2024 pfSense Builds


amalurk

Active Member
Dec 16, 2016
Can the C3000 processors with pretty poor single-core speed saturate the 2.5Gb WAN to LAN with a handful of firewall rules?

I recently purchased one of these:


Maybe a little overkill, but it's a great bit of kit. I've installed pfSense on mine; I have a 10GbE link to my LAN, 10GbE into my DMZ and two spare 10GbE for future expansion. I have used a combination of DACs and 10GbE SFP+ transceivers and haven't had a problem with compatibility.

The other 5 copper ports are all 2.5GbE. I'm running Snort in IPS blocking mode and also ntopng for flow data. I have privacy WireGuard VPNs running directly on the box to provide VPNs for all my networks; I can push 1Gb over WireGuard without the firewall breaking a sweat. I can also saturate 10GbE between my LAN and DMZ via the firewall.

There is a thread on them here - https://forums.servethehome.com/index.php?threads/qotom-denverton-fanless-system-with-4-sfp.41331/
and a great servethehome review here - The Everything Fanless Home Server Firewall Router and NAS Appliance (servethehome.com)

I've had it a month so far - no complaints. It's been a huge upgrade on what I had before and has brought me a ton more flexibility.
 

blunden

Active Member
Nov 29, 2019
Only thing that sucks is that I can't enable QAT because of Netgate's bullsh*t $129 a year subscription for pfPlus.
If I'm not mistaken, you get QAT for free with OPNsense so that's an option if you want to stay with BSD. :)

VyOS also gives you QAT for free.

Can the C3000 processors with pretty poor single-core speed saturate the 2.5Gb WAN to LAN with a handful of firewall rules?
You can see Netgate's benchmarks for the Netgate 8200, which is essentially the same as the top-spec C3758R in the Qotom.

 

networkguy

New Member
Mar 12, 2024
Can the C3000 processors with pretty poor single-core speed saturate the 2.5Gb WAN to LAN with a handful of firewall rules?
I don't have a 2.5GbE WAN yet, but my firewall does operate inter-VLAN routing; I can saturate 2.5GbE from my laptop to my servers on my server VLAN without it breaking a sweat.
 

sic0048

Active Member
Dec 24, 2018
I don't have a 2.5GbE WAN yet, but my firewall does operate inter-VLAN routing; I can saturate 2.5GbE from my laptop to my servers on my server VLAN without it breaking a sweat.
You should put the laptop on the same VLAN as the server, and then inter-VLAN routing won't be a problem for those devices. That data will be switched at the switch level and won't have to traverse to the router and back.
 

Tech Junky

Active Member
Oct 26, 2023
laptop on the same VLAN
That's a whole different can of worms. If the server has exposed services, then so would the other devices, which isn't ideal.

In my case my box is the router/FW connected to the WAN, and I have had no issues running this way for years, whether I had a public IP or not. I technically do, but access from the outside in through the 5G network would require an open tunnel to make it happen. I have a ton of different stuff on the box, though, running for the LAN side as well. It's a matter of having high bandwidth on the LAN and not bouncing data across the network for storage on incoming files.
 

networkguy

New Member
Mar 12, 2024
You should put the laptop on the same VLAN as the server, and then inter-VLAN routing won't be a problem for those devices. That data will be switched at the switch level and won't have to traverse to the router and back.
Of course, but I quite like the granular control of having subnets for specific use cases/requirements etc. I don't have a problem with the inter-VLAN performance with this device; I only have a 2.5GbE NIC in my laptop, but I can saturate 2.5GbE between VLANs without any issue.

My long-term goal is to have my trusted LANs (servers/users) inter-VLAN routed via an L3 switch, with a p2p default route to my firewall, as switch performance will always trump a firewall. Anything that needs to be exposed or that I don't trust will sit inside DMZ networks, which will be a physically isolated leg (dedicated switch and trunk to the FW etc.).
 

sic0048

Active Member
Dec 24, 2018
That's a whole different can of worms. If the server has exposed services, then so would the other devices, which isn't ideal.
Who/what are you trying to protect here when you say "exposed services"? That could mean a lot of different things...

Even without fully understanding what you are trying to say, I think it is safe to say that in the OP networkguy's case, the fact that his laptop can communicate with the server even if they are on separate VLANs means the two machines are still "exposed" to each other. He isn't adding any "security" by separating those devices across VLANs when he turns around and adds rules to allow communication between those devices. All he is doing in that case is creating a potential data bottleneck by forcing all of that inter-VLAN traffic to travel to/from the router.
 

sic0048

Active Member
Dec 24, 2018
Of course, but I quite like the granular control of having subnets for specific use cases/requirements etc. I don't have a problem with the inter-VLAN performance with this device; I only have a 2.5GbE NIC in my laptop, but I can saturate 2.5GbE between VLANs without any issue.

My long-term goal is to have my trusted LANs (servers/users) inter-VLAN routed via an L3 switch, with a p2p default route to my firewall, as switch performance will always trump a firewall. Anything that needs to be exposed or that I don't trust will sit inside DMZ networks, which will be a physically isolated leg (dedicated switch and trunk to the FW etc.).
The point is that even operating as a layer 2 switch, the switch handles all intra-VLAN traffic. Therefore, if you carefully plan out your VLANs to minimize the amount of inter-VLAN traffic, you can get nearly the same performance out of a layer 2 switch as a layer 3 switch (all other things being equal).

I'm not suggesting that setting up the switch as a layer 3 device is wrong or should be avoided. I'm just pointing this out because some people have a misconception that moving to a layer 3 switch on their home network is going to greatly increase their performance/network speeds. The truth is that if your "router on a stick" VLANs were set up logically, based on real traffic patterns, to minimize inter-VLAN traffic, you likely won't see a big jump in performance when you move that VLAN management to a layer 3 switch. Obviously, the larger the network is, the more likely it is that you can't avoid large amounts of inter-VLAN traffic, and that is why medium and large businesses are typically set up using layer 3 switches to handle routing.
 
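As an added illustration of sic0048's two points above (this is example code, not anything posted in the thread): given a VLAN plan and a flow log, the script totals how many bytes stay on the switch versus hairpin through the router-on-a-stick, and lists which VLAN pairs that routed traffic actually connects, which is also the set of pairs your firewall rules have made reachable to each other. The subnets and flow records are constructed; a real run would read them from something like an ntopng flow export.

```python
import ipaddress
from collections import defaultdict

# Constructed VLAN plan (hypothetical subnets, not from the thread).
VLANS = {
    "users":   ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "dmz":     ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed flow records (src, dst, bytes), shaped like an ntopng flow export.
FLOWS = [
    ("10.10.0.5",   "10.20.0.10", 8_000_000_000),  # laptop -> file server: crosses VLANs
    ("10.10.0.5",   "10.10.0.7",  1_000_000_000),  # laptop -> laptop: same VLAN
    ("10.20.0.10",  "10.20.0.11", 5_000_000_000),  # server -> server backup: same VLAN
    ("10.30.0.4",   "10.20.0.10",   200_000_000),  # DMZ host -> server: crosses VLANs
    ("203.0.113.9", "10.30.0.4",    300_000_000),  # internet -> DMZ: WAN side
]

def vlan_of(ip):
    """Name of the VLAN containing ip, or "external" for anything off-plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "external"

def classify_flows(flows):
    """Split bytes into traffic the switch forwards on its own (intra-VLAN)
    and traffic that must hairpin through the router/firewall (inter-VLAN or
    external). Only the second group is subject to firewall rules, so the
    per-pair totals also show which VLAN pairs are actually reachable."""
    switched = routed = 0
    per_pair = defaultdict(int)
    for src, dst, nbytes in flows:
        s, d = vlan_of(src), vlan_of(dst)
        if s == d and s != "external":
            switched += nbytes
        else:
            routed += nbytes
            per_pair[tuple(sorted((s, d)))] += nbytes
    return switched, routed, dict(per_pair)

def routed_share(flows):
    """Fraction of all bytes that would traverse a router-on-a-stick."""
    switched, routed, _ = classify_flows(flows)
    total = switched + routed
    return routed / total if total else 0.0
```

Calling classify_flows(FLOWS) on the constructed data shows 6 GB switched against 8.5 GB routed, almost all of it the users<->servers pair, which is exactly the laptop-to-server traffic the thread discusses moving onto one VLAN.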