https://blog.pfsense.org/?p=1626
Speaking of the next-gen work: Preliminary results from Matt Smith have yielded 2.8Mpps on a c2758, and 14.88Mpps on a 12 core X5680 Xeon box. Note that these are (millions of) packets per second, not (billions of) bits per second, and that 14.88Mpps is line rate on a 10G card. This is with reassembly, packet filtering, forwarding and (re)-fragmentation running in a fast-forwarding kind of way.
Part of the difference between the two platforms is that the packet filtering code performs an N-tuple search over a set of rules with multiple categories and finds the best match (highest priority) for each category. (Succinctly, it is not pf, though it is designed to implement something a lot like pf.) On platforms which support AVX/AVX2, this code runs in vector registers, but the C2758 doesn't support these, so the code has to run scalar.
https://blog.pfsense.org/?p=1588
And finally, pfSense will move to use even more advanced encryption techniques for IPsec, TLS and OpenVPN. It should be well-known by now that Netgate and the FreeBSD Foundation co-sponsored a project to enable AES-GCM for IPsec, enabling faster encryption speeds on Intel and AMD processors that support AES-NI instructions. On a pair of fast quad core Xeon systems we can run IPsec at over 2Gbps now. More speed is possible, and I expect the first results showing this to be a port of Intel's QuickAssist. On a C2758, this should provide around 8Gbps of IPsec throughput. Other, more exotic QuickAssist hardware exists to take this throughput to 40Gbps and beyond. Additionally, more speed can be had from better pipelined implementations of AES-GCM and AES-CBC on existing and near-future Intel CPUs. In particular, SHA1 and SHA256 can be accelerated via AVX2 instructions, reducing the time required for AH processing in IPsec (and its similar processing in OpenVPN and OpenSSL) on processors that support AVX/AVX2.
What NIC did you guys pair up with those setups? I would like to stick with a hardware Intel dual or quad low profile card.
OpenVPN performance won't happen as it's currently designed, I have no idea why they're trying to imply that.
No, you have too much context swapping between kernel and userland in OpenVPN. IPSec is in kernel which is a completely different story. This has already been attempted in the past...