years
> ago...
>
> How long does a project need to wait before it can require a feature found
> on all major x64 processors? Waiting 8-9 years seems reasonable to me.
>
> Given the fact that the project is only supporting 64-bit and suggests
> using a modern processor this requirement should be a non issue for most
> users.
>
> The only place where the AES-NI instructions are not found is in a small
> number of embedded/dev boards using older Celeron processors.
>
>
> Walter
>
> On Thu, Feb 15, 2018 at 9:37 AM, Kyle Marek  wrote:
>
>> This is silly. I shouldn't have to replace my hardware to support a
>> feature I will not use...
>>
>> I shame Netgate for such an artificial limitation...
>>
>> Thank you for the information.
>>
>> On 02/15/2018 12:20 PM, Eero Volotinen wrote:
>>> Well:
>>>
>>> https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
>> talking
>>> about 2.5 not 3.x ?
>>>
>>> "While we’re not revealing the extent of our plans, we do want to give
>>> early notice that, in order to support the increased cryptographic loads
>>> that we see as part of pfSense version 2.5, pfSense Community Edition
>>> version 2.5 will include a requirement that the CPU supports AES-NI. On
>>> ARM-based systems, the additional load from AES operations will be
>>> offloaded to on-die cryptographic accelerators, such as the one found on
>>> our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
>>> include instructions like AES-NI
>>> <https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
>>> used to increase performance of the AES algorithm on these platforms."
>>>
>>>
>>> Eero
>>>
>>> On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers  wrote:
>>>
>>>> I believe I read somewhere that the new version that requires aes-ni
>> will
>>>> be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
>> will be
>>>> a major rewrite
>>>>
>>>>
>>>> -Ed
>>>>
>>>> -Original Message-
>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>>>> Volotinen
>>>> Sent: Thursday, February 15, 2018 12:14 PM
>>>> To: Kyle Marek 
>>>> Cc: pfSense Support and Discussion Mailing List
>>>> Subject: Re: [pfSense] Configs or hardware?
>>>>
>>>> Well. Next version of pfsense (2.5) will not install into hardware that
>>>> does not support AES-NI, so buying such hardware is not wise ?
>>>>
>>>> Eero
>>>>
>>>>

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
something like that. (very cheap) Celeron J1900 firewall devices are not
supporting aes-ni.

Eero

15.2.2018 20.40 "Walter Parker" wrote:

> Well, both Intel and AMD started shipping the AES-NI instructions 8 years
> ago...
>
> How long does a project need to wait before it can require a feature found
> on all major x64 processors? Waiting 8-9 years seems reasonable to me.
>
> Given the fact that the project is only supporting 64-bit and suggests
> using a modern processor this requirement should be a non issue for most
> users.
>
> The only place where the AES-NI instructions are not found is in a small
> number of embedded/dev boards using older Celeron processors.
>
>
> Walter
>
> On Thu, Feb 15, 2018 at 9:37 AM, Kyle Marek  wrote:
>
> > This is silly. I shouldn't have to replace my hardware to support a
> > feature I will not use...
> >
> > I shame Netgate for such an artificial limitation...
> >
> > Thank you for the information.
> >
> > On 02/15/2018 12:20 PM, Eero Volotinen wrote:
> > > Well:
> > >
> > > https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
> > talking
> > > about 2.5 not 3.x ?
> > >
> > > "While we’re not revealing the extent of our plans, we do want to give
> > > early notice that, in order to support the increased cryptographic
> loads
> > > that we see as part of pfSense version 2.5, pfSense Community Edition
> > > version 2.5 will include a requirement that the CPU supports AES-NI. On
> > > ARM-based systems, the additional load from AES operations will be
> > > offloaded to on-die cryptographic accelerators, such as the one found
> on
> > > our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8
> CPUs
> > > include instructions like AES-NI
> > > <https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can
> be
> > > used to increase performance of the AES algorithm on these platforms."
> > >
> > >
> > > Eero
> > >
> > > On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers 
> wrote:
> > >
> > >> I believe I read somewhere that the new version that requires aes-ni
> > will
> > >> be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
> > will be
> > >> a major rewrite
> > >>
> > >>
> > >> -Ed
> > >>
> > >> -Original Message-
> > >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> > >> Volotinen
> > >> Sent: Thursday, February 15, 2018 12:14 PM
> > >> To: Kyle Marek 
> > >> Cc: pfSense Support and Discussion Mailing List <
> list@lists.pfsense.org
> > >
> > >> Subject: Re: [pfSense] Configs or hardware?
> > >>
> > >> Well. Next version of pfsense (2.5) will not install into hardware
> that
> > >> does not support AES-NI, so buying such hardware is not wise ?
> > >>
> > >> Eero
> > >>
> > >>
> >
>
>
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D.
> Brandeis

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Walter Parker
Well, both Intel and AMD started shipping the AES-NI instructions 8 years
ago...

How long does a project need to wait before it can require a feature found
on all major x64 processors? Waiting 8-9 years seems reasonable to me.

Given the fact that the project is only supporting 64-bit and suggests
using a modern processor this requirement should be a non issue for most
users.

The only place where the AES-NI instructions are not found is in a small
number of embedded/dev boards using older Celeron processors.


Walter

On Thu, Feb 15, 2018 at 9:37 AM, Kyle Marek  wrote:

> This is silly. I shouldn't have to replace my hardware to support a
> feature I will not use...
>
> I shame Netgate for such an artificial limitation...
>
> Thank you for the information.
>
> On 02/15/2018 12:20 PM, Eero Volotinen wrote:
> > Well:
> >
> > https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
> talking
> > about 2.5 not 3.x ?
> >
> > "While we’re not revealing the extent of our plans, we do want to give
> > early notice that, in order to support the increased cryptographic loads
> > that we see as part of pfSense version 2.5, pfSense Community Edition
> > version 2.5 will include a requirement that the CPU supports AES-NI. On
> > ARM-based systems, the additional load from AES operations will be
> > offloaded to on-die cryptographic accelerators, such as the one found on
> > our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
> > include instructions like AES-NI
> > <https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
> > used to increase performance of the AES algorithm on these platforms."
> >
> >
> > Eero
> >
> > On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers  wrote:
> >
> >> I believe I read somewhere that the new version that requires aes-ni
> will
> >> be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
> will be
> >> a major rewrite
> >>
> >>
> >> -Ed
> >>
> >> -----Original Message-
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> >> Volotinen
> >> Sent: Thursday, February 15, 2018 12:14 PM
> >> To: Kyle Marek 
> >> Cc: pfSense Support and Discussion Mailing List  >
> >> Subject: Re: [pfSense] Configs or hardware?
> >>
> >> Well. Next version of pfsense (2.5) will not install into hardware that
> >> does not support AES-NI, so buying such hardware is not wise ?
> >>
> >> Eero
> >>
> >>
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Kyle Marek
This is silly. I shouldn't have to replace my hardware to support a
feature I will not use...

I shame Netgate for such an artificial limitation...

Thank you for the information.

On 02/15/2018 12:20 PM, Eero Volotinen wrote:
> Well:
>
> https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are talking
> about 2.5 not 3.x ?
>
> "While we’re not revealing the extent of our plans, we do want to give
> early notice that, in order to support the increased cryptographic loads
> that we see as part of pfSense version 2.5, pfSense Community Edition
> version 2.5 will include a requirement that the CPU supports AES-NI. On
> ARM-based systems, the additional load from AES operations will be
> offloaded to on-die cryptographic accelerators, such as the one found on
> our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
> include instructions like AES-NI
> <https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
> used to increase performance of the AES algorithm on these platforms."
>
>
> Eero
>
> On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers  wrote:
>
>> I believe I read somewhere that the new version that requires aes-ni will
>> be 3.x, and they plan to continue the 2.x line alongside it, as 3.x will be
>> a major rewrite
>>
>>
>> -Ed
>>
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>> Volotinen
>> Sent: Thursday, February 15, 2018 12:14 PM
>> To: Kyle Marek 
>> Cc: pfSense Support and Discussion Mailing List 
>> Subject: Re: [pfSense] Configs or hardware?
>>
>> Well. Next version of pfsense (2.5) will not install into hardware that
>> does not support AES-NI, so buying such hardware is not wise ?
>>
>> Eero
>>
>>

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Well:

https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are talking
about 2.5 not 3.x ?

"While we’re not revealing the extent of our plans, we do want to give
early notice that, in order to support the increased cryptographic loads
that we see as part of pfSense version 2.5, pfSense Community Edition
version 2.5 will include a requirement that the CPU supports AES-NI. On
ARM-based systems, the additional load from AES operations will be
offloaded to on-die cryptographic accelerators, such as the one found on
our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
include instructions like AES-NI
<https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
used to increase performance of the AES algorithm on these platforms."


Eero

On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers  wrote:

> I believe I read somewhere that the new version that requires aes-ni will
> be 3.x, and they plan to continue the 2.x line alongside it, as 3.x will be
> a major rewrite
>
>
> -Ed
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Thursday, February 15, 2018 12:14 PM
> To: Kyle Marek 
> Cc: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] Configs or hardware?
>
> Well. Next version of pfsense (2.5) will not install into hardware that
> does not support AES-NI, so buying such hardware is not wise ?
>
> Eero
>
>

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Edwin Pers
I believe I read somewhere that the new version that requires aes-ni will be 
3.x, and they plan to continue the 2.x line alongside it, as 3.x will be a 
major rewrite


-Ed

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Thursday, February 15, 2018 12:14 PM
To: Kyle Marek 
Cc: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] Configs or hardware?

Well. Next version of pfsense (2.5) will not install into hardware that does 
not support AES-NI, so buying such hardware is not wise ?

Eero




Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Well. Next version of pfsense (2.5) will not install into hardware that
does not support AES-NI,
so buying such hardware is not wise ?

Eero

On Thu, Feb 15, 2018 at 7:01 PM, Kyle Marek  wrote:

> I have not had such an issue. Using 2.4.2 with System Information widget
> saying "AES-NI CPU Crypto: No".
>
> On 02/15/2018 11:55 AM, Eero Volotinen wrote:
> > Please note that next pfsense will not install on hardware that is not
> > supporting aes-ni?
> >
> > Eero
> >
> > On Thu, Feb 15, 2018 at 6:37 PM, Kyle Marek  wrote:
> >
> >> This board does round-up gigabit (something like 976 Mb/s) in both
> >> directions on all 4 interfaces: https://www.amazon.com/dp/B00XNR4HE2/
> >>
> >> The key for me here was the interrupt coalescence of these particular
> >> Intel NICs. A very similar board with Broadcom NICs that lacked this
> >> feature maxed out the interrupt handler's CPU usage on Linux when
> >> surpassing the forwarding of a single 1 Gb/s stream (1 Gb/s in on one
> >> interface; 1 Gb/s out on another).
> >>
> >> A potential downside is no AES-NI, which will affect any AES-utilizing
> >> VPNs that you need to operate at gigabit speeds. I have no benchmarks at
> >> the moment but can measure if this is necessary for you.
> >>
> >> On 02/15/2018 09:14 AM, Michael Munger wrote:
> >>> TL; DR.
> >>>
> >>> On 1Gbps downloads, our pfSense firewalls are performing poorly with
> >>> speed tests of ~400Mbps. It's either pfSense configs (not likely) or
> the
> >>> hardware (more likely). I do not want to buy a commercial box. For our
> >>> corporate network, we use HP DL360s, so zero problem there. I need
> >>> something that is the size of a router, but can do 1Gbps with pfSense.
> >>>
> >>> Who's got working configs / hardware combos that do 1Gbps easily?
> >>>
> >>> Background.
> >>>
> >>> I've been using Alix boards (APU1D4 as of late). The problem is: these
> >>> boards seem to top out at 400Mbps download. I have several clients who
> >>> have gigabit fiber connections, and they have been complaining to the
> >>> ISP that their service is slow. When they connect to the modem
> directly,
> >>> they get 1G download. When they go through the pfSense firewall we put
> >>> together using these Alix boards from PC engines, it drops to ~400Mbps.
> >>>
> >>> There are several competing "router boards" (MikroTik and the like),
> but
> >>> I have zero experience with them, I don't know if they will run pfSense
> >>> or if they will do the speed. The Alix + pfSense combo has been GREAT
> >>> for many years. If I change to something else, I don't want to go
> >>> through growing pains since I figure this is a solved problem, and
> >>> someone on this list knows / has a recommendation.


Re: [pfSense] Configs or hardware?

2018-02-15 Thread Kyle Marek
I have not had such an issue. Using 2.4.2 with System Information widget
saying "AES-NI CPU Crypto: No".

On 02/15/2018 11:55 AM, Eero Volotinen wrote:
> Please note that next pfsense will not install on hardware that is not
> supporting aes-ni?
>
> Eero
>
> On Thu, Feb 15, 2018 at 6:37 PM, Kyle Marek  wrote:
>
>> This board does round-up gigabit (something like 976 Mb/s) in both
>> directions on all 4 interfaces: https://www.amazon.com/dp/B00XNR4HE2/
>>
>> The key for me here was the interrupt coalescence of these particular
>> Intel NICs. A very similar board with Broadcom NICs that lacked this
>> feature maxed out the interrupt handler's CPU usage on Linux when
>> surpassing the forwarding of a single 1 Gb/s stream (1 Gb/s in on one
>> interface; 1 Gb/s out on another).
>>
>> A potential downside is no AES-NI, which will affect any AES-utilizing
>> VPNs that you need to operate at gigabit speeds. I have no benchmarks at
>> the moment but can measure if this is necessary for you.
>>
>> On 02/15/2018 09:14 AM, Michael Munger wrote:
>>> TL; DR.
>>>
>>> On 1Gbps downloads, our pfSense firewalls are performing poorly with
>>> speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
>>> hardware (more likely). I do not want to buy a commercial box. For our
>>> corporate network, we use HP DL360s, so zero problem there. I need
>>> something that is the size of a router, but can do 1Gbps with pfSense.
>>>
>>> Who's got working configs / hardware combos that do 1Gbps easily?
>>>
>>> Background.
>>>
>>> I've been using Alix boards (APU1D4 as of late). The problem is: these
>>> boards seem to top out at 400Mbps download. I have several clients who
>>> have gigabit fiber connections, and they have been complaining to the
>>> ISP that their service is slow. When they connect to the modem directly,
>>> they get 1G download. When they go through the pfSense firewall we put
>>> together using these Alix boards from PC engines, it drops to ~400Mbps.
>>>
>>> There are several competing "router boards" (MikroTik and the like), but
>>> I have zero experience with them, I don't know if they will run pfSense
>>> or if they will do the speed. The Alix + pfSense combo has been GREAT
>>> for many years. If I change to something else, I don't want to go
>>> through growing pains since I figure this is a solved problem, and
>>> someone on this list knows / has a recommendation.
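The "AES-NI CPU Crypto: No" question discussed above can also be answered from a box's saved boot messages. This is an added example, not code from the thread or from pfSense: it reads a FreeBSD-style boot log and tests bit 25 of the `Features2` (CPUID.1:ECX) value instead of searching for the string "aesni". The sample log text and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide AES-NI support from a FreeBSD/pfSense boot log.
# On a real box the boot log is normally at /var/run/dmesg.boot:
#   aesni_report < /var/run/dmesg.boot

# Constructed sample (flag list shortened): Features2 has bit 25 set.
sample_with() {
cat <<'EOF'
CPU: Constructed Sample CPU A (3092.89-MHz K8-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
  Features2=0x7fbae3ff<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>
aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard
EOF
}

# Constructed sample: Features2 has bit 25 clear, but a driver line still
# mentions "AESNI" (message text is an assumption modelled on boot output).
sample_without() {
cat <<'EOF'
CPU: Constructed Sample CPU B (2666.78-MHz K8-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
  Features2=0x408e3fd<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE>
aesni0: No AESNI support.
EOF
}

# Naive check: any mention of "aesni" counts. Shown only for contrast; it
# reports a false positive on sample_without because of the driver line.
naive_aesni_check() {
    grep -qi 'aesni'
}

# Reads a boot log on stdin.
# Returns 0 if CPUID.1:ECX bit 25 (AES-NI) is set, 1 if clear,
# 2 if no parsable Features2 line is present.
cpu_has_aesni() {
    line=$(sed -n '/Features2=0x/{p;q;}')
    [ -n "$line" ] || return 2
    hex=${line#*Features2=}      # drop everything up to the value
    hex=${hex%%<*}               # drop the <FLAG,...> list
    digits=${hex#0x}
    case $digits in
        ''|*[!0-9a-fA-F]*) return 2 ;;   # refuse anything that is not hex
    esac
    [ $(( 0x$digits & 0x2000000 )) -ne 0 ]
}

# Prints a one-line verdict for the boot log on stdin.
aesni_report() {
    rc=0
    cpu_has_aesni || rc=$?
    case $rc in
        0) echo "AES-NI: yes" ;;
        1) echo "AES-NI: no" ;;
        *) echo "AES-NI: unknown (no parsable Features2 line)" ;;
    esac
}

# Demo on the two constructed logs.
sample_with | aesni_report
sample_without | aesni_report
```
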


Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Please note that next pfsense will not install on hardware that is not
supporting aes-ni?

Eero

On Thu, Feb 15, 2018 at 6:37 PM, Kyle Marek  wrote:

> This board does round-up gigabit (something like 976 Mb/s) in both
> directions on all 4 interfaces: https://www.amazon.com/dp/B00XNR4HE2/
>
> The key for me here was the interrupt coalescence of these particular
> Intel NICs. A very similar board with Broadcom NICs that lacked this
> feature maxed out the interrupt handler's CPU usage on Linux when
> surpassing the forwarding of a single 1 Gb/s stream (1 Gb/s in on one
> interface; 1 Gb/s out on another).
>
> A potential downside is no AES-NI, which will affect any AES-utilizing
> VPNs that you need to operate at gigabit speeds. I have no benchmarks at
> the moment but can measure if this is necessary for you.
>
> On 02/15/2018 09:14 AM, Michael Munger wrote:
> > TL; DR.
> >
> > On 1Gbps downloads, our pfSense firewalls are performing poorly with
> > speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
> > hardware (more likely). I do not want to buy a commercial box. For our
> > corporate network, we use HP DL360s, so zero problem there. I need
> > something that is the size of a router, but can do 1Gbps with pfSense.
> >
> > Who's got working configs / hardware combos that do 1Gbps easily?
> >
> > Background.
> >
> > I've been using Alix boards (APU1D4 as of late). The problem is: these
> > boards seem to top out at 400Mbps download. I have several clients who
> > have gigabit fiber connections, and they have been complaining to the
> > ISP that their service is slow. When they connect to the modem directly,
> > they get 1G download. When they go through the pfSense firewall we put
> > together using these Alix boards from PC engines, it drops to ~400Mbps.
> >
> > There are several competing "router boards" (MikroTik and the like), but
> > I have zero experience with them, I don't know if they will run pfSense
> > or if they will do the speed. The Alix + pfSense combo has been GREAT
> > for many years. If I change to something else, I don't want to go
> > through growing pains since I figure this is a solved problem, and
> > someone on this list knows / has a recommendation.


Re: [pfSense] Configs or hardware?

2018-02-15 Thread Kyle Marek
This board does round-up gigabit (something like 976 Mb/s) in both
directions on all 4 interfaces: https://www.amazon.com/dp/B00XNR4HE2/

The key for me here was the interrupt coalescence of these particular
Intel NICs. A very similar board with Broadcom NICs that lacked this
feature maxed out the interrupt handler's CPU usage on Linux when
surpassing the forwarding of a single 1 Gb/s stream (1 Gb/s in on one
interface; 1 Gb/s out on another).

A potential downside is no AES-NI, which will affect any AES-utilizing
VPNs that you need to operate at gigabit speeds. I have no benchmarks at
the moment but can measure if this is necessary for you.

On 02/15/2018 09:14 AM, Michael Munger wrote:
> TL; DR.
>
> On 1Gbps downloads, our pfSense firewalls are performing poorly with
> speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
> hardware (more likely). I do not want to buy a commercial box. For our
> corporate network, we use HP DL360s, so zero problem there. I need
> something that is the size of a router, but can do 1Gbps with pfSense.
>
> Who's got working configs / hardware combos that do 1Gbps easily?
>
> Background.
>
> I've been using Alix boards (APU1D4 as of late). The problem is: these
> boards seem to top out at 400Mbps download. I have several clients who
> have gigabit fiber connections, and they have been complaining to the
> ISP that their service is slow. When they connect to the modem directly,
> they get 1G download. When they go through the pfSense firewall we put
> together using these Alix boards from PC engines, it drops to ~400Mbps.
>
> There are several competing "router boards" (MikroTik and the like), but
> I have zero experience with them, I don't know if they will run pfSense
> or if they will do the speed. The Alix + pfSense combo has been GREAT
> for many years. If I change to something else, I don't want to go
> through growing pains since I figure this is a solved problem, and
> someone on this list knows / has a recommendation.


Re: [pfSense] Configs or hardware?

2018-02-15 Thread Ivo Tonev
Try increasing network buffers via "system tunables".

Em 15 de fev de 2018 12:14, "Michael Munger" 
escreveu:

> TL; DR.
>
> On 1Gbps downloads, our pfSense firewalls are performing poorly with
> speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
> hardware (more likely). I do not want to buy a commercial box. For our
> corporate network, we use HP DL360s, so zero problem there. I need
> something that is the size of a router, but can do 1Gbps with pfSense.
>
> Who's got working configs / hardware combos that do 1Gbps easily?
>
> Background.
>
> I've been using Alix boards (APU1D4 as of late). The problem is: these
> boards seem to top out at 400Mbps download. I have several clients who
> have gigabit fiber connections, and they have been complaining to the
> ISP that their service is slow. When they connect to the modem directly,
> they get 1G download. When they go through the pfSense firewall we put
> together using these Alix boards from PC engines, it drops to ~400Mbps.
>
> There are several competing "router boards" (MikroTik and the like), but
> I have zero experience with them, I don't know if they will run pfSense
> or if they will do the speed. The Alix + pfSense combo has been GREAT
> for many years. If I change to something else, I don't want to go
> through growing pains since I figure this is a solved problem, and
> someone on this list knows / has a recommendation.
>
> --
> Michael Munger, dCAP, MCPS, MCNPS, MBSS
> High Powered Help, Inc.
> Microsoft Certified Professional
> Microsoft Certified Small Business Specialist
> Digium Certified Asterisk Professional
> mich...@highpoweredhelp.com 


Re: [pfSense] Configs or hardware?

2018-02-15 Thread Joe Landman



On 02/15/2018 09:14 AM, Michael Munger wrote:

> TL; DR.
>
> On 1Gbps downloads, our pfSense firewalls are performing poorly with
> speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
> hardware (more likely). I do not want to buy a commercial box. For our
> corporate network, we use HP DL360s, so zero problem there. I need
> something that is the size of a router, but can do 1Gbps with pfSense.
>
> Who's got working configs / hardware combos that do 1Gbps easily?


My home pfSense system is a 16GB ram, 4 core Intel E3-1220 with a quad 
port i350-t4 card.  I moved over to it yesterday from the VM I had been 
using.  Performance difference is striking.  Best effort out of the VM 
was about 44Mb/s for download on a 1Gb line.  Raw port was about 660 
Mb/s.  "New" (old from Ebay) unit is about 800 Mb/s +/- some.


As you get to higher bit rates, you need a) sufficient processor power, 
b) sufficiently powerful NIC hardware to offload the CPU for things the 
CPU doesn't do as well as the NIC.  I expect to keep this combo going 
until we get multi Gigabit service in our area.




> Background.
>
> I've been using Alix boards (APU1D4 as of late). The problem is: these
> boards seem to top out at 400Mbps download. I have several clients who
> have gigabit fiber connections, and they have been complaining to the
> ISP that their service is slow. When they connect to the modem directly,
> they get 1G download. When they go through the pfSense firewall we put
> together using these Alix boards from PC engines, it drops to ~400Mbps.
>
> There are several competing "router boards" (MikroTik and the like), but
> I have zero experience with them, I don't know if they will run pfSense
> or if they will do the speed. The Alix + pfSense combo has been GREAT
> for many years. If I change to something else, I don't want to go
> through growing pains since I figure this is a solved problem, and
> someone on this list knows / has a recommendation.



This unit is a cheap version of the small 1U boxen I used at my previous 
$dayjob for compute cluster/file system clients.  They were testing 
boxes, not too powerful for the high end of compute/networking (40Gb 
Infiniband), but able to drive load.  Lower spec boxes can't generally 
hack high data rates for any number of reasons.


--
Joe Landman
t: @hpcjoe
g: https://github.com/joelandman


Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eric W
Also, this is an incredibly common question on the pfSense forums. (Not trying 
to be condescending, just stating.) I racked my mind trying to figure something 
out when, like you said, it’s a solved problem. Basically, get a reasonably 
powered computer and put some real  Intel NICs in it and you’ll likely be fine. 
The processor you get will be decided based on what packages you’re running. My 
i7 is overkill, but it was also free. 

Sent from Der Isenphonen

> On Feb 15, 2018, at 9:28 AM, Eero Volotinen  wrote:
> 
> Hi,
> 
> This hardware can do gigabit (wirespeed) NAT/FW
> 
> https://www.amazon.com/gp/product/B016VHBA7C (tested on my home, using
> symmetric gigabit line...)
> 
> but we use NetGate SG-8860 on our main offices:
> 
> https://www.voleatech.de/en/product/sg-8860-1u/?gclid=EAIaIQobChMIlbTj5o-o2QIVBJ8bCh1phgmKEAAYASAAEgKuzPD_BwE
> 
> Eero
> 
> On Thu, Feb 15, 2018 at 4:14 PM, Michael Munger > wrote:
> 
>> TL; DR.
>> 
>> On 1Gbps downloads, our pfSense firewalls are performing poorly with
>> speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
>> hardware (more likely). I do not want to buy a commercial box. For our
>> corporate network, we use HP DL360s, so zero problem there. I need
>> something that is the size of a router, but can do 1Gbps with pfSense.
>> 
>> Who's got working configs / hardware combos that do 1Gbps easily?
>> 
>> Background.
>> 
>> I've been using Alix boards (APU1D4 as of late). The problem is: these
>> boards seem to top out at 400Mbps download. I have several clients who
>> have gigabit fiber connections, and they have been complaining to the
>> ISP that their service is slow. When they connect to the modem directly,
>> they get 1G download. When they go through the pfSense firewall we put
>> together using these Alix boards from PC engines, it drops to ~400Mbps.
>> 
>> There are several competing "router boards" (MikroTik and the like), but
>> I have zero experience with them, I don't know if they will run pfSense
>> or if they will do the speed. The Alix + pfSense combo has been GREAT
>> for many years. If I change to something else, I don't want to go
>> through growing pains since I figure this is a solved problem, and
>> someone on this list knows / has a recommendation.
>> 
>> --
>> Michael Munger, dCAP, MCPS, MCNPS, MBSS
>> High Powered Help, Inc.
>> Microsoft Certified Professional
>> Microsoft Certified Small Business Specialist
>> Digium Certified Asterisk Professional
>> mich...@highpoweredhelp.com 

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eric W
I have an optiplex 970 (possibly 980, don’t recall) with 16GB RAM and a quad 
port Intel NIC that handles gigabit fiber with no issues at all. I managed to 
order a knockoff NIC (half the thing’s from eBay), so I’m surprised it’s 
performing this well, but it’s been rock solid. Granted it’s for home use, but 
my TV and phones are all handled via my network connection and I’ve had no 
issues and for things like that, it would be noticeable. 

Sent from Der Isenphonen

> On Feb 15, 2018, at 9:28 AM, Eero Volotinen  wrote:
> 
> Hi,
> 
> This hardware can do gigabit (wirespeed) NAT/FW
> 
> https://www.amazon.com/gp/product/B016VHBA7C (tested on my home, using
> symmetric gigabit line...)
> 
> but we use NetGate SG-8860 on our main offices:
> 
> https://www.voleatech.de/en/product/sg-8860-1u/?gclid=EAIaIQobChMIlbTj5o-o2QIVBJ8bCh1phgmKEAAYASAAEgKuzPD_BwE
> 
> Eero
> 
> On Thu, Feb 15, 2018 at 4:14 PM, Michael Munger > wrote:
> 
>> TL; DR.
>> 
>> On 1Gbps downloads, our pfSense firewalls are performing poorly with
>> speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
>> hardware (more likely). I do not want to buy a commercial box. For our
>> corporate network, we use HP DL360s, so zero problem there. I need
>> something that is the size of a router, but can do 1Gbps with pfSense.
>> 
>> Who's got working configs / hardware combos that do 1Gbps easily?
>> 
>> Background.
>> 
>> I've been using Alix boards (APU1D4 as of late). The problem is: these
>> boards seem to top out at 400Mbps download. I have several clients who
>> have gigabit fiber connections, and they have been complaining to the
>> ISP that their service is slow. When they connect to the modem directly,
>> they get 1G download. When they go through the pfSense firewall we put
>> together using these Alix boards from PC engines, it drops to ~400Mbps.
>> 
>> There are several competing "router boards" (MikroTik and the like), but
>> I have zero experience with them, I don't know if they will run pfSense
>> or if they will do the speed. The Alix + pfSense combo has been GREAT
>> for many years. If I change to something else, I don't want to go
>> through growing pains since I figure this is a solved problem, and
>> someone on this list knows / has a recommendation.
>> 
>> --
>> Michael Munger, dCAP, MCPS, MCNPS, MBSS
>> High Powered Help, Inc.
>> Microsoft Certified Professional
>> Microsoft Certified Small Business Specialist
>> Digium Certified Asterisk Professional
>> mich...@highpoweredhelp.com 

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Hi,

This hardware can do gigabit (wirespeed) NAT/FW

https://www.amazon.com/gp/product/B016VHBA7C (tested on my home, using
symmetric gigabit line...)

but we use NetGate SG-8860 on our main offices:

https://www.voleatech.de/en/product/sg-8860-1u/?gclid=EAIaIQobChMIlbTj5o-o2QIVBJ8bCh1phgmKEAAYASAAEgKuzPD_BwE

Eero

On Thu, Feb 15, 2018 at 4:14 PM, Michael Munger  wrote:

> TL; DR.
>
> On 1Gbps downloads, our pfSense firewalls are performing poorly with
> speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
> hardware (more likely). I do not want to buy a commercial box. For our
> corporate network, we use HP DL360s, so zero problem there. I need
> something that is the size of a router, but can do 1Gbps with pfSense.
>
> Who's got working configs / hardware combos that do 1Gbps easily?
>
> Background.
>
> I've been using Alix boards (APU1D4 as of late). The problem is: these
> boards seem to top out at 400Mbps download. I have several clients who
> have gigabit fiber connections, and they have been complaining to the
> ISP that their service is slow. When they connect to the modem directly,
> they get 1G download. When they go through the pfSense firewall we put
> together using these Alix boards from PC engines, it drops to ~400Mbps.
>
> There are several competing "router boards" (MikroTik and the like), but
> I have zero experience with them, I don't know if they will run pfSense
> or if they will do the speed. The Alix + pfSense combo has been GREAT
> for many years. If I change to something else, I don't want to go
> through growing pains since I figure this is a solved problem, and
> someone on this list knows / has a recommendation.
>
> --
> Michael Munger, dCAP, MCPS, MCNPS, MBSS
> High Powered Help, Inc.
> Microsoft Certified Professional
> Microsoft Certified Small Business Specialist
> Digium Certified Asterisk Professional
> mich...@highpoweredhelp.com 