Co-lo + 5 (or more) sites....connect 'em all

FATeknollogee

@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

2. How much over IPsec: as much as I can get!

What does this even mean?

As much of the available bandwidth (per site) as I can get, this is definitely hardware constrained by the router used.

JaredBusch

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

3. Features: mainly Site to Site VPN

Duh, that was that point of the entire thread.

What are you doing over the tunnel?

S2S!! Like you said, this is the point of the thread.

No, the tunnel is for site to site. But that means shit. What is going through the tunnel. That is what matters.

FATeknollogee

@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

No, the tunnel is for site to site. But that means shit. What is going through the tunnel. That is what matters.

Ahh, I missed the question.
Mainly RDP type traffic.

JaredBusch

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

No, the tunnel is for site to site. But that means shit. What is going through the tunnel. That is what matters.

Ahh, I missed the question.
Mainly RDP type traffic.

So you are making a tunnel for a tunnel.
WTF are you pushing over RDP that needs 400mbps?

You should have no need for those speeds.

FATeknollogee

@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

So you are making a tunnel for a tunnel.

I guess you could call it that!

WTF are you pushing over RDP that needs 400mbps?

I'm just trying to take advantage of the solid connections at both ends

You should have no need for those speeds.

JaredBusch

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

So you are making a tunnel for a tunnel.

I guess you could call it that!

WTF are you pushing over RDP that needs 400mbps?

I'm just trying to take advantage of the solid connections at both ends

You should have no need for those speeds.

Right, pop an ER4 in every location and pin up solid IPSEC connections and you will run smooth.

On the rare occasion that you pull more than a few mbps at any one site, you will still be good for it.

Or if you rally want more, then spin up vyatta on your own hardware, or pfSense, or TNSR. Just don't use OpenVPN. Use IPSEC.

FATeknollogee

@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

...pfSense, or TNSR. Just don't use OpenVPN. Use IPSEC.

Yep, heard that a few times...no OpenVPN.

pfSense + TNSR sounds interesting, just not sure if it's worth the "hassle" procuring my own hardware (which really isn't a big deal) vs ER4.
It's probably not a bad idea to at least speak w the pfSense folks.

scottalanmiller

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

pfSense + TNSR sounds interesting, just not sure if it's worth the "hassle" procuring my own hardware (which really isn't a big deal) vs ER4.

Exactly, this is where I think we all are... there is a really, REALLY simple and supported solution that nearly everyone uses and works SO well.

And then there is "playing around with all kinds of projects just to be weird' which is what the other feels like. If you don't have some documented need for that, I wouldn't even consider it.

scottalanmiller

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

It's probably not a bad idea to at least speak w the pfSense folks.

It's always a bad idea to ask a vendor a question like this. Always.

FATeknollogee

@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:

It's always a bad idea to ask a vendor a question like this. Always.

If I chose to go this route, I def wouldn't use their appliance.
My question for them would be: what hardware & encryption levels are needed to achieve 500+ Mbps?

scottalanmiller

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

My question for them would be: what hardware & encryption levels are needed to achieve 500+ Mbps?

I doubt that pfSense provides that kind of consulting if you aren't buying their stuff.

scottalanmiller

I'd use VyOS before pfSense for this.

FATeknollogee

@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:

VyOS

Ok, will check it out!

scottalanmiller

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:

VyOS

Ok, will check it out!

Linux based router OS. Built from the same original code that EdgeOS comes from.

1337

@FATeknollogee
I did a test. I get 840 Mbps IPsec between two servers running xcp-ng and one pfSense in each. 4 vCPU 2.5GHz Xeon E5.
This was over 1GbE and with NAT, packet filtering, I/O overhead of Xen etc.

I expected more but was too lazy to try on bare metal. But I would assume it's faster, also a newer CPU with higher clock frequencies would likely give it another boost.

If you want a lot more speed you can add an accelerator card. Intel has their Quick Assist Technology and a card that can do up to 50 Gbps is priced around $650.

FATeknollogee

@Pete-S pfSense? What did you test with?

Dashrender

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

@Pete-S pfSense? What did you test with?

I would guess from his wording - two xcp-ng hosts, each with a PFSense VM, directly connected to each other, this would take the ISP out of the equation and show max throughput for his given setup (4 vCPU, no RAM listed).

JaredBusch

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

@Pete-S pfSense? What did you test with?

iperf is the standard tool for this.

1337

@Dashrender said in Co-lo + 5 (or more) sites....connect 'em all:

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

@Pete-S pfSense? What did you test with?

I would guess from his wording - two xcp-ng hosts, each with a PFSense VM, directly connected to each other, this would take the ISP out of the equation and show max throughput for his given setup (4 vCPU, no RAM listed).

Yes. And it was 2GB RAM.

@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

@Pete-S pfSense? What did you test with?

iperf is the standard tool for this.

Correct. iperf (v3.6) with a couple of parallel streams.

FATeknollogee

@Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:

@FATeknollogee
I did a test. I get 840 Mbps IPsec between two servers running xcp-ng and one pfSense in each. 4 vCPU 2.5GHz Xeon E5.
This was over 1GbE and with NAT, packet filtering, I/O overhead of Xen etc.

I expected more but was too lazy to try on bare metal. But I would assume it's faster, also a newer CPU with higher clock frequencies would likely give it another boost.

If you want a lot more speed you can add an accelerator card. Intel has their Quick Assist Technology and a card that can do up to 50 Gbps is priced around $650.

How much RAM?
Did you check CPU usage?