Replacing Sonicwall SOHO 250 with pfSense

Just throwing this one out to see if anyone has any ideas on this one …

I have a client who has a Sonicwall SOHO 250 and runs a VPN on it - they do not have admin access, and the previous provider is not giving us the access we need to review the configs!

I put a pfSense CE 2.6.0 (for the moment) in place to test, and when I configured the OpenVPN, performance was brutal - the primary medical application that they use (Socrates over here) worked, but some sections where they had to do large queries just died - so basically the client could access it, but slowwwwww …

I then tried an IPsec VPN, and although I can ping the server that they need to access, the application was totally unusable - it couldn’t connect to the server at all (it uses SQL and file shares)

OpenVPN is configured as:

IPsec is configured as:

Is there anything I can do on pfSense to “tweak” the VPN performance to a point that it can be used?

There will also be a Site-to-Site VPN being configured between 2 x pfSense boxes as soon as I get this issue resolved …

Thanks

What are the specs for your current pfsense box? Does the CPU support AES-ni?
If so, is it enabled?
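An added check, not from the thread: grepping dmesg for "cpu" does not answer the AES-NI question, so this small POSIX sh script reads FreeBSD boot output (dmesg or /var/run/dmesg.boot) for the CPU's Features2 flag list and for the aesni(4) driver attach line. The sample logs are constructed; the hex values, the aesni0 messages and the pfSense menu path are assumptions based on FreeBSD's cpu and aesni(4) console output.

```shell
#!/bin/sh
# Added example (not the thread's own commands). Classify a FreeBSD/pfSense
# boot log: does the CPU advertise AESNI, and did the aesni(4) driver attach?

# Usage: aesni_status <dmesg-text>  -> prints exactly one of:
#   unsupported : CPU Features2 list has no AESNI flag (nothing to enable)
#   not_loaded  : CPU has AESNI but no aesni0 attach line (assumed: module not
#                 loaded; on pfSense see System > Advanced > Miscellaneous)
#   enabled     : aesni0 attached and lists AES modes
aesni_status() {
    log="$1"
    if ! printf '%s\n' "$log" | grep -q 'Features2=.*<.*AESNI'; then
        echo unsupported; return 0
    fi
    if printf '%s\n' "$log" | grep -q '^aesni0: <AES'; then
        echo enabled; return 0
    fi
    echo not_loaded
}

# Constructed sample: an Atom D525 style log (no AESNI in Features2).
D525_LOG='CPU: Intel(R) Atom(TM) CPU D525   @ 1.80GHz (1795.74-MHz K8-class CPU)
  Features2=0x40e31d<SSE3,DTES64,MON,DS_CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE>
aesni0: No AES or SHA support.'

# Constructed sample: a J4125 style log with AESNI and the driver attached.
J4125_LOG='CPU: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz (1996.80-MHz K8-class CPU)
  Features2=0x4ff8ebbf<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,RDRAND>
aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard'

# Constructed sample: same CPU, but aesni(4) never attached.
J4125_NOMOD_LOG='CPU: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz (1996.80-MHz K8-class CPU)
  Features2=0x4ff8ebbf<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,RDRAND>'

# Walk the samples, then optionally the live box: ./aesni_check.sh --live
for s in "$D525_LOG" "$J4125_LOG" "$J4125_NOMOD_LOG"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(aesni_status "$s")"
done
if [ "${1:-}" = "--live" ]; then
    aesni_status "$(cat /var/run/dmesg.boot 2>/dev/null || dmesg)"
fi
```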

Running dmesg | grep -i cpu from the GUI returns:

CPU: Intel(R) Atom™ CPU D525 @ 1.80GHz (1795.74-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: on acpi0
CPU: Intel(R) Atom™ CPU D525 @ 1.80GHz (1795.74-MHz K8-class CPU)

I’ll have access to the physical unit later on today … and can run this from the shell at that point

According to the Intel site, this CPU does not have “AES New Instructions”

This CPU is a 12 year old low end Atom CPU. Even when it was new it was positioned at the bottom end of the spectrum. According to PassMark - Intel Atom D525 @ 1.80GHz - Price performance comparison it has a passmark score of only 390! I hate to say it, but I think there is no way you can get even close to usable VPN speeds with this CPU.

Cheers for this - but not for the fact that it won’t do what I want!!

What about the Intel J4125 - 3 years old, but does support “AES New Instructions”

I don’t have any benchmarks. But it has about eight times the raw compute power of the Atom D525 and it can offload encryption and decryption thanks to AES-NI. So yes it should be able to handle a few IPsec connections with AES encryption just fine.


Thanks for this feedback

So looking at alternates for this, and wondering which of the following would support:

  • Up to 5 IPsec mobile VPN connections (on a normal day 1 all day, and maybe 2 more at various times)

plus

  • IPsec site-to-site connection (up to 6 users accessing the application across this)

The choices of devices that I have available at the moment are:

Both devices that I have available to me for this have 6 x 1GB cards (1 x WAN, 5 x LAN), etc., 4GB RAM and 32GB SSD.

The J4125 is newer (2019) than the 2430M (2011), and has more cores.
Both support AES-NI.

I guess at this stage my question would be, which would be the preferred device, and are they sufficient to support this level of activity over the VPN?

I’m thinking that the J4125 would be the better option, but would like to get advice on this before landing in client site with new devices for them.

Here is a link with some hardware considerations to what you’re looking for:

https://docs.netgate.com/pfsense/en/latest/hardware/size.html

How about you buy a Netgate firewall (4100 or 6100) that is the equivalent of the SonicWall for starters, so you will get a guaranteed product AND support for at least 1 year. Also, you will not have any performance issue with encryption/decryption over either SSL VPN or IPsec VPN.
If this is for a commercial use, buy the right product, it will be well worth the price.

My opinion doesn’t really matter, since my application is highly different. Although it’s mostly related to home lab, many of my relatives and colleagues were so impressed with the setup that I have (for better or worse) per their request set up the systems for them, and some have been running with uptimes in years and very little maintenance, all managed via site-to-site connections.

I mostly use the inexpensive Aliexpress fanless Atom devices (now 5105 or 5100-based, but 4125 is ok still for most applications) or if needed quickly Protectli since they can be bought off amazon. However, given what you’re describing is a business application, I think it’s worthwhile to purchase a supported product, so purchasing a device from Netgate is likely the way to go.

From a purely technical standpoint, I think the performance isn’t great because Atom 525 is just an old system.

From my recent experiences if running site-to-site VPN AND fairly robust Snort and PfblockerNG rulesets, you need at least an Atom J4125 to get near line speeds via wireguard VPN for a single site-to-site connection on a 1Gbps link. The new 5105 atoms seem to have substantially better performance for the same power consumption.

Servethehome has great reviews of some of the less expensive J5105 up to 6005 units, as well as a couple of low-end i7 fanless systems (that likely need a fan), but I don’t think I would use that in a business environment.

If there’s MANY users and multiple sites that require truly high performance (or if you need >1Gbps links), I would actually think of either purchasing a much higher end Netgate product, or using a Xeon or Epyc-based server-board-based custom build. There are options that will get you many times the performance of the Xeons, with IPMI and ECC RAM.

Again, I would look at servethehome as a good resource for this tech.