Firewall options for 1 Gbps VPN throughput

Alfa147x

Active Member
Feb 7, 2014
I'm in the market for a firewall to place in a small rack at a data center to access backup storage and a few NVMe-backed VMs. My current firewall is a DIY 2U firewall, a 2013 AMD AM1 Kabini with a 4-port NIC running Sophos XG, but this setup struggles with my 1 Gbps connection even prior to VPN. I'm assuming the lack of hardware acceleration for IPsec is causing the performance issues. I like the Sophos OS but it requires a 2nd system for NetFlow monitoring. I would be happy if I could find one device to do both.

Here are options I'm considering:
  • MikroTik options (CCR2004-1G-12S+2XS The Connectivity Router)
    • Requires 2nd system to monitor bandwidth
    • The routerboard UI leaves a lot to be desired but I have few complaints about my MikroTik APs.
  • Juniper SRX300
    • The higher-end models (Juniper SRX 650s) that provide 1 Gbps VPN throughput are hard to find on the secondary market.
  • Fortinet FortiGate 60E

Constraints:
  • I'm looking for low-cost options as I'm looking to buy a pair. ($500 - $700/each)
  • I'm open to used hardware from the secondary market and I don't require support but I would like easy access to upgrades and security patches.
  • Rackmountable
  • Energy efficiency
    • Similar to the Kabini (15w TDP) system or better
  • Open to wireguard or other VPN technology to gain energy efficiency

I'm asking for any suggestions on models or brands to consider for this use.

RTM

Well-Known Member
Jan 26, 2014
So while it is not rackmountable, perhaps Netgate's SG-5100 with pfSense Plus might do the trick.
They claim 923 Mbps IPsec performance, and while I have no idea how much overhead one should expect on a 1G link, it does sound like it is quite close to the theoretical limit.

If you don't mind waiting (for who knows how long), you could also consider waiting for Netgate to open up pfSense Plus for non-Netgate devices.
That could allow you to build your own device, using standard components from a vendor like Supermicro, and still have QAT-assisted VPN.

uldise

Active Member
Jul 2, 2020
Another option from MikroTik would be the MikroTik RB4011iGS+RM.
Whether you achieve 1Gb/s through VPN or not depends on your packet size.
I have this device, but have not tested VPN at that speed. For me it works with Gigabit internet just fine. And don't compare it with MikroTik WiFi - if you need WiFi, then you choose a different brand :)

jjacobs

Member
Dec 25, 2020
The Netgate XG-1541 claims 2.8Gb/s IMIX IPsec (AES-128-GCM / AES-N) throughput at $2650.00. That's exactly the same as the Supermicro 5018D-FN4T. I have a 5018D-FN4T for sale in the forsale/trade forum here for $800. Sorry if the self promotion is inappropriate...

You should get comparable throughput using any firewall distro that uses strongswan.

It's not 15w, 25-30w under typical load. WireGuard will be available on pfSense when FreeBSD gets its act together and Netgate stops their nonsense. WireGuard is available if you run VyOS. I know it doesn't tick all of your boxes but it is a lot of firepower for a gateway for a good price.

Alfa147x

Active Member
Feb 7, 2014
The Netgate XG-1541 claims 2.8Gb/s IMIX IPsec (AES-128-GCM / AES-N) throughput at $2650.00. That's exactly the same as the Supermicro 5018D-FN4T. I have a 5018D-FN4T for sale in the forsale/trade forum here for $800. Sorry if the self promotion is inappropriate...

You should get comparable throughput using any firewall distro that uses strongswan.

It's not 15w, 25-30w under typical load. WireGuard will be available on pfSense when FreeBSD gets its act together and Netgate stops their nonsense. WireGuard is available if you run VyOS. I know it doesn't tick all of your boxes but it is a lot of firepower for a gateway for a good price.
I've considered VyOS in the past but I'll admit that I'm a bit intimidated by the lack of a UI.

jjacobs

Member
Dec 25, 2020
I had the same feelings about it. After, oh..., an hour or so it felt natural.

The way the firewall is configured threw me for a loop at first. <some network> -> in and <some network> -> local is different than I was used to. Once I realized that <some network> -> local controls access to the gateway itself (and services provided by the gateway like DHCP, DNS, mDNS proxy, etc.) and <some network> -> in is that network to other networks, I was good to go. There is also egress filtering (<some network> -> out) if needed. You can also do a zone-based firewall if you like that way of thinking about it.

I do like that I can get a config file (show configuration) or a script (show configuration commands) easily.

The documentation is *pretty good* and you can get help on the forum without drama.

Yes, more typing and more thinking than a GUI. In the end you actually know what is going on with your gateway instead of having it all hidden behind the GUI. I think that's a plus ;)

Concerning your original post: have you thought about implementing your VPN on dedicated devices or in VMs on either end? There is some value to getting away from the all-in-one appliance and going with a more modular approach...
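As a worked illustration of the in/local/out split described above (added here, not from the thread, the VyOS project or its documentation), the VyOS 1.2/1.3 command syntax for one LAN interface; the interface eth1, the 192.168.10.0/24 and 192.168.99.0/24 networks, the admin host address and the rule contents are all assumptions:

```vyos
# Added example, not from the thread. Assumes VyOS 1.2/1.3 syntax, LAN on eth1
# (192.168.10.0/24), a separate management VLAN 192.168.99.0/24 and an admin host
# at 192.168.10.5. All three directions default to drop; each is independent.

# LAN -> local: packets addressed to the gateway itself (its own services).
set firewall name LAN-LOCAL default-action 'drop'
set firewall name LAN-LOCAL enable-default-log
set firewall name LAN-LOCAL rule 10 action 'accept'
set firewall name LAN-LOCAL rule 10 state established 'enable'
set firewall name LAN-LOCAL rule 10 state related 'enable'
set firewall name LAN-LOCAL rule 20 description 'DNS and DHCP served by the gateway'
set firewall name LAN-LOCAL rule 20 action 'accept'
set firewall name LAN-LOCAL rule 20 protocol 'udp'
set firewall name LAN-LOCAL rule 20 destination port '53,67'
set firewall name LAN-LOCAL rule 30 description 'SSH management only from the admin host'
set firewall name LAN-LOCAL rule 30 action 'accept'
set firewall name LAN-LOCAL rule 30 protocol 'tcp'
set firewall name LAN-LOCAL rule 30 destination port '22'
set firewall name LAN-LOCAL rule 30 source address '192.168.10.5'

# LAN -> in: packets arriving on eth1 that the gateway forwards to other networks.
set firewall name LAN-IN default-action 'drop'
set firewall name LAN-IN enable-default-log
set firewall name LAN-IN rule 10 action 'accept'
set firewall name LAN-IN rule 10 state established 'enable'
set firewall name LAN-IN rule 10 state related 'enable'
set firewall name LAN-IN rule 20 description 'LAN must not reach the management VLAN'
set firewall name LAN-IN rule 20 action 'drop'
set firewall name LAN-IN rule 20 destination address '192.168.99.0/24'
set firewall name LAN-IN rule 30 description 'Everything else from the LAN may be forwarded'
set firewall name LAN-IN rule 30 action 'accept'
set firewall name LAN-IN rule 30 source address '192.168.10.0/24'

# LAN -> out: packets the gateway forwards out through eth1 toward the LAN.
# Only replies to LAN-initiated flows are let back in.
set firewall name LAN-OUT default-action 'drop'
set firewall name LAN-OUT rule 10 action 'accept'
set firewall name LAN-OUT rule 10 state established 'enable'
set firewall name LAN-OUT rule 10 state related 'enable'

# Attach one ruleset per direction to the interface, then commit and save.
set interfaces ethernet eth1 firewall local name 'LAN-LOCAL'
set interfaces ethernet eth1 firewall in name 'LAN-IN'
set interfaces ethernet eth1 firewall out name 'LAN-OUT'
commit
save
```

After the commit, `show configuration commands | match firewall` prints exactly this set of lines back, which is the scriptable view of the config the post mentions.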

Alfa147x

Active Member
Feb 7, 2014
I had the same feelings about it. After, oh..., an hour or so it felt natural.

The way the firewall is configured threw me for a loop at first. <some network> -> in and <some network> -> local is different than I was used to. Once I realized that <some network> -> local controls access to the gateway itself (and services provided by the gateway like DHCP, DNS, mDNS proxy, etc.) and <some network> -> in is that network to other networks, I was good to go. There is also egress filtering (<some network> -> out) if needed. You can also do a zone-based firewall if you like that way of thinking about it.

I do like that I can get a config file (show configuration) or a script (show configuration commands) easily.

The documentation is *pretty good* and you can get help on the forum without drama.

Yes, more typing and more thinking than a GUI. In the end you actually know what is going on with your gateway instead of having it all hidden behind the GUI. I think that's a plus ;)

Concerning your original post: have you thought about implementing your VPN on dedicated devices or in VMs on either end? There is some value to getting away from the all-in-one appliance and going with a more modular approach...
I found this blog and feel ready to take the dive into VyOS.

It's easier to conduct this test while my rack lives in my house, before I have to move it into a data center.

I'm also hoping to reduce complexity by having a one-box solution, in hopes of stability and fewer things to maintain. But I've found that with my Sophos XG I still need a 2nd solution/server for monitoring even the most basic bandwidth stats (NetFlow).

zer0sum

Well-Known Member
Mar 8, 2013
The Netgate XG-1541 claims 2.8Gb/s IMIX IPsec (AES-128-GCM / AES-N) throughput at $2650.00. That's exactly the same as the Supermicro 5018D-FN4T. I have a 5018D-FN4T for sale in the forsale/trade forum here for $800. Sorry if the self promotion is inappropriate...

You should get comparable throughput using any firewall distro that uses strongswan.

It's not 15w, 25-30w under typical load. WireGuard will be available on pfSense when FreeBSD gets its act together and Netgate stops their nonsense. WireGuard is available if you run VyOS. I know it doesn't tick all of your boxes but it is a lot of firepower for a gateway for a good price.
Forget pfSense and switch to OPNsense instead!
OPNsense® is a true open source firewall and more

Another option you could think about is running a bare metal hypervisor and then trying out some virtual firewalls.
That way you could very easily test pfSense, OPNsense, Palo Alto, Juniper, etc. and switch whenever you felt you might want to try something different.
I find throughput really fast and love the flexibility.

m4ff3w

New Member
May 7, 2021
Not quite 1Gb VPN throughput, but the Ubiquiti UDM-Pro is rated for 800Mb/s for IPsec, at a sub-$400 each cost.

Max power draw is 33w - but that includes potential draw for a 3.5" hard disk if using it for video recording, too.

coxhaus

Member
Jul 7, 2020
That blog makes VyOS look simple. What about using VyOS to build a VPN appliance separate from your firewall? That way you can work on them independently.

I am retired now for years so I have no need for a VPN.

jjacobs

Member
Dec 25, 2020
Forget pfSense and switch to OPNsense instead!
OPNsense® is a true open source firewall and more

Another option you could think about is running a bare metal hypervisor and then trying out some virtual firewalls.
That way you could very easily test pfSense, OPNsense, Palo Alto, Juniper, etc. and switch whenever you felt you might want to try something different.
I find throughput really fast and love the flexibility.
Yeah, I gave up on pfSense some time ago. OPNsense is ok, although not without its own issues. VyOS hits the spot for me. I use it for LAN <-> WAN only and once working I am confidently ignoring it :)

For local networks I use a multi-layer switch. Again, once working as I want I can ignore it. DHCP/DNS/VPN/RADIUS/etc. all hum happily away in VMs on a fan-less, low power device.

I'm done with the all-in-one appliance approach. Too dependent on one vendor getting *everything* right from version to version. Too brittle in practice.

coxhaus

Member
Jul 7, 2020
Yeah, I gave up on pfSense some time ago. OPNsense is ok, although not without its own issues. VyOS hits the spot for me. I use it for LAN <-> WAN only and once working I am confidently ignoring it :)
Sounds really good that you don't have to touch it often. What about updates and security fixes? Is it easy to update?

jjacobs

Member
Dec 25, 2020
Sounds really good that you don't have to touch it often. What about updates and security fixes? Is it easy to update?
Updates in VyOS are system images. You can have as many images as you want and switch between them. You can have different configs for different images if you like. The default (1.3 train as of 5/21) is a rolling release. I chose to build my own install image from the 1.2 LTS train and use that. (Super easy to do; there's a Docker image with everything you need to build from source.) When 1.3 becomes the long term support train I'll build it and make the move. That said, most use 1.3 and have no issues.

So, this isn't like some other distros with frequent updates of questionable quality (looking at you, Ubiquiti). The release engineering is managed better than pfSense as of late; the WireGuard issue with pfSense still makes me want to scream.

Currently 3 trains: 1.2 is LTS. You have to pay for that unless you build it yourself. 1.3 is stable. Free. 1.4 is dev. Watch out for dragons.