Co-lo + 5 (or more) sites....connect 'em all
-
@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:
...pfSense, or TNSR. Just don't use OpenVPN. Use IPSEC.
Yep, heard that a few times...no OpenVPN.
pfSense + TNSR sounds interesting, just not sure if it's worth the "hassle" procuring my own hardware (which really isn't a big deal) vs ER4.
It's probably not a bad idea to at least speak w the pfSense folks.
-
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
pfSense + TNSR sounds interesting, just not sure if it's worth the "hassle" procuring my own hardware (which really isn't a big deal) vs ER4.
Exactly, this is where I think we all are... there is a really, REALLY simple and supported solution that nearly everyone uses and works SO well.
And then there is "playing around with all kinds of projects just to be weird" which is what the other feels like. If you don't have some documented need for that, I wouldn't even consider it.
-
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
It's probably not a bad idea to at least speak w the pfSense folks.
It's always a bad idea to ask a vendor a question like this. Always.
-
@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:
It's always a bad idea to ask a vendor a question like this. Always.
If I chose to go this route, I def wouldn't use their appliance.
My question for them would be: what hardware & encryption levels are needed to achieve 500+ Mbps?
-
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
My question for them would be: what hardware & encryption levels are needed to achieve 500+ Mbps?
I doubt that pfSense provides that kind of consulting if you aren't buying their stuff.
-
I'd use VyOS before pfSense for this.
-
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:
VyOS
Ok, will check it out!
Linux-based router OS. Built from the same original code that EdgeOS comes from.
-
@FATeknollogee
I did a test. I get 840 Mbps IPsec between two servers running xcp-ng and one pfSense in each. 4 vCPU 2.5GHz Xeon E5.
This was over 1GbE and with NAT, packet filtering, I/O overhead of Xen etc. I expected more but was too lazy to try on bare metal. But I would assume it's faster, also a newer CPU with higher clock frequencies would likely give it another boost.
If you want a lot more speed you can add an accelerator card. Intel has their Quick Assist Technology and a card that can do up to 50 Gbps is priced around $650.
-
@Pete-S pfSense? What did you test with?
-
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
@Pete-S pfSense? What did you test with?
I would guess from his wording - two xcp-ng hosts, each with a pfSense VM, directly connected to each other, this would take the ISP out of the equation and show max throughput for his given setup (4 vCPU, no RAM listed).
-
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
@Pete-S pfSense? What did you test with?
iperf is the standard tool for this.
-
@Dashrender said in Co-lo + 5 (or more) sites....connect 'em all:
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
@Pete-S pfSense? What did you test with?
I would guess from his wording - two xcp-ng hosts, each with a pfSense VM, directly connected to each other, this would take the ISP out of the equation and show max throughput for his given setup (4 vCPU, no RAM listed).
Yes. And it was 2GB RAM.
@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
@Pete-S pfSense? What did you test with?
iperf is the standard tool for this.
Correct. iperf (v3.6) with a couple of parallel streams.
-
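Pete-S's number came from iperf3 with a couple of parallel streams, and the follow-up questions were about RAM and CPU usage. iperf3's -J flag writes a JSON report that already carries the aggregate, per-stream, retransmit and host/remote CPU figures, so this added script (not from anyone in the thread) pulls those out and checks the result against the 500 Mbps goal stated earlier. The embedded report is a constructed two-stream sample, not Pete-S's real output.

```python
"""Summarise an iperf3 -J (JSON) report: throughput, retransmits, CPU load.

Added example for this thread, not code from any poster. The report below is
constructed to resemble a 2-stream TCP run (iperf3 -c <peer> -P 2 -J), trimmed
to the "end" section that holds the totals. All numbers are made up.
"""
import json

SAMPLE_REPORT = json.dumps({
    "end": {
        "streams": [
            {"sender": {"bits_per_second": 430.0e6, "retransmits": 12},
             "receiver": {"bits_per_second": 428.5e6}},
            {"sender": {"bits_per_second": 415.0e6, "retransmits": 7},
             "receiver": {"bits_per_second": 413.0e6}},
        ],
        "sum_sent": {"bits_per_second": 845.0e6, "retransmits": 19},
        "sum_received": {"bits_per_second": 841.5e6},
        # iperf3 reports CPU for both ends; "remote" is the server side.
        "cpu_utilization_percent": {"host_total": 38.2, "remote_total": 41.7},
    }
})


def summarize(report_json: str, required_mbps: float) -> dict:
    """Return aggregate/per-stream Mbps, retransmits, CPU %, and pass/fail."""
    end = json.loads(report_json)["end"]
    # Receiver-side total is what actually made it through the tunnel;
    # sender-side counts bytes handed to the kernel, including retransmits.
    mbps = end["sum_received"]["bits_per_second"] / 1e6
    per_stream = [s["receiver"]["bits_per_second"] / 1e6 for s in end["streams"]]
    cpu = end.get("cpu_utilization_percent", {})
    return {
        "mbps": round(mbps, 1),
        "per_stream_mbps": [round(m, 1) for m in per_stream],
        "retransmits": end["sum_sent"].get("retransmits", 0),
        "cpu_host_pct": cpu.get("host_total"),
        "cpu_remote_pct": cpu.get("remote_total"),
        "meets_target": mbps >= required_mbps,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT, required_mbps=500))
```

A high retransmit count with CPU well under 100% usually points at the path (MTU/fragmentation across the tunnel) rather than crypto cost; CPU pegged near 100% on either end is the signal that a faster clock or an accelerator card is the next step.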
@Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:
@FATeknollogee
I did a test. I get 840 Mbps IPsec between two servers running xcp-ng and one pfSense in each. 4 vCPU 2.5GHz Xeon E5.
This was over 1GbE and with NAT, packet filtering, I/O overhead of Xen etc. I expected more but was too lazy to try on bare metal. But I would assume it's faster, also a newer CPU with higher clock frequencies would likely give it another boost.
If you want a lot more speed you can add an accelerator card. Intel has their Quick Assist Technology and a card that can do up to 50 Gbps is priced around $650.
How much RAM?
Did you check CPU usage?
-
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
@Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:
@FATeknollogee
I did a test. I get 840 Mbps IPsec between two servers running xcp-ng and one pfSense in each. 4 vCPU 2.5GHz Xeon E5.
This was over 1GbE and with NAT, packet filtering, I/O overhead of Xen etc. I expected more but was too lazy to try on bare metal. But I would assume it's faster, also a newer CPU with higher clock frequencies would likely give it another boost.
If you want a lot more speed you can add an accelerator card. Intel has their Quick Assist Technology and a card that can do up to 50 Gbps is priced around $650.
How much RAM?
Did you check CPU usage?
I think that he said 2GB.
-
Update: this is what I ended up with.
Route-based VPN using this guide as a template.
Master site: 1x ER 12 + 1x ER 4
Sites A, B, C & D: 1x ER4 each location
Colo: 1x ER4 & 1x pfSense (SM x10SDV-TLN4F+)