pfSense - Cryptographic Accelerator Support

I made the assumption you enable all the Crypto options possible, RAND, QAT and IPsec-MB in my case. WireGuard I’ve read benefits from IPsec-MB and OpenVPN QAT.

I have found OpenVPN with DCO unreliable compared to when it’s turned off, so need to review the config. This is one of the reasons I looked at WireGuard for iOS devices.

I’m currently using a Sophos XG125 Rev3 with an Intel Atom C3508. I normally run Sophos XG, but explored pfSense again for some of the finer detailed options. I also have an XG210 Rev 2 unit that is currently sat as a spare. That’s got an Intel G4400 CPU.

Interested in v20 of Sophos XG Home, but will have to look at Let’s Encrypt options separately and separate WireGuard setup if required.

Within the Netgate article it states “IPsec-MB can be loaded alongside other cryptographic modules without conflicting, so it is separate from the other options. That said, when it is enabled it will take over acceleration of all its supported algorithms even if other options could potentially be faster (e.g. QAT).”
So to achieve the perfect setup, my assumption is I need to delve into the system tunables?

You turn it on under “System → Advanced”, then look for “Cryptographic & Thermal Hardware”.

As noted in the documentation “Some modules and hardware are only supported by pfSense® Plus software.”

https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html

Hi Tom,

Yes, I’ve done that, but it’s a case of is it recommended to pick and choose the cryptographic options based on requirement. Having QAT and IPsec-MB doesn’t cause issues or do they happily co-exist etc.

Sorry I’m rubbish at trying to explain / question.

I am not aware of any issues.