Yet another PfSense Question - Building a box ( quiet/1u/passive'ish )


Robert Fontaine

I have 150 down 15 up with the possibility of 300 down in the near future.
Currently running my pfsense off of an Optiplex 990.

I have 2 objectives:
1) tidy things up and get it in my network rack.
2) reduce the db's in my dungeon
=> other related solutions to my noise issue may be a network cabinet, moving the cabinet to another room


I have a couple of startech 1u chassis on order:
I am thinking either passive cooling or some slow noctua fans for a slight breeze.

What I am not clear on is the wonderful world of intel cpus (what a mess).
AES-NI is a requirement on the chip.


Processor? -
so Atom, Celeron, i3, Xeon-D, AMD. There seem to be about 10 variations of each over the last 8 years that might work.

So the question to someone who knows

What is the best combination of cheap and low-power that will support 300 up/down plus AES-NI that I can configure to be essentially silent in a 1u aluminum box in my network rack?

Thanks,
R.
 

Aestr

You've mentioned pfsense and 300/300 so far as requirements. What packages are you looking to run? Do you need/want 300/300 over VPN? Routing 300/300 should be pretty easy for most of the hardware you'd be considering (c2000, i3, etc.), but those other things add up and might restrict your options. A good example of a low power, inexpensive board that can do a lot of what you could ask would be the A1SRI-2558F that has popped up in a few deals recently including this thread.
 

fsck

Are you running snort? Budget? There are many, many options.
I myself have the following box:
e3-1220 v2
6GB ecc
80GB x-25m g2

running sophos home utm. It's in a supermicro 512 with the blower. I find it to be relatively quiet as my desktop drowns it out.

Xeon-D's are popular for their 10G connectivity and low power. AMD is not a current favorite.

Take a look at: PfSense hardware for home router - OpenVPN performance

I assume AES-NI is a requirement for OpenVPN use; in that case, you'd need decent performance to saturate your connection. AES-NI used to be rare, but it's pretty common on any processor that you'd generally consider running for single thread performance.
 

Robert Fontaine

VPN is occasional.
300/15 sadly (at silly prices)
1 Gig internal network

Haven't had much luck with VPN providers bandwidth-wise. Occasionally have to connect to corporate VPNs for client support. I don't have any need for man-in-the-middle analysis of packets. I am happy enough with list-based filtering via DNS.

Budget isn't a huge concern but I would like to spend to my requirement. i.e. I don't need Gigabit processing, I don't need heavy processing, actual number of concurrent clients being routed on the box never likely to be higher than about 5.

I do an unreasonable amount of video conferencing from my dungeon and I have a sound gate/compressor to filter out the noise floor in here but anything I can do to reduce the volume is a big improvement in the sound quality of my conferencing.
 

Aestr

Sounds like a C2000 such as the A1SRI-2558F would suit you just fine.

  • Low cost if you can watch for deals on eBay. If new is a requirement you can still get them pretty cheap.
    • It does take DDR3 SODIMMs which are more expensive than full-sized RDIMMs, but still can be had for decent prices and for just pfsense you don't need much.
  • Low power and heat means low noise
  • Capable of doing everything you've asked and more
  • 4 gigabit ports in case you want to add additional networks without VLANs
 

fsck

> Sounds like a C2000 such as the A1SRI-2558F would suit you just fine.
>
>   • Low cost if you can watch for deals on eBay. If new is a requirement you can still get them pretty cheap.
>     • It does take DDR3 SODIMMs which are more expensive than full-sized RDIMMs, but still can be had for decent prices and for just pfsense you don't need much.
>   • Low power and heat means low noise
>   • Capable of doing everything you've asked and more
>   • 4 gigabit ports in case you want to add additional networks without VLANs

I agree, assuming you can actually get one.
If you're American, there is still a surplus of Supermicro X9 LGA1155 gear hanging around and you can have a full system with a Xeon v2 (which have AES-NI unlike the i3s) for <200$ USD shipped I believe.

Depends on how long you want to wait, how lucky you are and how good you are at searching.
I failed the previous line, thus I ended up with the system I linked in my previous post, having to get it shipped from the states.
 

Robert Fontaine

I have no interest in lga1155 gear. I am interested in low power, quiet.
A1SRI-2558F looks just about perfect for my little router.
 

fsck

ASRock J3355B-ITX Intel Dual-Core Processor J3355 (up to 2.5 GHz) Mini ITX Motherboard/CPU Combo - Newegg.com

Don't forget about consumer netbook-size stuff or about mobile chips. Especially if you want to go completely fanless.

Free Shipping! 4 Gigabit LAN ports Mini PC Celeron 3215U/Core i3/Core i5 5250 using pfsense as Router/ Firewall, x86 Linux-in Mini PC from Computer & Office on Aliexpress.com | Alibaba Group

There's literally an endless stream of options. Qotom produces some nice boards for pfsense.
 

kapone

> I have no interest in lga1155 gear. I am interested in low power, quiet.
> A1SRI-2558F looks just about perfect for my little router.

Don't write off 1155 gear because of that. I have several 1155 based systems still, and from a power/performance/cost factor, they can't be beat (with eBay prices).

A barebones 1155 motherboard (like the ones from Dell for their Optiplex 3010 series) with an i3 3220/8GB RAM (two sticks)/SSD/CPU fan idles at ~15w (with a decent to good power supply) and is practically silent.

A slightly more feature-rich board like Supermicro's x9 series, which include IPMI, dual LAN etc., adds about 5-7w to that number. Still practically silent.

I find the upgrade cost/performance from these systems to newer ones to be worse. The newer systems are "technically" more power efficient and offer better IPC performance, but once you're down to under 20w idling, the difference is not worth writing home about.

Unless there are features of the newer platforms that you absolutely need, there is nothing wrong with used gear, a gen or two older.
 

nthu9280

Another option if you are in the US. Take a look at the threads on the HP T620 Plus thin client that @BLinux posted here in the last couple of weeks or so. They can be had for ~ $120 or less all in. Can do AES-NI, near silent, draws < 20w. It's based on an AMD chip. One downside - it's not rackmountable.
 

fsck

> Don't write off 1155 gear because of that. I have several 1155 based systems still, and from a power/performance/cost factor, they can't be beat (with eBay prices).
>
> A barebones 1155 motherboard (like the ones from Dell for their Optiplex 3010 series) with an i3 3220/8GB RAM (two sticks)/SSD/CPU fan idles at ~15w (with a decent to good power supply) and is practically silent.
>
> A slightly more feature-rich board like Supermicro's x9 series, which include IPMI, dual LAN etc., adds about 5-7w to that number. Still practically silent.
>
> I find the upgrade cost/performance from these systems to newer ones to be worse. The newer systems are "technically" more power efficient and offer better IPC performance, but once you're down to under 20w idling, the difference is not worth writing home about.
>
> Unless there are features of the newer platforms that you absolutely need, there is nothing wrong with used gear, a gen or two older.

i3 3220 doesn't have AES-NI. He'd need an i5 or above for it, or a Xeon.
 

kapone

> i3 3220 doesn't have AES-NI. He'd need an i5 or above for it, or a Xeon.

I was just using an example. An i5-3570S (which does have AES-NI) has almost exactly the same power draw at idle.
 

mstone

if it's going in a rack you basically don't care about TDP, you care about power at idle. (the firewall will basically always be at idle) most reasonably modern processors idle within a similar range, so the question is whether, on rare occasions, you'd rather have the fan spin up a bit more so you can run the cpu faster if something unusual happens, or whether you'd rather throttle the cpu to prevent it from running faster. if you're in a passive cooling situation then throttling is a good choice. otherwise, you're basically just saying "I'd rather pay extra to make sure this thing is never fast if it needs it to be". most cpus made within the past few years will hit your performance target (it's not at all high) so just buy what's cheapest.

people tend to dramatically overthink this "what cpu do I need for pfsense" problem. the only thing to check is aes-ni (for the simple reason that the pfsense people are trying to hurt the chinese firewall appliance vendors) and that's only an issue for really old gear or low tdp bay trail era desktop chips like the j1900 (which you shouldn't be looking at if you can use a fan).
 

Robert Fontaine

My rack is currently about 3 feet from my microphone here in the dungeon so TDP is important as it relates to no spinning fans in a 1u container slot... My bigger source of noise is my damn workstation. Supermicro X9DRG-QF cpu fans never spin down. The Noctuas are much better than they were when I had server fans on them but still far too many db's. Going to have to either figure out the IPMI settings or water cool the damn things.
 

IamSpartacus

If heat/noise is a concern, pick up one of these. They are 100% silent (obviously since fanless) and do an EXCELLENT job of cooling. I have 2 (1 on each side of a 1Gbps Site-to-Site VPN connection that pushes 400-500Mbps through every day) and they don't break a sweat. CPUs stay right around 30C. They aren't cheap, but silence is priceless IMO.
 

mstone

> My rack is currently about 3 feet from my microphone here in the dungeon so TDP is important as it relates to no spinning fans in a 1u container slot... My bigger source of noise is my damn workstation. Supermicro X9DRG-QF cpu fans never spin down. The Noctuas are much better than they were when I had server fans on them but still far too many db's. Going to have to either figure out the IPMI settings or water cool the damn things.

In that case, I'd just lose the rack--it doesn't seem like the right tool for the job. Larger cases which can use larger low-RPM fans will run quieter and you won't keep bumping into the fact that rack mount gear typically doesn't have noise as a design factor.
 

Robert Fontaine

> In that case, I'd just lose the rack--it doesn't seem like the right tool for the job. Larger cases which can use larger low-RPM fans will run quieter and you won't keep bumping into the fact that rack mount gear typically doesn't have noise as a design factor.

Network rack for network gear. I want a nice quiet 12u up on the wall in a cabinet when done.
 

kapone

> Rohit has a review of the Protectli FW4A as a silent pfSense box almost done. Amazon Protectli FW4A
>
> Looks fairly good. No moving parts from the pictures.

While that's not a bad box, it's "only" clocked at 1.9GHz. In the OP's case, that may be sufficient as he has less than 200mbps internet, but for a faster connection (I have 1gbps symmetric), that may not be enough, depending on what you run.

Something to think about.
 

Patrick

If you have a 1Gbps symmetric connection and are running a lot of processing on traffic, you are probably buying something higher-end than a $340 configured node.

And if you are just doing NAT, DHCP, DNS, etc., it is still pretty fast. At 200mbps a quad-core Atom will not have an issue.