Hardware for Gbit VPN/firewall

[Enigma86]

Hey guys this is my first post,

I've been reading this forum and others for a while trying to figure out the cheapest way to accomplish this task. I'm in the process of setting up my home network for a few different things and have decided I want to implement a firewall directly behind my modem which will run to 4 subnets used for various tasks. Some of the things my network will include is a lot of downloading and multiple HD streams out of a media server along with remote connections from myself and a couple friends that I will be building a development environment for.

Since I know that connections to a VPN service will be limited themselves, I was looking for either a dedicated firewall device or maybe convert a server into one where I can load 4 instances of the VPN client on the firewall as well as run an OpenVPN server. That way the full bandwidth to the house on a Gig connection can still be utilized throughout the 4 subnets even if only getting 200/Mbps from each VPN connection. But that means I need hardware that can support SSL at close to 1Gbps.

I've looked at old watchguard routers and possibly getting a supermicro server with pfsense to handle the task... but I'm not really sure how much power I really need for that. Thanks!

 

[altmind]

Mikrotik publishes ipsec benchmark for its routers.
CCR1009* and higher can handle gigabit ipsec and they are inexpensive.

MikroTik!

 

[Enigma86]

Hey there, thanks for the input. I guess part of my confusion with some of these devices and hardware is that they post the IPsec throughput but if you're using OpenVPN based VPN services and OpenVPN as a server at home then you're running SSL encryption which is a lot slower than IPsec correct? I appreciate that input though. I would also love to hear some other ideas or maybe things people have used already.

 

[altmind]

Yes, ipsec is usually the fastest, yet a pain to configure. Idk what openvpn bandwith you can expect on ccr1009, prob around 150 mbit.

 

[IamSpartacus]

Yes, ipsec is usually the fastest, yet a pain to configure. Idk what openvpn bandwith you can expect on ccr1009, prob around 150 mbit.

IPsec CAN be a pain to configure but it depends on the interface. In pfsense for example it's super easy. And with their latest release that supports routed IPsec it's even better.

OP, I get 1Gbps IPsec on a Site-to-Site VPN connection I have between two C2758 Pfsense boxes, if that helps at all.

 

[e97]

Prefer the embedded Ryzen R1000 and embedded EPYC 3000 for 1G and 10G firewalls.

 

[altmind]

There is nothing in this tasks that requires or favors AMD.
There are a plenty good value intel solutions. And the market is more liquid for used intel equipment than AMD.

 

[e97]

There is nothing in this tasks that requires or favors AMD.
There are a plenty good value intel solutions. And the market is more liquid for used intel equipment than AMD.

ECC and price.. if you know of a <$200 intel solution with ECC under 15W please share!

 

[altmind]

There is no requirement for ECC, nor there are SOHO routers with ECC.

Check your pricing for epyc 3000 again, there are no offers for 200. CPU+Mobo are around $500

i3-9100f+ASRock B365M-HDV is 90+65.

This intel/amd discussions is steering off the topic.