Inlägg

Hey, I'll try to run some tests during the weekend and report back!

This is off-topic, but there are several issues with the new pfSense 2.5.0 release, ranging from USB installation problems to performance degradation and lockup issues, even on Netgate's official hardware.

Nevertheless, I'll play around with Wireguard to see what performance is achievable.

That was `i7-4510U` CPU. I remember running a similar test with OpenVPN and NordVPN about 2 years ago. At that time I believe I got 700Mbit/s but suspect the limitation was on the NordVPN side or the ISP side (not verified though).

I have some thoughts on this: https://teklager.se/en/pfsense-vs-opnsense/

In principle, it should work. It runs on a PCI interface that is present in the TLSense i5/i7 box.
I have not tested this specific card so I can't guarantee that it's compatible, but as far as I can tell, it should be fine.

I can run some more tests this weekend

Thanks for your kind words! Yeah, i5 should be back in stock in about 2-3 weeks.

Not sure if OPNsense is "too much". To me, it seems quite intuitive to use. Maybe other users can also comment on this?

I think this is where OpenWRT is lacking. Firewall logs aren't enabled by default, and it's not super straightforward to get a log of dropped packets. It's possible to do, but the user experience is far from OPNSense in this area.

Yes, some patience is required here

If you plan to use your Asus as an access point, then you can use any router OS.
If you would want to have WiFi inside of the main router than I would recommend OpenWRT because it has much better WiFi support.

I used Ubuntu because I had two boxes with already installed OS. I believe OpenWRT will have the same performance. In fact, I have one APU2 with OpenWRT so I can run another test quickly... more about this below.

I would not recommend Ubuntu on a router to anyone I used it only for benchmarking purposes. I suggest using OpenWRT for wireguard. It has a relatively nice web UI for configuring everything. There's no need to mess with the terminal. I find it pleasant to use.

Yeah, the i5 are out, but they should be back in about 2 weeks. See this performance comparison for different models: https://teklager.se/en/knowledge-base/apu-vs-tlsense-cpu-perf... I believe i5 will run at gigbit both ways as well.

I executed a quick test with OpenWRT as a wireguard server. The download throughput was 750Mbit/s - more than I expected. The upload was at ~520Mbit/s. Interestingly, it's not identical. I suppose encryption is more performant than decryption. These tests weren't executed simultaneously. If I run upload and download at the same time, the numbers drop by half. I think this is a great result for a router that consumes 6W of power

https://i.imgur.com/kIlExH8.png

Hi @box4mm
It's been more than a year since I've executed these tests and I don't have the data anymore. I'll run another test tomorrow and come back to you with the performance data and some charts

Best,
Pawel

There's a little section about Wireguard performance on APU2 at the end of this article: https://teklager.se/en/knowledge-base/apu2-vpn-performance/

I ran this test on Linux. I have not tried on BSD yet. I also think that the performance will be lower, but I'm not sure by how much.

From the quality perspective, I think they are equivalent. Both of these boxes are well built and perform well.

TLSense i5 will have a lot more horsepower for IDS/IPS/VPN. If these are not very important to you then you won't see a difference in regular routing.

TLSense J3P4 has really small form factor which I think is cool

https://teklager.se/media/filer_public_thumbnails/filer_public/4...

From the left: TLSense i7 6P, TLSense i5, J3P4, APU4C4, APU2D4, APU2D0.

Cheers!

I run TekLager as a hobby business, so I usually answer during weekends and after regular office hours

I'm a little torn on this because I support what Vilfo is trying to achieve (secure personal routing), but I have a hard time trusting proprietary software since I can't really verify that it's truly secure.
On the other hand, I understand why they didn't open source the Vilfo OS. This software is their competitive advantage, so it's a business decision.
I wish there was a way for them to open source it, and keep the competitive edge.

I have not tried this, but I believe that it should be quite easy in pfSense/OPNsense. Once you have a VPN provider configured, you will have a virtual VPN WAN interface, and your regular WAN interface. Then it should be possible to route some clients to regular WAN and some clients to VPN-WAN. I believe you can do this based on IPs or VLANs in pfSense by going to Firewall-> NAT -> Outbound -> create Manual Outbound NAT rule.

Best,
Pawel

Hey there! If you have any questions, I'm happy to help or advise!

Hi!

Vilfo seems like nice hardware! I've been looking at it for a while, but in the end, decided not to re-sell it because the software is not fully open source. My concern with closed-source OS is that it will stop being updated with security patches, and will make hardware obsolete.

Now, to your questions:
1. That's correct. You will need a CPU with good single-core performance to reach high OpenVPN throughput because OpenVPN is single-threaded. TLSense i5 will give you about 600-800Mbit/s.
2. I have not tested it myself yet, but I've heard from one customer that he reached about 180Mbit/s on OpenVPN on this hardware. This is lower than I expected, so I'll need to test it myself (hope to do this within the next week).

If you are completely new to OPNSense/pfSense then I recommend pfSense because it has more documentation and tutorials online.

Let me know if you have any other questions.

Best,
Pawel

@Smack Jack: It looks like Mullvad published a short tutorial on how to set up OpenWRT with WireGuard https://mullvad.net/en/guides/running-wireguard-router/

I think APU2 with a new BIOS version can do a little more than 600Mbit/s with WireGuard. The new BIOS enabled CPU boost to 1.4Ghz (from 1.0Ghz). I haven't tested this myself yet, so take this with a grain of salt

@Smack Jack My Swedish is still far from great, so I'll answer in English. Hope that's OK!

OpenWRT works well with WireGuard as @improwise says. I believe OPNSense added WireGuard support in the latest "Development" version. I know it's there, but I haven't tested how well it works.

On APU2 you will get about 600Mbit+ on Wireguard (only about 140 Mbit/s on OpenVPN )
On TLSense routers you will get full Gigabit on WireGuard (and about 600-900Mbit/s on OpenVPN).

Let me know if you have any more questions!

@improwise: which cipher are you using?

OpenVPN with AES-256-GCM should give you about 700Mbit/s on the hardware you have. Of course, Wireguard will be much faster.

GCM is more performant and more secure than CBC, so if you are using CBC, consider switching

Thanks for pinging me!

I'm happy to answer any questions about this hardware - hope it won't get me banned Rules on this forum are rather strict "no marketing of any kind".

Router linked by @Nima2001 has Intel J1900 CPU, without AES-NI. It won't be supported by pfSense 2.5 (which will be released soon). So if you are planning on using pfSense, I don't recommend it.

@stefaneriksson123 I need to do new VPN test to verify the OpenVPN speed. Recent BIOS update enabled CPU-boost to 1.4Ghz on APU, which should significantly improve VPN performance. There' s more information about it in our "Knowledge Base"

For those who are running APU routers with pfSense, we have some good news
New BIOS with some configuration changes, allow pfSense to route at 1Gbit on all APU routers. Read this article for details:
https://teklager.se/en/knowledge-base/apu2-1-gigabit-throughp...

@Undie: Price increase was rather small, but the reason is that manufacturer increased prices of parts, and PostNord increased prices for shipping.

Thanks for linking to us!
I'll be here if anyone has any questions about these routers.

@swenorth1: it's possible that your neighbor just purchased a new router and is using exactly the same channel as you are, so you are getting interference. Try installing "WiFi analyzer" on your phone to see which WiFi channels are congested and which are open. Once you know it, you can reconfigure your router.

It's also possible that your access point is dying... but that's probably less likely.