Hey guys, I am wanting to get a PFsense router installed between my 1 Gbps ATT modem and my home network. My current Nighthawk router is starting to flake out and I want something a bit more awesome. I also want to stick it to the man and start traffic shaping some of my WAN traffic through a VPN managed by Pfsense, probably going to use PIA for the VPN.
All of that said… I know you can buy official hardware from Pfsense, but I have read mixed reports on the SG-2220 & SG-2440 handling 1 Gbps and VPN without significant slowdowns, and the SG-4860 seems a bit too expensive for what you are getting. Also anything with a J1900 is out for lack of AES Hardware Encryption, and the Atom C2XXX seems to have a bug impacting Pfsense,
Has anyone setup their own Pfsense with a 1 Gbps connection and VPN? How did it work out? What did you end up using? Any advice before I start ordering stuff willy nilly?
No 1Gbps for me, but you can certainly get a PfSense router to handle that traffic even with a VPN.
I bought a 'old' Dell Optiplex 780: which has a 4 core Xeon at over 3 Ghz, just for $80. With my speed of 60mbps, it is completely being under-utilized. So if you get a 'proper' PC as your router, you're guaranteed to get enough horsepower for your needs.
I'll be experimenting with my Up-board² to see how well it can handle various network loads. I don't have Gigabit, but the chips these machines use do have AES-NI, so it should work fairly well. It will handle gigabit throughput on a LAN by my reckoning, but I don't know how well it will handle moving all those packets over the actual internet.
A full desktop machine based on something like an old i3 or i5, maybe even an old Core 2 Xeon would most likely work very well indeed for gigabit, though.
I'll do testing but what I can do is limited by both my experience and my ISP, so... yeah... if it does well, though, it could be very compelling since the base model is under $100. (unless the shipping puts it over, but meh)
Maybe do something along these lines? https://pcpartpicker.com/list/L66pWX Hyperthreaded pentium on a board with dual intel nics as well as wireless. The pentium does also have the AES stuff to speed up vpn connections, which should make that a breeze.
I am, from what I researched you really don't have any options besides using their modem/router. Although I am just DMZ forwarding everything to my Nighthawk router.
I have no experience with this so take that for what it's worth. But any half decent modern chip with aes-ni will be able to handle the VPN encryption. As for the firewall the speed isn't really that important, what matters is the packets per second that will be processed by the firewall. So you can have gigabit but if you only have a handful of users then you don't need anything too crazy as far as hardware.
Also keep in mind that if you can't put your ISP router in to bridge mode then it is still processing everything through its firewall even if you're using DMZ mode to forward everything (NAT is part of the firewall) so that is going to be your limiting factor in most configurations.
one thing ive havent seen anyone mention is that speedtests of 1Gbps+ will almost never be 1Gbps. the servers most of the time wont even have that fast of a connection. if it does then it might be shared between different server and/or under some load
It's dependent on what cipher you use, but the small ones from pfSense can not do gigabit throughput on a typical VPN. A J1900 is not up to snuff either, it doesn't have any crypto accel. The 2440 and bigger has Intel Quickassist, problem is that it isn't fully supported yet, might be in pfSense 2.4 (haven't checked lately). I admin a SG-2440, and I have trouble getting good speeds over the VPN with AES-256-CBC. I need to investigate so can't say what the problem is yet. However, it will probably never do gigabit speeds over VPN. Remember that OpenVPN is single threaded nowadays (3.0 might be multi-thread), so one fast core is more important than many slow. FreeBSD/pfSense seems to be better at AES-GCM compared to AES-CBC and OpenVPN 2.4 has implemented support for AES-GCM, is available in the pfSense 2.4 beta I think.
Cheapest way to get gigabit speeds is probably what @TheCaveman suggests, a Mini-ITX board with a Pentium that has AES-ni. If you need more network ports, just add a multi-port Intel NIC. Important parta bout the board is that it has Intel NIC's really. Might work with realtek, but don't bet on it.
I use a Shuttle DS57u as a firewall at home. I connect it to a VPN running the AES-256-CBC cipher, one core of the Celeron 3205U 1.5GHz (low power broadwell, no AES) gets maxed out at about 200Mbit. My connection is 250Mbit.
Edit: Screenshot of htop on my fw while downloading Star Citizen (amazon):
While I have never "stuck it to the man" I have considered it and though my research I have stumbled upon these beauties http://www.pcengines.ch/index.htm Perfect for your new router with pfsense/opensense