Pfsense - Cryptographic Accelerator Support

mikeys · October 9, 2023, 8:05am

I made the assumption you enable all the Cypto options possible, RAND, QAT and IPsec-MB in my case. Wireguard I’ve read benefits from IPsec-MB and OpenVPN QAT.

I have found OpenVPN with DCO unreliable compared to when it’s turned off, so need to review the config. This is one of the reasons I looked at Wireguard for IOS devices.

I’m currently using a Sophos XG125 Rev3 with an Intel Atom C3508. I normally run Sophos XG, but explored pfsense again for some of the finer detailed options. I also have a XG210 Rev 2 unit that is currently sat as a spare. That’s got an Intel G4400 CPU.

Interested in v20 of Sophos XG Home, but will have to look at letsencrypt options separately and separate wireguard setup if required.

Within the Netgate article it states " IPsec-MB can be loaded alongside other cryptographic modules without conflicting, so it is separate from the other options. That said, when it is enabled it will take over acceleration of all its supported algorithms even if other options could potentially be faster (e.g. QAT). "
So to achieve the perfect setup, my assumption is I need to delv into the system tunables?

LTS_Tom · October 9, 2023, 10:44am

You turn it on under “System → Advanced” the look for “Cryptographic & Thermal Hardware”

As noted in the documentation “Some modules and hardware are only supported by pfSense® Plus software.”

https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html

mikeys · October 9, 2023, 11:04am

Hi Tom,

Yes I’ve done that, but it’s a case of is it recommended to pick and choose the cyptographic options based on requirement. Having QAT and IPsec-MB doesn’t cause issues or do they happily co-exist etc

Sorry I’m rubbish at trying to explain / question.

LTS_Tom · October 9, 2023, 7:27pm

I am not aware of any issues.

mikeys · December 24, 2023, 8:35pm

How much of a performance difference is there generally between AES, QAT and IPsec-MB for VPNs.

Running pfsense + atm on a Sophos XG125 Rev 3 that support QAT via CPU. It has a TAC-Lite license assigned to until 04/25, but I may ask if it can be moved. Consolidating kit too as I sold the Dell R220, great box. Mulling selling of the XG125 Rev2 and reverting to the XG230 Rev 2 that I have spare that has pfsense CE.

I have IPSEC VPN S2S to another pfsense unit for management purposes.
OpenVPN for Windows laptop
Wireguard for iPads and iPhone devices.

Not running any PIA VPN services, tried it a few years ago, but didn’t see the need.

CPU on the XG230 Rev 2 - Intel(R) Pentium(R) CPU G4400 @ 3.30GHz (did wonder if any 1151 CPUs that support QAT) (CPU maybe swapped for i3-6100T, I know no QAT support)

CPU on XG125 Rev 3 - Intel(R) Atom™ CPU C3508 @ 1.60GHz

mikeys · December 29, 2023, 10:34am

This answers my QAT vs IPsec-mB question FYI