Need pfSense Hardware Advice for Gigabit Internet

Fodmidoid

Hi All,

A few months ago, I started a thread asking advice for pfSense hardware to support a 150/150 Mbps home connection. In the end, I decided to go with the APU2C4, and I've been very happy with that decision, until now. I figured that would hold me over for the next few years at least. But, as it turns out, Fios offered me 940/880 Mbps. Very excited! However, now that I'm running gigabit internet, it seems that the APU2C4 is only capable of around 600-700 Mbps.

So...It's time for me to build (or buy) something else that can handle the new speeds, with ease. My budget is fairly flexible, but I think if it starts getting expensive, I may opt to virtualize it instead, as I'm also really wanting to build a low-power Xeon D-15xx server for my home network and some labbing. It must also support AES-NI.

So advice for both systems would be greatly appreciated, as always. I'm not sure if I'm leaving anything out here.

Thanks!
 

CookiesLikeWhoa

I'm not 100% sure on this, but my gut feeling is you'll need to go the Xeon e3-v5/6 route for this especially if you do anything to it (snort, vpn, etc.).
 

ttabbal

For OpenVPN at those speeds, you need AES-NI. It's single-threaded, so that's about the only option.

If you have a spare box around, I would try setting it up with pfSense and running gigabit ethernet to a couple boxes or VMs with NICs passed through to see what happens. I expect routing won't be too bad, NAT might hurt a little though.

Note that virtualizing pfSense can cause some tricky issues. IMPORTANT: Xen/KVM networking will not work using default hypervisor settings!
 

T_Minus

Curious @ttabbal, but won't 'OpenVPN at those speeds' be kind of irrelevant unless he's on gigabit internet at another location?
I didn't see any use-case info, but the message sounds like an 'at home' setup, so likely 2-3 users max too.

I'm not a VPN pro, nor do I have experience with fast internet like this, but it seems that for the stuff that needs more power it may not be an issue if only 1 user is utilizing it and/or from a not-as-fast internet... Is that wrong?
 

ttabbal

True. They didn't specify the other end, so I went for worst-case. That may not be needed. The speeds are always dictated by the slowest link, obviously. So "it depends" is generally the answer. I've found that my Opteron 4133 handles ~200 Mbps VPN without AES-NI, but it can push one core pretty hard doing it. Just to give one real data point. Encryption settings matter as well; I don't know those offhand. I believe it is just AES-128-CBC, nothing really major, but enough to keep Comcast from decrypting it.

One other interesting thing to note is that the next major version of pfSense is going to require AES-NI. So if you're building up a system for it now, it is probably worth making sure you get it. When that happens, I'll need to upgrade at least the CPU, but since the 4200 series has it, I can get that pretty cheap when it's time. Or have a reason to get newer gear... :)
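Two checks that follow from this post and from the earlier suggestion to benchmark a spare box before buying: confirm the candidate CPU actually exposes AES-NI, and get a single-core AES throughput number to set against the WAN speed. The script below is an added example, not code from anyone in this thread or from the pfSense project; it assumes a Linux or FreeBSD host with an `openssl` binary that accepts `-seconds` (OpenSSL 1.1.0 or later), and every function and file name in it is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): detect AES-NI and convert OpenSSL's
# single-core AES benchmark into Mbit/s. Assumes Linux or FreeBSD with the
# openssl binary installed; function names are this example's own.

# has_aesni FLAGS: exit 0 if the CPU feature string lists AES-NI.
# Linux /proc/cpuinfo spells the flag "aes"; FreeBSD (which pfSense runs on)
# prints it as "AESNI" inside the Features2 list in the boot log.
has_aesni() {
    flags=" $1 "
    case "$flags" in
        *" aes "*) return 0 ;;
        *AESNI*)   return 0 ;;
        *)         return 1 ;;
    esac
}

# host_cpu_flags: print the feature string of the running host, or nothing if
# neither source is readable.
host_cpu_flags() {
    if [ -r /proc/cpuinfo ]; then
        grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2-
    else
        dmesg 2>/dev/null | grep -m1 'Features2'
    fi
}

# speed_line_to_mbps LINE: convert the summary line that `openssl speed -evp`
# prints (kilobytes/s per block size, largest block last) into whole megabits
# per second for the largest block size.
speed_line_to_mbps() {
    printf '%s\n' "$1" | awk '{ v = $NF; sub(/k$/, "", v); printf "%d\n", v * 8 / 1000 }'
}

# measure_aes_mbps CIPHER: run a short single-threaded OpenSSL benchmark for
# CIPHER (e.g. aes-128-cbc, aes-128-gcm) and print Mbit/s. OpenVPN is
# single-threaded, so this one-core figure is the ceiling that matters.
measure_aes_mbps() {
    cipher="${1:-aes-128-gcm}"
    line=$(openssl speed -seconds 1 -evp "$cipher" 2>/dev/null | grep "^$cipher ")
    [ -n "$line" ] || { echo "openssl speed produced no result for $cipher" >&2; return 1; }
    speed_line_to_mbps "$line"
}

# Stand-alone use (sh aesni_check.sh --run): report AES-NI presence and the
# raw single-core AES ceiling of this host.
if [ "${1:-}" = "--run" ]; then
    if has_aesni "$(host_cpu_flags)"; then
        echo "AES-NI: present"
    else
        echo "AES-NI: NOT present"
    fi
    for c in aes-128-cbc aes-128-gcm; do
        echo "$c single-core ceiling: $(measure_aes_mbps "$c") Mbit/s"
    done
fi
```

Run it with `--run` on the box you are considering. The OpenSSL number is a ceiling for the cipher alone; the tunnel will come in well under it because OpenVPN adds per-packet HMAC, framing and context-switch overhead on that same single core, so a CPU that only just clears the WAN rate here will not carry it over the VPN.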
 

Drewy

I have a 2758; it does 1Gb just fine. I don't have the luxury of a 1Gb tinternet connection, but I run multiple VLANs and have lots of firewall rules and Snort running on them. Obviously this isn't going to cope with 1Gb VPN connections.
 

Fodmidoid

ttabbal said:
For OpenVPN at those speeds, you need AES-NI. It's single-threaded, so that's about the only option.

If you have a spare box around, I would try setting it up with pfSense and running gigabit ethernet to a couple boxes or VMs with NICs passed through to see what happens. I expect routing won't be too bad, NAT might hurt a little though.

Note that virtualizing pfSense can cause some tricky issues. IMPORTANT: Xen/KVM networking will not work using default hypervisor settings!

Thanks. Yeah, the APU2C4 I'm currently running supports AES-NI and I am definitely planning to have another system that supports AES-NI, as well.
 

Fodmidoid

T_Minus said:
Curious @ttabbal, but won't 'OpenVPN at those speeds' be kind of irrelevant unless he's on gigabit internet at another location?
I didn't see any use-case info, but the message sounds like an 'at home' setup, so likely 2-3 users max too.

I'm not a VPN pro, nor do I have experience with fast internet like this, but it seems that for the stuff that needs more power it may not be an issue if only 1 user is utilizing it and/or from a not-as-fast internet... Is that wrong?

Thanks for the reply. Yes, I should have specified that this was for my home connection and OpenVPN would only be used by 1-2 people, at most. And yes, of course, I am limited by the connection at the other end when it comes to OpenVPN. Which makes total sense. I don't expect to have gigabit speeds over VPN. I was just adding that it's one of the apps I'm planning to run on pfSense.
 

Evan

Double the single-thread performance on Xeon-D, and $ for performance is then about the same, plus you get boards that have 10G and SFP+.
 

fmatthew5876

I went with a Supermicro C2758 for my pfSense home router because the system is silent. If noise were not a concern I'd probably go with Xeon-D, especially one with built-in 10G onboard.
 

Dww0311

Fodmidoid said:
Does anyone have any hardware suggestions?

Thanks.

I run Sophos UTM 9 (with just about every option turned on) on an E3-1280 v2 @ 3.60 GHz with 32GB, servicing a load-balanced dual link (two different ISPs) 800/800 WAN. That's a good bit more of a load than just pfSense would be.

CPU utilization with a saturated pipe is about 8% max. I think maybe you're throwing more ammunition downrange than you need to unless this box is going to be filling multiple roles.

Dell R210II E3-1280v2 is what I'd recommend - cheap, quiet and capable.
 

Aluminum

Dell T20/T30 or Lenovo TS140 or similar, add a cheap Intel dual/quad NIC from fleabay. There is a $350 T30 deal right now. 3+ GHz Haswell/Skylake is capable of doing a lot on a gigabit line.

E3 is much, much better than Cxxxx for this role, especially for OpenVPN, Snort and anything else locked to 1 thread. Also, it seems like the free version of pfSense will likely not be getting some of the custom offload stuff they are working on right now. Xeon D costs too much and single-thread clock speed is kinda low.
 

Fodmidoid

Dww0311 said:
I run Sophos UTM 9 (with just about every option turned on) on an E3-1280 v2 @ 3.60 GHz with 32GB, servicing a load-balanced dual link (two different ISPs) 800/800 WAN. That's a good bit more of a load than just pfSense would be.

CPU utilization with a saturated pipe is about 8% max. I think maybe you're throwing more ammunition downrange than you need to unless this box is going to be filling multiple roles.

Dell R210II E3-1280v2 is what I'd recommend - cheap, quiet and capable.

Thanks for the recommendation.

I've searched eBay and can't find a single Dell R210 II E3-1280v2 for sale there. Would the E3-1240v2 be just as good for this?
 

Fodmidoid

Aluminum said:
Dell T20/T30 or Lenovo TS140 or similar, add a cheap Intel dual/quad NIC from fleabay. There is a $350 T30 deal right now. 3+ GHz Haswell/Skylake is capable of doing a lot on a gigabit line.

E3 is much, much better than Cxxxx for this role, especially for OpenVPN, Snort and anything else locked to 1 thread. Also, it seems like the free version of pfSense will likely not be getting some of the custom offload stuff they are working on right now. Xeon D costs too much and single-thread clock speed is kinda low.

Thank you. Out of the 3 you mentioned, which one would you go with (the T30?) and do you feel these are a better option than the Dell R210 II mentioned above?

Also, there are a lot of T30s that come up. Could you please provide a link to the one you were referencing? How much RAM should I have?

I also need a minimum of 3 Intel Gig NICs as I want to have a DMZ as well. If you, or anyone else, could recommend a quad port gigabit Intel NIC, I'd appreciate it.

Thanks again.
 

Dww0311

Fodmidoid said:
Thanks for the recommendation.

I've searched eBay and can't find a single Dell R210 II E3-1280v2 for sale there. Would the E3-1240v2 be just as good for this?

It's slightly slower, but it would work IMO.

If I've determined that I want to run a 1280 in one of these boxes, I'll normally just buy the processor separately and swap it out. On that path, I'll just find the cheapest non-stripped R210 II available, do the surgery once everything arrives and then sell the original processor that I swapped out on fleabay to recoup some of my $$.
 

Dww0311

Fodmidoid said:
Thank you. Out of the 3 you mentioned, which one would you go with (the T30?) and do you feel these are a better option than the Dell R210 II mentioned above?

Also, there are a lot of T30s that come up. Could you please provide a link to the one you were referencing? How much RAM should I have?

I also need a minimum of 3 Intel Gig NICs as I want to have a DMZ as well. If you, or anyone else, could recommend a quad port gigabit Intel NIC, I'd appreciate it.

Thanks again.

I haven't played around with the T30s since I only use rack mounts (have a rack, so why clutter up the floor), so I can't say if they're upgradeable with respect to processor. Spec says the only Xeon it was ever offered with is the E3-1225v5, which is actually quite a bit slower than the E3-1280v2 and doesn't support hyperthreading.

Maybe one of the other guys who knows these boxes better can opine on whether the T30 can handle a higher v5 than the 1225. If so, and you're willing to spend the $$ on the replacement processor (for example, the cheapest E3-1240 v5 on fleabay I found is about $300), I'd go that route instead of the R210 II.