Saturday, September 12, 2009

Running pfSense on a WatchGuard x700 firewall

The original Firebox X series is nearing its end of life, so I was able to purchase an x700 on eBay for a song. Watchguard is no longer providing updates for it as of October 2009, so you might start seeing more of them on eBay. The original Watchguard X-series consisted of the x500, x700, x1000, and x2500. Since they were software-upgradable, I am assuming the hardware for all is identical. (Warning: WatchGuard has many stickers on the box and more inside indicating that opening the box or removing any hardware voids the warranty.) Why would I buy an end-of-life firewall? Because it's great hardware to run pfSense, one of the best open-source firewall packages available.

WARNING: You should not pay more than $100 for the x500 through x2500. They're end-of-life. And don't let anyone confuse an even older, 2RU model, with the x-series.

What's the hardware? (Boot console text here, photos here.) It's a 1.2 GHz Celeron processor, 256 MB of PC133 RAM, a SanDisk 64MB "Industrial Grade" compact flash card, and an Intel motherboard with six Realtek (!) LAN ports. There's a serial port, two fans, a PCI slot, and a mini-PCI slot occupied by a SafeNet SafeXcel 1141 v.1.1 card. Unfortunately, the SafeXcel 1141 is not supported in FreeBSD, even though the boot messages show that it found something. (Maybe OpenBSD...)

Just to be sure, I did the OpenSSL speed check from the Watchguard's console after I installed pfSense.

Firebox Xseries, SafeNet 1141 v1.1 installed:
The 'numbers' are in 1000s of bytes per second processed.
type                 16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc         26917.66k    27987.75k    28248.74k    28359.04k    28376.05k
aes-192 cbc         22900.88k    23917.93k    24122.93k    24210.67k    24213.70k
aes-256 cbc         20624.38k    21210.58k    21364.18k    21430.52k    21439.17k

Firebox Xseries, SafeNet removed:
The 'numbers' are in 1000s of bytes per second processed.
type                 16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc         26924.00k    27986.35k    28249.58k    28358.33k    28374.19k
aes-192 cbc         22911.56k    23924.39k    24126.03k    24212.23k    24220.05k
aes-256 cbc         20624.28k    21211.41k    21360.39k    21429.22k    21439.88k

While there's no difference with or without the SafeNet card, the x700 blows away my Alix 2d3 board with the Soekris mini-PCI HiFn 7955 card, which is what I'm currently running pfSense on. To be fair, the Alix was still live and sending 310k/sec to Backblaze, but that's another story.

Alix board w/Soekris VPN Card:
The 'numbers' are in 1000s of bytes per second processed.
type                 16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc          5186.19k     5310.60k     5423.67k     5473.56k     5487.10k
aes-192 cbc          4548.62k     4671.94k     4780.79k     4802.54k     4801.88k
aes-256 cbc          4117.25k     4157.12k     4243.48k     4263.61k     4257.15k
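As an added example (not code from the post), here is a small Python script that parses the three `openssl speed` tables above and makes the two comparisons the post draws by eye: whether the SafeNet card changed anything (it did not, within noise), and how far the x700 is ahead of the Alix. The tables are embedded exactly as quoted above; the host labels and the 10% "engaged" threshold are choices made for this example.

```python
"""Parse `openssl speed` summary tables and compare them across hosts.

The three tables are the ones quoted in the post. Values are kB/s: the
trailing 'k' in openssl's output means thousands of bytes per second.
The host labels below are names chosen for this example.
"""
import re

BLOCK_SIZES = (16, 64, 256, 1024, 8192)

# Tables copied from the post: WatchGuard x700 with and without the
# SafeNet SafeXcel 1141, and the Alix 2d3 with the Soekris HiFn 7955 card.
X700_WITH_CARD = """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128 cbc 26917.66k 27987.75k 28248.74k 28359.04k 28376.05k
aes-192 cbc 22900.88k 23917.93k 24122.93k 24210.67k 24213.70k
aes-256 cbc 20624.38k 21210.58k 21364.18k 21430.52k 21439.17k
"""
X700_NO_CARD = """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128 cbc 26924.00k 27986.35k 28249.58k 28358.33k 28374.19k
aes-192 cbc 22911.56k 23924.39k 24126.03k 24212.23k 24220.05k
aes-256 cbc 20624.28k 21211.41k 21360.39k 21429.22k 21439.88k
"""
ALIX_SOEKRIS = """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128 cbc 5186.19k 5310.60k 5423.67k 5473.56k 5487.10k
aes-192 cbc 4548.62k 4671.94k 4780.79k 4802.54k 4801.88k
aes-256 cbc 4117.25k 4157.12k 4243.48k 4263.61k 4257.15k
"""

# One throughput cell: digits, optional decimals, trailing 'k'.
VALUE_RE = re.compile(r"^\d+(\.\d+)?k$")


def parse_speed(text):
    """Return {cipher: {block_size: kB/s}} from an `openssl speed` table.

    Cipher names can contain a space ("aes-128 cbc"), so each row is split
    into its trailing numeric tokens and a name built from everything else.
    The header line and any row without a full set of values are skipped.
    """
    results = {}
    for line in text.splitlines():
        tokens = line.split()
        values = [t for t in tokens if VALUE_RE.match(t)]
        if len(values) != len(BLOCK_SIZES):
            continue
        name = " ".join(tokens[: len(tokens) - len(values)])
        results[name] = {
            size: float(v[:-1]) for size, v in zip(BLOCK_SIZES, values)
        }
    return results


def speedup(fast, slow, cipher, block_size):
    """Throughput ratio of one host over another for one cipher/block size."""
    return fast[cipher][block_size] / slow[cipher][block_size]


def accelerator_engaged(with_card, without_card, cipher, min_gain=0.10):
    """True only if the card run beats the software run by min_gain at
    every block size. Results inside measurement noise, as in the post,
    mean the hardware is not on the path OpenSSL is timing."""
    return all(
        with_card[cipher][size] >= without_card[cipher][size] * (1 + min_gain)
        for size in BLOCK_SIZES
    )


def compare_all(a, b):
    """Per cipher present on both hosts: (min, max) speedup of a over b."""
    out = {}
    for cipher in a:
        if cipher in b:
            ratios = [speedup(a, b, cipher, s) for s in BLOCK_SIZES]
            out[cipher] = (min(ratios), max(ratios))
    return out


if __name__ == "__main__":
    x700_card = parse_speed(X700_WITH_CARD)
    x700_soft = parse_speed(X700_NO_CARD)
    alix = parse_speed(ALIX_SOEKRIS)
    print("SafeXcel 1141 engaged:",
          accelerator_engaged(x700_card, x700_soft, "aes-128 cbc"))
    for cipher, (lo, hi) in compare_all(x700_soft, alix).items():
        print(f"{cipher}: x700 is {lo:.2f}x to {hi:.2f}x faster than the Alix")
```

Run it as a script on the embedded tables, or hand `parse_speed` the saved output of your own `openssl speed aes-128-cbc aes-192-cbc aes-256-cbc` run. One caveat when repeating the measurement: `openssl speed` without `-evp` times OpenSSL's own software implementation, so a kernel-side accelerator only shows up if the run goes through the cryptodev engine (for example `openssl speed -evp aes-128-cbc -engine cryptodev`); a near-identical result with and without the card is exactly what this script's `accelerator_engaged` check flags.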

Finally, some commentary on the original Watchguard Firebox series:
I used one of these at a former client's main site. The user interface was great, it offered superb logging, and it even offered a real-time view of connections that I have seen no one duplicate since. That alone let me identify info-leak attempts in real time, because I did not leave all outbound ports open.

However, Watchguard included the encryption acceleration hardware, but didn't let you use it without an additional licen$e. pfSense is free.

2 comments:

  1. https://www.google.com/accounts/o8/id?id=AItOawnQaQFYUfmymVND4SK---slGxjhnziPk1A (October 4, 2009 at 3:38 AM)

    Your AES-128-CBC figures for the ALIX 2D3 seem odd, when compared with those posted at pfSense's website:
    http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported
    Your numbers with the Soekris card seem slower than the non-accelerated 2D3, and the onboard Geode-accelerated figures are comparable to the X700 for 16 byte chunks, and wipe the floor with the X700 for larger chunks.

  2. Those are the stats that OpenSSL speed does. I'm not sure that OpenSSL uses the same sets of hardware encryption that IPsec would use.
