Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Jim Thompson

The Xeon CPUs are "almost idle". 

The "old Intel 32-bit Pentium 4 2.4GHz dual core server", however is the other 
end of that IPSEC tunnel. It's unlikely to be as idle as the Xeon. 

-- Jim

> On Nov 6, 2013, at 8:04, Thinker Rix  wrote:
> 
>> On 2013-11-06 15:22, Vick Khera wrote:
>> 
>> On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix  
>> wrote:
>>> Would pfSense use these CPU instructions so as to hardware-encrypt/decrypt all 
>>> VPN traffic (openVPN)?
>>> Would pfSense benefit from this in any other way, too?
>> 
>> 
>> pfSense lists the AES-NI as a supported option for crypto acceleration.  
>> pfSense will use it for OpenVPN and IPsec if you tell it to. There's a 
>> config setting for it.
>> 
>> As to your question of is it worth the cost, that depends on how much VPN 
>> traffic you have. The Xeon will handle a damn lot of traffic all on its own. 
>> If you are pushing more than 40Mbps on the VPN, then perhaps consider the 
>> extra cost. If it is low, like under 5 or 10Mbps, then I'd probably suggest 
>> that it is not worth the cost.
>> 
>> As a reference, between my data center and my primary office, I have an 
>> IPsec tunnel.  The office runs on an old Intel 32-bit Pentium 4 2.4GHz dual 
>> core server.  The data center runs on Intel Xeon E31220L @ 2.20GHz 
>> quad-core. Neither one has any built-in cryptodev supported devices. The 
>> IPsec tunnel maxes out at about 20Mbps during large file backups. I don't 
>> think it would go any faster with hardware acceleration, and the load on 
>> these boxes hovers around 0 still. The data center firewall is also busy 
>> pushing over 100Mbps of regular traffic to hundreds of clients as well.
> 
> Hi Vick,
> 
> Thank you for your reference, it is very valuable for me!
> I guess I will go with a Pentium (Ivy Bridge) 2x 3.0 GHz CPU.
> 
> What do you think is the reason for your VPN traffic maxing out at 20Mbps (I 
> assume that your connection is not the traffic bottleneck, right?), although 
> your CPUs are almost idle?
> 
> Best regards
> Thinker Rix
> ___
> List mailing list
> List@lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Jim Thompson
The issue may not be that easy to fix. 
Current theory is that it's a structural issue in cryptdev. 

-- Jim

> On Nov 6, 2013, at 20:59, Chris Buechler  wrote:
> 
> I have done some brief testing of AES-NI a few months back, though I
> can't seem to find the results at the moment and that test environment
> isn't online currently. It doesn't give the performance benefit that
> it should at this time. So the immediate benefit is minimal (except
> for the fact the Xeon proc would be faster than the Pentium), but it
> will be properly supported in the future, hopefully in 2.2 with its
> FreeBSD 10 base, but we haven't done any testing there yet.
> 
>> On Tue, Nov 5, 2013 at 11:53 PM, Thinker Rix  
>> wrote:
>> Hello all,
>> 
>> as I am planning to buy new hardware for pfSense, I was wondering if it is
>> worthy to buy a CPU that supports "AES new instructions", i.e.
>> hardware-support for AES encryption.
>> 
>> Would pfSense use these CPU instructions so as to hardware-encrypt/decrypt all
>> VPN traffic (openVPN)?
>> Would pfSense benefit from this in any other way, too?
>> 
>> The motherboards that I want to buy unfortunately support AES-NI only with
>> Xeons that currently start from approx 170 €. If I would take a CPU without
>> AES-NI, I could go with a dual-Pentium for 40€. What impact would you expect
>> from AES-NI, in regards to the fact that I will be having traffic from VPN
>> secured WLAN with approx 300-450 Mbps and VPN to/from the internet, 1-2
>> users at a time max. Do you think the AES-NI would be worthy the price
>> premium of the Xeon for my case, e.g. because it would reduce VPN latency,
>> etc., or is it just a pure waste of money in my case?
>> 
>> Best regards
>> Thinker Rix
>> 
>> 
>> 


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Chris Buechler
I have done some brief testing of AES-NI a few months back, though I
can't seem to find the results at the moment and that test environment
isn't online currently. It doesn't give the performance benefit that
it should at this time. So the immediate benefit is minimal (except
for the fact the Xeon proc would be faster than the Pentium), but it
will be properly supported in the future, hopefully in 2.2 with its
FreeBSD 10 base, but we haven't done any testing there yet.

On Tue, Nov 5, 2013 at 11:53 PM, Thinker Rix  wrote:
> Hello all,
>
> as I am planning to buy new hardware for pfSense, I was wondering if it is
> worthy to buy a CPU that supports "AES new instructions", i.e.
> hardware-support for AES encryption.
>
> Would pfSense use these CPU instructions so as to hardware-encrypt/decrypt all
> VPN traffic (openVPN)?
> Would pfSense benefit from this in any other way, too?
>
> The motherboards that I want to buy unfortunately support AES-NI only with
> Xeons that currently start from approx 170 €. If I would take a CPU without
> AES-NI, I could go with a dual-Pentium for 40€. What impact would you expect
> from AES-NI, in regards to the fact that I will be having traffic from VPN
> secured WLAN with approx 300-450 Mbps and VPN to/from the internet, 1-2
> users at a time max. Do you think the AES-NI would be worthy the price
> premium of the Xeon for my case, e.g. because it would reduce VPN latency,
> etc., or is it just a pure waste of money in my case?
>
> Best regards
> Thinker Rix
>
>
>


Re: [pfSense] Traffic Graph: Not reflecting reality?

2013-11-06 Thread Mike McLaughlin
Agreed, could be VLAN related. My DMZ is a VLAN on the same switch all my
WAN's are on - All use VLANs and only the one interface has the issue. For
the record I have several WANs and Several DMZs on the same PHY, and as far
as I have noticed so far only the one exhibits the issue, but I haven't
thoroughly tested all of the other interfaces.

Mike McLaughlin


On Wed, Nov 6, 2013 at 4:40 PM, David Burgess  wrote:

>
> On Nov 6, 2013 4:32 PM, "Dave Warren"  wrote:
> >
> > Last I looked, it happened on all of my interfaces, but I'm 100% VLAN'd
> > here, my entire box runs on one single port.
>
> Same here, except I don't see it on my WAN. My WAN is MLPPP over vlans. On
> 2.0 I saw this double traffic on the WAN only.
>
> db
>


Re: [pfSense] Traffic Graph: Not reflecting reality?

2013-11-06 Thread David Burgess
On Nov 6, 2013 4:32 PM, "Dave Warren"  wrote:
>
> Last I looked, it happened on all of my interfaces, but I'm 100% VLAN'd
> here, my entire box runs on one single port.

Same here, except I don't see it on my WAN. My WAN is MLPPP over vlans. On
2.0 I saw this double traffic on the WAN only.

db


Re: [pfSense] Traffic Graph: Not reflecting reality?

2013-11-06 Thread Jeppe Øland
Dave Warren  wrote:
> Is there any pattern? Could it be happening only on VLAN interfaces?

Possible ... my box only has 2 NICs and I have 2 WANs.
LAN is its own interface.
2 WANs are VLANd onto the other interface.

Regards,
-Jeppe


Re: [pfSense] Traffic Graph: Not reflecting reality?

2013-11-06 Thread Dave Warren

On 2013-11-06 15:14, Mike McLaughlin wrote:
> I see the same thing on my DMZ (local) interface. My LAN and all my 
> WAN circuits show what I'd expect and the DMZ shows roughly double 
> what is *actually* going in/out. I did a bunch of pcaps and tried to 
> track down a bad setting with my VLANs or something and didn't come up 
> with anything. I also have another pfSense box in the DMZ (in front of 
> a large wireless network) and it shows correct information while the 
> DMZ interface shows double.

Is there any pattern? Could it be happening only on VLAN interfaces? 
Last I looked, it happened on all of my interfaces, but I'm 100% VLAN'd 
here, my entire box runs on one single port.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



[pfSense] Captive Portal: IPv6

2013-11-06 Thread Paulo Roberto
Hi,
When I turn on the captive portal, the computers on the internal network
ipv6 stops working.


is there any way to make it work?


version pfsense 2.1


Re: [pfSense] Traffic Graph: Not reflecting reality?

2013-11-06 Thread Mike McLaughlin
I see the same thing on my DMZ (local) interface. My LAN and all my WAN
circuits show what I'd expect and the DMZ shows roughly double what is
*actually* going in/out. I did a bunch of pcaps and tried to track down a
bad setting with my VLANs or something and didn't come up with anything. I
also have another pfSense box in the DMZ (in front of a large wireless
network) and it shows correct information while the DMZ interface shows
double.

Mike McLaughlin


On Wed, Nov 6, 2013 at 1:38 PM, Dave Warren  wrote:

> On 2013-11-06 13:20, David Burgess wrote:
>
>> I don't use a proxy server and my internal interface graphs usually
>> report double traffic. Only the real time graphs though, as rrd looks
>> correct.
>>
>
> Actually I think I eliminated the proxy anyway, the proxy is optional here
> (except the transparent proxy on port 80) and it happens with NNTP
> connections which are not proxied.
>
> RRD graphs look closer to being possible, and the WAN and LAN seem to
> match roughly what I'd expect.
>
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>


Re: [pfSense] Traffic Graph: Not reflecting reality?

2013-11-06 Thread Dave Warren

On 2013-11-06 13:20, David Burgess wrote:
> I don't use a proxy server and my internal interface graphs usually 
> report double traffic. Only the real time graphs though, as rrd looks 
> correct.


Actually I think I eliminated the proxy anyway, the proxy is optional 
here (except the transparent proxy on port 80) and it happens with NNTP 
connections which are not proxied.


RRD graphs look closer to being possible, and the WAN and LAN seem to 
match roughly what I'd expect.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: [pfSense] Traffic Graph: Not reflecting reality?

2013-11-06 Thread Jeppe Øland
Dave Warren  wrote:
> We recently relocated and are waiting to get our primary connection
> installed, so in the mean time we're on a 3Mb/0.75Mb DSL line. However,
> pfSense often shows 6Mb/s coming out of the LAN during a download.

Same problem here.

Look at my mail from Oct 1.
Subject: Traffic Graph discrepancy in 2.1
http://lists.pfsense.org/pipermail/list/2013-October/004735.html

Given the lack of replies, it seems only you and I care :-)

Regards,
-Jeppe


Re: [pfSense] Traffic Graph: Not reflecting reality?

2013-11-06 Thread David Burgess
On Nov 6, 2013 2:17 PM, "Dave Warren"  wrote:
>
> I'm wondering if it's possible that data in the Traffic Graph is not
> showing up correctly?
>
>

I don't use a proxy server and my internal interface graphs usually report
double traffic. Only the real time graphs though, as rrd looks correct.

db


[pfSense] Traffic Graph: Not reflecting reality?

2013-11-06 Thread Dave Warren
I'm wondering if it's possible that data in the Traffic Graph is not 
showing up correctly?


We recently relocated and are waiting to get our primary connection 
installed, so in the mean time we're on a 3Mb/0.75Mb DSL line. However, 
pfSense often shows 6Mb/s coming out of the LAN during a download.


Is it possible that the proxy server (transparent proxy enabled) or 
something else is causing data to be displayed incorrectly?


Both the modem itself and download speed tests confirm our 3Mb speed, 
yet pfSense regularly shows a flat line at 6Mb/s in the traffic graph 
when we're under load.



--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Paul Mather
On Nov 6, 2013, at 1:43 PM, Jim Thompson  wrote:

> 
> On Nov 6, 2013, at 8:06 AM, Thinker Rix  wrote:
> 
>> On 2013-11-06 15:29, Jim Thompson wrote:
>>>> On Nov 6, 2013, at 7:22, Vick Khera  wrote:
>>>> 
>>>> pfSense lists the AES-NI as a supported option for crypto acceleration.  
>>>> pfSense will use it for OpenVPN and IPsec if you tell it to. There's a 
>>>> config setting for it.
>>> I'm not aware of any performance testing for AES-NI on pfSense.
>>> 
>>> There are reports that FreeBSD doesn't support AES-NI very well.
>> 
>> Thank you for this information, Jim. So I figure, that buying the Xeon just 
>> for its AES functions would (currently) be a waste of money.
> 
> I can’t answer this, because I’ve not tested it.
> 
> I know that the linux kernel, and openbsd both take full advantage of AES-NI 
> instructions.
> 
> http://ibatanov.blogspot.com/2012/04/ipsec-performance-benchmarking-is-end.html
> http://comments.gmane.org/gmane.os.openbsd.misc/199639
> 
> I know there is an implementation of AES-NI for cryptdev, but **I HAVE NOT 
> TESTED IT** (nor has anyone else on the pfSense team, AFAIK).
> 
> There seems to be an issue:
> http://forum.pfsense.org/index.php/topic,54008.30.html
> http://lists.freebsd.org/pipermail/freebsd-hackers/2012-May/038762.html
> 
> In the meantime, it might be possible to use OpenVPN with a patched openssl 
> library to achieve the results you desire (but now you’re off into DIY land.) 
>  https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
> 
> That all said, we will find and fix the issue at some point.   (I’m actually 
> in San Jose for the FreeBSD Vendor Summit, and plan to bring it up as a 
> potential issue.)


Well, there's this thread from late August this year about improving AES-NI 
support that eventually kicked off into an epic kerfuffle and bike shed about 
the status of gcc in FreeBSD 10: 
http://lists.freebsd.org/pipermail/freebsd-toolchain/2013-August/000920.html

Cheers,

Paul.


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Jim Thompson

On Nov 6, 2013, at 8:06 AM, Thinker Rix  wrote:

> On 2013-11-06 15:29, Jim Thompson wrote:
>>> On Nov 6, 2013, at 7:22, Vick Khera  wrote:
>>> 
>>> pfSense lists the AES-NI as a supported option for crypto acceleration.  
>>> pfSense will use it for OpenVPN and IPsec if you tell it to. There's a 
>>> config setting for it.
>> I'm not aware of any performance testing for AES-NI on pfSense.
>> 
>> There are reports that FreeBSD doesn't support AES-NI very well.
> 
> Thank you for this information, Jim. So I figure, that buying the Xeon just 
> for its AES functions would (currently) be a waste of money.

I can’t answer this, because I’ve not tested it.

I know that the linux kernel, and openbsd both take full advantage of AES-NI 
instructions.

http://ibatanov.blogspot.com/2012/04/ipsec-performance-benchmarking-is-end.html
http://comments.gmane.org/gmane.os.openbsd.misc/199639

I know there is an implementation of AES-NI for cryptdev, but **I HAVE NOT 
TESTED IT** (nor has anyone else on the pfSense team, AFAIK).

There seems to be an issue:
http://forum.pfsense.org/index.php/topic,54008.30.html
http://lists.freebsd.org/pipermail/freebsd-hackers/2012-May/038762.html

In the meantime, it might be possible to use OpenVPN with a patched openssl 
library to achieve the results you desire (but now you’re off into DIY land.)  
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

That all said, we will find and fix the issue at some point.   (I’m actually in 
San Jose for the FreeBSD Vendor Summit, and plan to bring it up as a potential 
issue.)

Jim



[pfSense] Reg: Lightsquid Report

2013-11-06 Thread divya
 

Dear Team,

  I’m using pfsense, I have checked the light squid report (by Status → Proxy
Report → Light squid), it's not listing for some IP addresses. What I want to do
for getting squid report for all machines. Please do the needful as soon as
possible.

 

 

Regards,

Dhivya.S  



Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Eugen Leitl
On Wed, Nov 06, 2013 at 04:12:09PM +, Chris Bagnall wrote:
> On 6/11/13 12:30 pm, Eugen Leitl wrote:
> >Anyone running pfSense on a HP Microserver G8?
> 
> I have - in the past - had it running on a G5 and a G6 if that's any help.
> 
> One of our clients is using it on a G7.
> 
> lspci on both mine show:
> Broadcom Corporation NetXtreme BCM5723 Gigabit Ethernet PCIe (rev 10)

Are these borderline reliable with FreeBSD/pfSense? I've had
some strange behavior with my old Supermicro Atom lately, when
I had to start using the onboard Realteks when my dual-port
Intel NIC started playing yoyo with my cable modem port -- 
I suspect it's partially fried. The Realteks have been doing it,
so far.


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Chris Bagnall

On 6/11/13 12:30 pm, Eugen Leitl wrote:

> Anyone running pfSense on a HP Microserver G8?


I have - in the past - had it running on a G5 and a G6 if that's any help.

One of our clients is using it on a G7.

lspci on both mine show:
Broadcom Corporation NetXtreme BCM5723 Gigabit Ethernet PCIe (rev 10)

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Thinker Rix

On 2013-11-06 15:29, Jim Thompson wrote:

>> On Nov 6, 2013, at 7:22, Vick Khera  wrote:
>>
>> pfSense lists the AES-NI as a supported option for crypto acceleration.  
>> pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config 
>> setting for it.
>
> I'm not aware of any performance testing for AES-NI on pfSense.
>
> There are reports that FreeBSD doesn't support AES-NI very well.


Thank you for this information, Jim. So I figure, that buying the Xeon 
just for its AES functions would (currently) be a waste of money.


Best regards
Thinker Rix


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Thinker Rix

On 2013-11-06 15:22, Vick Khera wrote:


> On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix wrote:
>
>> Would pfSense use these CPU instructions so as to
>> hardware-encrypt/decrypt all VPN traffic (openVPN)?
>> Would pfSense benefit from this in any other way, too?
>
> pfSense lists the AES-NI as a supported option for crypto 
> acceleration.  pfSense will use it for OpenVPN and IPsec if you tell 
> it to. There's a config setting for it.
>
> As to your question of is it worth the cost, that depends on how much 
> VPN traffic you have. The Xeon will handle a damn lot of traffic all 
> on its own. If you are pushing more than 40Mbps on the VPN, then 
> perhaps consider the extra cost. If it is low, like under 5 or 10Mbps, 
> then I'd probably suggest that it is not worth the cost.
>
> As a reference, between my data center and my primary office, I have 
> an IPsec tunnel.  The office runs on an old Intel 32-bit Pentium 4 
> 2.4GHz dual core server.  The data center runs on Intel Xeon E31220L @ 
> 2.20GHz quad-core. Neither one has any built-in cryptodev supported 
> devices. The IPsec tunnel maxes out at about 20Mbps during large file 
> backups. I don't think it would go any faster with hardware 
> acceleration, and the load on these boxes hovers around 0 still. The 
> data center firewall is also busy pushing over 100Mbps of regular 
> traffic to hundreds of clients as well.




Hi Vick,

Thank you for your reference, it is very valuable for me!
I guess I will go with a Pentium (Ivy Bridge) 2x 3.0 GHz CPU.

What do you think is the reason for your VPN traffic maxing out at 
20Mbps (I assume that your connection is not the traffic bottleneck, 
right?), although your CPUs are almost idle?


Best regards
Thinker Rix


Re: [pfSense] Motherboard compatibility

2013-11-06 Thread Paul Mather
On Nov 6, 2013, at 12:36 AM, Thinker Rix  wrote:

> Hi all!
> 
> I am planning to set up a new pfSense server with brand new hardware.
> The motherboards that I am thinking of have socket LGA1155 or LGA1150 and 
> come with Intel C204 and C222 chipsets, respectively.
> 
> The motherboard producer provides a compatibility list for his boards. He 
> states that the:
> - C204 board is compatible with FreeBSD 8.1
> - C222 board is compatible with FreeBSD 9.1
> 
> I know only very little about FreeBSD, but I think that hardware support is 
> quite similar with the Linux kernel: what once has been added to the kernel, 
> stays there "forever", isn't it? So if the vendor writes "compatible with 
> FreeBSD 8.1" it continues to be compatible with all following versions, such 
> as FreeBSD 8.3, correct?


That's largely accurate, but not a cast-iron guarantee.  Like all open-source 
projects, support depends upon volunteers and so how supported a piece of 
hardware is depends upon the availability of maintainers.  So, there's a 
possibility that support may erode over time.  Certain architectural milestones 
may also affect hardware support.  For example, when there was the big push to 
eliminate the GIANT lock, there was a "step up or get dropped" challenge issued 
against a lot of drivers in the tree.  Some that were bit-rotting and had 
nobody step up to make them GIANT-free got dropped and hence became unsupported.

There's also the law of diminishing returns.  Somewhere in the FreeBSD 4.x 
cycle support was dropped for an ancient and obscure CD-ROM device I was using. 
 Although it was personally inconvenient at the time, it was understandable as 
the device was way beyond legacy even back then.  (It also doesn't help when 
developers can't get hardware to test drivers against.)  In a similar vein, at 
FreeBSD 5.0 they dropped support for i386 CPUs (from then on you needed at 
least an i486 and up at that point---i.e., a CPU that had hardware FP support).


> If those figures that the hardware producer provided are correct, it would 
> mean that I could run pfSense 2.1 only on the C204 board, since pfSense 2.1 
> is based on FreeBSD 8.3, and the C222 board is only compatible from FreeBSD 
> 9.1 and upwards, right?!
> 
> Since hardware producers tend to not edit and update such compatibility lists 
> properly, the information provided there could be wrong. For this reason I 
> would like to double-check. Could maybe someone give me a hint where I could 
> look up, which chipsets FreeBSD supports and from what version on?


A good place to look is in the "Hardware Notes" that accompanies each release.  
For example, for 8.3 it is at 
http://www.freebsd.org/releases/8.3R/hardware.html and for 9.1 it is at 
http://www.freebsd.org/releases/9.1R/hardware.html.  Also, if you have a 
specific piece of hardware in mind, a good place to ask is the 
freebsd-questi...@freebsd.org mailing list.  (You don't need to subscribe there 
to post.)  There's a good chance that someone who has the hardware or is 
familiar with it could post whether it works well or not.

Cheers,

Paul.



Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Jim Thompson

> On Nov 6, 2013, at 7:22, Vick Khera  wrote:
> 
> pfSense lists the AES-NI as a supported option for crypto acceleration.  
> pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config 
> setting for it.

I'm not aware of any performance testing for AES-NI on pfSense. 

There are reports that FreeBSD doesn't support AES-NI very well. 

Jim 


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Vick Khera
On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix wrote:

> Would pfSense use these CPU instructions so as to hardware-encrypt/decrypt all
> VPN traffic (openVPN)?
> Would pfSense benefit from this in any other way, too?
>

pfSense lists the AES-NI as a supported option for crypto acceleration.
 pfSense will use it for OpenVPN and IPsec if you tell it to. There's a
config setting for it.

As to your question of is it worth the cost, that depends on how much VPN
traffic you have. The Xeon will handle a damn lot of traffic all on its
own. If you are pushing more than 40Mbps on the VPN, then perhaps consider
the extra cost. If it is low, like under 5 or 10Mbps, then I'd probably
suggest that it is not worth the cost.

As a reference, between my data center and my primary office, I have an
IPsec tunnel.  The office runs on an old Intel 32-bit Pentium 4 2.4GHz dual
core server.  The data center runs on Intel Xeon E31220L @ 2.20GHz
quad-core. Neither one has any built-in cryptodev supported devices. The
IPsec tunnel maxes out at about 20Mbps during large file backups. I don't
think it would go any faster with hardware acceleration, and the load on
these boxes hovers around 0 still. The data center firewall is also busy
pushing over 100Mbps of regular traffic to hundreds of clients as well.


Re: [pfSense] website and upgrade procedure

2013-11-06 Thread Vick Khera
On Tue, Nov 5, 2013 at 2:21 PM, Curtis Maurand  wrote:

> I'm assuming you used a live CD or an installation CD?
>

Yes, that is what I did. I used the live CD to install onto the new
hardware. Then I plugged my laptop into it using a direct ethernet cable
(you may need a crossover depending on your ethernet interface's
capabilities to auto-detect) and gave it an IP on the default private LAN
for the new box. After uploading the backup config file and rebooting, it
asks on the console how to map the LAN/WAN/OPT interfaces to the new
device. Set those and go.


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Eugen Leitl
On Wed, Nov 06, 2013 at 09:11:08AM +0200, Thinker Rix wrote:

> Unfortunately the motherboards I plan to buy supports only the
> above-mentioned CPUs.

Anyone running pfSense on a HP Microserver G8?

http://b3n.org/installed-xeon-e3-1230v2-in-gen8-hp-microserver/

These are dual Broadcoms BCM5717 onboard, but you can stick a dual-port
Intel NIC in there as well.

> I have another thread going where I discuss motherboard compatibility
> with pfSense. Should someone report, that finally I could also use
> the other of the two boards (the one with the 1150-socket and the
> C222 chipset), I could use different CPUs:
> - Pentium
> - 4th generation core i3
> - Xeon E3-1200 v3
> 
> In this case I could go for the i3, since it supports AES-NI.
> 
> But I do not expect that the C222 board will be compatible, so I
> most likely will have to stick with the CPUs mentioned above. Which
> one would you pick of those?
> 
> >If you look around online, you will find almost universal
> >agreement that AES-NI significantly improves VPN speed.  This also
> >means that even if you aren't maxing out the VPN's capacity, you
> >will still be saving processor cycles for doing the other stuff
> >that the machine needs to do.
> 
> There is this one thing I want to learn:
> AES NI helps lowering CPU load for encryption/decryption tasks,
> sure. But what happens if the CPU is not under full load? Will there
> still be an advantage then, i.e. because the CPU can perform the
> de/encryption *faster* when having AES NI support, so that the VPN
> latency might be reduced, so that e.g. VoIP-over-VPN would improve?
> Or is it the case that there is no difference, as long as the CPU is
> not under full load, because all that AES NI does, is allow the CPU
> to compute with less resources?
> 
> Thank you for your time!
> 
> Thinker Rix



Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Chris Bagnall

On 6/11/13 7:11 am, Thinker Rix wrote:

> Unfortunately the motherboards I plan to buy supports only the
> above-mentioned CPUs.
> - Pentium
> - 4th generation core i3
> - Xeon E3-1200 v3


If your board supports a Core i3, it is *very* unlikely that it won't 
also support the i5 of the same generation (i.e. socket 1155, Sandy/Ivy 
Bridge cores) - given that i3 -> i5 -> i7 is an easy performance 
differentiator for system integrators, who will likely be using the same 
board across their range.


Out of interest, any reason you're not looking at the newer Haswell core 
chips (i.e. socket 1150) - from what I've read their power consumption 
is a fair bit lower than previous Sandy/Ivy Bridge cores?


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Michael Schuh
i have several different Systems running,
including an old 3GHz Intel Pentium D-CPU with 2GBytes ECC Memory:
4 Nic,  throughput max (so far): 115 MBytes/s at 20k irqs (no polling
enabled, no special tweaking)
1 Nic is Broadcom,  1 Nic is Intel Pro1000 Desktop Adapter, the other two
Nic are an Intel Pro 1000 Dual Port Server Adapter.
Memory is a bit short in this system, but it runs fine.

others Systems p.e. run with Core2Duo 2,66GHz (E7300) another one with a
Pentium 2,9GHz (G2020)
the last one i wouldn't recommend for high throughput and low latency. the
reaction times and the latency rises up fast
if the throughput rises or if i add some VPN-Tunnels( AES-256).

so i would recommend also the Corei5, the core i3 IMO comes close to a
Pentium CPU.

I myself keep the Celeron CPU's far away from me. except for small embedded
systems in the lower range.

Corei7 or Xeon is way too much for my taste and feeling.

hth.

= = =  http://michael-schuh.net/  = = =
Projektmanagement - IT-Consulting - Professional Services IT
Rev. Michael Schuh
*Ordained Dudeist Priest *
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = =  Ust-ID:  DE251072318  = = =


2013/11/6 Thinker Rix 

>  Hi Moshe,
>
>
> On 2013-11-06 08:35, Moshe Katz wrote:
>
>
>> Price     Name     Socket  Cores  Threads  Cache  Clock default  Clock Turbo
>> 33.69 €   Celeron  1155    2      2        2 MB   2.7 GHz        --
>> 44.31 €   Pentium  1155    2      2        3 MB   2.9 GHz        --
>> 93.77 €   Core i3  1155    2      4        3 MB   3.4 GHz        --
>> 167.25 €  Xeon     1155    4      4        8 MB   3.1 GHz        3.5 GHz
>>
>> The Xeon has hardware support for AES encryption that might speed up VPN
>> traffic?
>>
>> Which of the CPUs do you advise me to pick?
>>
>> Thanks for any feedback,
>>
>> best regards
>>
>> Thinker Rix
>>
>
>  I don't see a Core i5 on that list.  See if you can get one of those.
>  It'll be between the i3 and the Xeon in price, but will have the AES-NI
> instruction set.  (It will also have 4 physical cores instead of the i3's
> dual cores with hyperthreading.)
>
>
> Unfortunately the motherboards I plan to buy supports only the
> above-mentioned CPUs.
> I have another thread going where I discuss motherboard compatibility with
> pfSense. Should someone report, that finally I could also use the other of
> the two boards (the one with the 1150-socket and the C222 chipset), I could
> use different CPUs:
> - Pentium
> - 4th generation core i3
> - Xeon E3-1200 v3
>
> In this case I could go for the i3, since it supports AES-NI.
>
> But I do not expect that the C222 board will be compatible, so I most
> likely will have to stick with the CPUs mentioned above. Which one would
> you pick of those?
>
>
>   If you look around online, you will find almost universal agreement
> that AES-NI significantly improves VPN speed.  This also means that even if
> you aren't maxing out the VPN's capacity, you will still be saving
> processor cycles for doing the other stuff that the machine needs to do.
>
>
> There is this one thing I want to learn:
> AES NI helps lowering CPU load for encryption/decryption tasks, sure. But
> what happens if the CPU is not under full load? Will there still be an
> advantage then, i.e. because the CPU can perform the de/encryption *faster*
> when having AES NI support, so that the VPN latency might be reduced, so
> that e.g. VoIP-over-VPN would improve? Or is it the case that there is no
> difference, as long as the CPU is not under full load, because all that AES
> NI does, is allow the CPU to compute with less resources?
>
>
> Thank you for your time!
>
> Thinker Rix
>