Replacing Sonicwall SOHO 250 with pfSense

Just throwing this one out to see if anyone has any ideas on this one …

I have a client who has a Sonicwall SOHO 250 and runs a VPN on it - they do not have admin access, and the previous provider is not giving us the access we need to review the configs!

I put a pfSense CE 2.6.0 (for the moment) in place to test, and when I configured the OpenVPN, performance was brutal - the primary medical application that they use (Socrates over here) worked, but some sections where they had to do large queries just died - so basically the client could access it, but slowwwwww …

I then tried an IPsec VPN, and although I can ping the server that they need to access, the application was totally unusable - it couldn’t connect to the server at all (it uses SQL and file shares)

OpenVPN is configured as:

IPsec is configured as:

Is there anything I can do on pfSense to “tweak” the VPN performance to a point that it can be used?

There will also be a Site-to-Site VPN being configured between 2 x pfSense boxes as soon as I get this issue resolved …


What are the specs for your current pfsense box? Does the CPU support AES-ni?
If so, is it enabled?

Running dmesg | grep -i cpu from the GUI returns:

CPU: Intel(R) Atom™ CPU D525 @ 1.80GHz (1795.74-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: on acpi0
CPU: Intel(R) Atom™ CPU D525 @ 1.80GHz (1795.74-MHz K8-class CPU)

I’ll have access to the physical unit later on today … and can run this from the shell at that point

According to the Intel site, tjis CPU does not have “AES New Instructions”

This CPU is a 12 year old low end Atom CPU. Even when it was new it was positioned at the bottom end of the spectrum. According to PassMark - Intel Atom D525 @ 1.80GHz - Price performance comparison it has a passmark score of only 390! II hate to say it, but I think there is no way you can get even close to usable VPN speeds with this CPU.

Cheers for this - but not for the fact that it won’t do what I want!!

What about the Intel J4125 - 3 years old, but does support “AES New Instructions”

I don’t have any benchmarks. But it has about eight times the raw compute power of the Atom D525 and it can offload encryption and decryption thanks to AES-NI. So yes it should be able to handle a few IPsec connections with AES encryption just fine.

1 Like

Thanks for this feedback

So looking at alternates for this, and wondering which of the following would support:

  • Up to 5 IPsec mobile VPN connections (on a normal day 1 all day, and maybe 2 more at various times)


  • IPsec site-to-site connection (up to 6 users accessing the application across this)

The choices of devices that I have available at the moment are:

Both devices that I have available to me for this have 6 x 1GB cards (1 x WAN, 5 x LAN), etc., 4GB RAM and 32GB SSD.

The J4125 is newer (2019) than the 2430M (2011), and has more cores.
Both support AES-IN.

I guess at this stage my question would be, which would be the preferred device, and are they sufficient to support this level of activity over the VPN?

I’m thinking that the J4125 would be the better option, but would like to get advice on this before landing in client site with new devices for them.

Here is a link with some hardware considerations to what you’re looking for:

How about you buy a Netgate firewall (4100 or 6100) that is the equivalent of the SonicWall for starters, so you will get a guaranteed product AND support for at least 1 year. Also, you will not have any performance issue with encryption/decryption over either SSL VPN or IpSec VPN.
If this is for a commercial use, buy the right product, it will be well worth the price.

My opinion doesn’t really matter, since my application is highly different. Although it’s mostly related to home lab, many of my relatives and colleagues were so impressed with the setup that I have (for better or worse) per their request set up the systems for them, and some have been running with uptimes in years and very little maintenance, all managed via site-to-site connections.

I mostly use the inexpensive Aliexpress fanless Atom devices (now 5105 or 5100- based, but 4125 is ok still for most applications) or if needed quickly Protecli since they can be bought off amazon. However, given what you’re describing is a business application, I think it’s worthwhile to purchase a supported product, so purchasing a device from Netgate is likely the way to go.

From a purely technical standpoint, I think the performance isn’t great because Atom 525 is just an old system.

From my recent experiences if running site-to-site VPN AND fairly robust Snort and PfblockerNG rulesets, you need at least an Atom J4125 to get near line speeds via wireguard VPN for a single site-to-site connection on a 1Gbps link. The new 5105 atoms seem to have substantially better performance for the same power consumption.

Servethehome has great reviews of some of the less expensive J5105 up to 6005 units, as well as a couple of low-end i7 fanless systems (that likely need a fan), but I don’t think I would use that in a business environment.

If there’s MANY users and multiple sites that require truly high performance (or if you need >1Gbps links), I would actually think of either purchasing a much higher end Netgate product, or using a Xeon or Epyc-based server-board-based custom build. There are options that will get you many times the performance of the Xeons, with IPMI and ECC RAM.

Again, I would look at servethehome as a good resource for this tech.