PfSense + and QAT w/Intel Quick Assist Adapter 8950

To start off I’m a networking noob. I’m considering getting a Intel Quick Assist Adapter 8950 to play with and to speed up my VPN. How overkill would this be or would I just be wasting 40w of power for the card?

Since PfSense Plus is available for home users now useful is QAT?

Pfsense 22.01, QAT w/Intel Quick Assist Adapter 8950, PIA OpnVPN, on a 200 Mbit line?

My system:

Pfsense 22.01-RELEASE (amd64)

Intel(R) Pentium(R) Gold G5400T CPU @ 3.10GHz

4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads

AES-NI CPU Crypto: Yes (active)
QAT Crypto: No

pfSense Plus software:

Support for Intel® QuickAssist Technology, also known as QAT.

QAT accelerates cryptographic and hashing operations on supported hardware, and can be used to accelerate IPsec, OpenVPN, and other OpenCrypto Framework-aware software.

Supported hardware includes many Intel-based systems sold by Netgate (e.g. XG-7100, SG-5100) and add-on cards.

From the FreeBSD man page:

The qat driver supports the QAT devices integrated with Atom C2000 and C3000 and Xeon C620 and D-1500 chipsets, and the Intel QAT Adapter 8950.

It can accelerate AES in CBC, CTR, XTS (except for the C2000) and GCM modes, and can perform authenticated encryption combining the CBC, CTR and XTS modes with SHA1-HMAC and SHA2-HMAC. The qat driver can also compute SHA1 and SHA2 digests.strong text

I have not done any testing with QAT.

1 Like

OMG! You want QAT.
Since pfsense+ became available to the general public on their own hardware I could not get a real answer about QAT/Intel QuickAssist Cryptographic Hardware PCIe cards.
Except one post from Stephenw10 on the netgate forums:
“Run kldstat to check the module is loaded. We are aware he dashboard doesn’t report it yet. A fix for that is incoming. You won’t see much advantage with OpenVPN it accelerates IPSec more.
I’m just a home user/networking noob on a 200Mbit line. I’m running PIA VPN. OpenVPN with surricata through my own built pfsense+ pc/router box. QAT speeds up everything. Everything is instantaneous. There used to be lag, a delay, between when you hit the button and when the page or video loaded. Not anymore. It’s instantaneous as soon as you hit the button. There is no more waiting after you fast forward for the video to catch up. It just plays.
Everything is faster/instantaneous (Page/site loads, Youtube videos, Pron, even Plex x265 files).
Since going to digital TV tuners there is a delay when switching channels after you hit the button to switch. Using AES-NI the delay was longer than the digital tv tuner channel change. With QAT as soon as you hit the button on the remote to change youtube channel it’s instantaneous. Viewing Plex x265 files from my server (intel10850/3090) to my TV, when you would fast forward it would take time for the video to catch up (nvidia shield) or even play 4k files on first gen/older model plex x265 players (roku). No lag on anything anymore.
I bought a “Intel IQA89601G1P5 IQA89601G1 QuickAssist Adapter 8960 NEW” for around $150.00 and decided to try it out. Intel made 8950, 8960, 8970 PCIe QAT cards. They just take up a pcie slot. 8950 requires an external power connector to the psu to work and it uses twice the wattage as the newer 2nd gen 8960/8970. The 8960 and 8970 get their power directly from the pcie bus. 8960 is a pcie3 x8 card. 8970 is a pcie3 x16 card. I was not able to get the 8960 to work in a pcie3 x16 slot. The computer just would not boot in any configuration with the 8960 in a x16 slot. The 8960 card does work in a pci3 x8 and pcie3 x4 slot and uses ~21watts. I have mine in a pcie3 x4 slot and QAT is extremely, noticeably, faster than AES-NI.
That’s just for OpenVPN. IPSec is supposed to be even faster.
Get you one if your motherboard will support it!! You will not be disappointed.

intel 8960 QAT

Speed tests through VPN with 8960 QAT card. Before with traffic shapers on the best speeds I was able to get was 190/20 on a 200/20 Mbit line. Now with the QAT card I am getting full saturation/use of the line 220/21.

Torrents are faster as well

I have a c3558 cpu that has QAT. In the pfsense welcome screen it says QAT yes (inactive). I am running the consumer edition. I did manage to upgrade to the plus edition following the instructions in this link. It upgraded from a new install of pfsense ce 2.6.0 with no hitch. It will say QAT yes (inactive). If you go to Advanced >> Miscellaneous there will be a new option available under hardware crypto for QAT. Just select that and you are all set.

What is the result with “QAT on chip” compared to AES-NI? Are you seeing the same results as the add-in card?

Not good. It might have made a slight difference of 10% or so. The odd thing is that using the C3558 as pfsense gave me a VPN speed of about 80 Mbs. Whilst my existing router based on a Celeron C3865U, bought 5 years ago, was getting about 400 Mbs over VPN. I have a gigabit connection and I was exploring ways to increase the speed. I also tried it with a supermicro A1SM -2758. With that CPU I achieved only 60 Mbs. The specs for the 2758 indicate it has QAT, but it wasn’t active when I was testing. I am a bit confused as to what the difference is in the netgate 6100 since it has the same CPU, but they quote gigabit VPN speeds. I know there are a lot of settings and packages that could come into play and slow things down. However, I don’t have a lot of extra stuff running on my pfsense.

I was able to get the Intel QAT 8960 working in a pcie3 x 16 slot. I just needed to drop the bios setting for that pcie slot down to “gen2” from auto (gen 1, gen 2, and gen 3). Speed boost is noticeable again, going from pci3 x4 slot to pci3x16 to get full x8 speed from the card.

Alright, who was it? LOL

Someone bought up all the new 8960’s, approx 250+, and all the reasonably priced 8970’s available.

Can you tell me about it? Can you tell me the difference you see between the 8960 and 8970?

Hi @Cudzu,

I bought an Intel QuickAssist 8970 card (model IQA89701G1P5) on eBay and tested it on pfSense Plus 22.01 with no success, unfortunately. I loaded the driver, configured the Miscellaneous thing but looks that it’s only compatible up to 895x cards, not yet with the 8970 one.

I have two other 8950 that are needing additional riser cables to provides them additional power and I’m going to test by tomorrow how it performs. I’m looking to offload my OpenVPN and HAProxy SSL traffic using QAT. Let’s see!

Sorry to hear the 8970 didn’t work right away for you. “Loaded the driver?” What do you mean? The driver should be built into pfsense/freebsd. Did you load the intel driver on top of pfsense or do you mean upgraded to pfsense+ 22.01?

It was plug and play with PfSense + 22.01 for me and an 8960 card. The 8960 and 8970 are the same family so I don’t see why the 8970 wouldn’t work. As far as software goes, I just upgraded to pfsense + 22.01 and changed the system/advanced/misc/cryptographic hardware menu to QAT. On the hardware side I have a pciex16 and pciex4 slot, It was plug and play with the pciex4 slot. The pciex16 slot I needed to change a bios setting for that slot from auto to gen2 (1/2/3/auto) to get the pfsense software to see it.

Are you using a pcie3x16 slot for the 8970? Maybe DOA card? Just trying to think of possible solutions.

since I forgot to provide links with my first post…
Intel Quick Assist Adapter 8960/8970
Intel quickassist adapter 8950
Intel® QuickAssist Adapter Family 8960/8970

Could be a DOA card as well, I agree. Anyway, I returned the card to the seller that was supposed brand new.

I used a PCIe x16 card as needed and I also posted on pfSense Forum and “Stephenw10” told me that the drivers is only to 895X and specific PCI cards, like you can see on this link below:

Did you have 8960 working plug and play on pfSense Plus 22.01, right? When I say I loaded the driver I mean that I changed the system/advanced/misc/cryptographic hardware menu to QAT.

@Cudzu the Intel 8970 card that i bought last week should be DOA for sure. It was costing like $500 and I made an offer of $250 and the seller prompted accepted.

Now I’m looking for others 8970 cards in eBay and the prices are prohibitive, the sellers are asking for more than $700.

“Did you have 8960 working plug and play on pfSense Plus 22.01, right?” Yes I have a 8960 installed and working just fine. It’s awesome. the pict , in my second post, of the pfsense cpu/crypto with QAT active, is when it was in my pcie3 x4 slot. It was just plug and play in that slot. I’ve moved it to my pcie3x16 slot now and it’s working great. BUT, the 8960 in the x16 slot seemed to be DOA at first until I changed the bios settings for the x16 slot.

Yeah, someone bought up all the “new old stock” 8960’s, about 250 cards. They disappeared on the 2nd hand market, not long ago, and all the reasonably priced 8970’s disappeared at the same time. Since then prices have escalated dramatically.

I’d really like to try a 8970 myself, but cost of the card ,and the fact that I’m not really using it to it’s potential; I can’t justify it.

Maybe the 8970 uses two of the same chip in the 8950/8960 to get 100g throughput and pfsense doesn’t recognize it?

Pretty cool @Cudzu, congratulations. Unfortunately I didn’t have luck with my “brand new” 8970 on a Dell Server R720xd using a x16 PCIe riser. I thought it was working because the temperature on my pfSense was like 40 celsius and when I removed the card it dropped do around 30 celsius.

The seller accepted the returns so fast, which let me to think that the card was really DOA. Anyway, tomorrow I’m going to test my 8950 ones to see how it works. I have a cloud provider and it could make a huge speed improvement for me if reliefs my CPUs from deal with cryptographic stuff.

Fingers crossed it works out for you. :crossed_fingers: :smiley: My processor usage actually went up from about 10% to 27%. Since it’s not bogged down having to do crypto anymore my line throughput is faster/higher and requires more processor power for suricata.

Are you sure that your 8960 card is doing what is supposed to do? What’s the output of this command below please?

sysctl -a | grep qat

I was working on this when I was distracted a few times before your previous msg.