Budget 1Gb pfSense build

[Stokkes]

Hey all

I'm looking to move away from my Unifi USG3 to pfSense which I have experience with. Looking to see what the best budget build would be for the following setup.

• 1.5Gbps down/960Mbps up fibre link to the home
• About 5 computers, 30-40 smart IOT devices/cameras over 3-4 VLANs
• Want to run Suricata/Snorr
• Want to run pfBlockerng
• Probably a few other packages maybe bandwidthd (I think that's the name)
• VPN will be WireGuard but not used very often
• Need to maintain full line speed with all IDS/IPS and other packages turned on
• Prefer a smaller form factor/low wattage not a rack mount
• Looking to spend about 200-250$ US

I know it's not budget but I think the new SG-4100 can do the above but it's $599 and likely above my budget unless there are no other alternatives.

Any suggestions? I've been reading about the HP T620 plus or possibly an Optiplex SFF but honestly I'm not sure what would be best to maintain the requirements I mentioned above.

Appreciate the help.

 

[sic0048]

I use a T620+ and it works great, but I'm not sure if it can handle those speeds. I only have 300/300 and it works just fine, but that is a long way from 1.5/1. I'm not saying it wouldn't work, I just don't know. As far as devices and VLANs, I run a lot more than what you are thinking about.

 

[newabc]

The barebone for J4125 + 4 x intel i225B3 (i225 is a 2.5Gbps RJ45 NIC) already costs $19x at aliexpress.com(link). The RAM and SSD also have costs.

Patrick made an introduction on a same configuration item(link), but he hasn't tested the Topton one which he is waiting for the delivery.

Personally, if I were you and got 1Gbps up/down, I would try Wyse 5070 extended and HP T730. But their passmark scores are lower than the J4125 for 12-18%. Both can reach over 1Gbps on one-way on the IDS of Suricata(not IPS).

 

[newabc]

HP T740 (CPU performance similar to AMD Ryzen 5 2400ge) and Pentium N6005 have higher passmark scores.
The barebone of Pentium N6005 + 4 x i225 costs around $27x (link). T740 usually costs around $300 at ebay.

 

[infojunky]

I can get 1 gbit WAN speed with a GX-424CC (2.4 GHz) but Surricata cuts the speed in half so IPS is not usable. Wireguard-kmod speed across LAN was around 700 MB/s iirc.

T620 plus's top CPU is GX-420CC (2 GHz) so it's even worse than what I described.

 

[Stokkes]

Thanks for the replies. It seems maintaining that 1Gb throughout with everything lit up is ever elusive in a small box. Maybe I should just shell out for the new SG-4100

 

[newabc]

Thanks for the replies. It seems maintaining that 1Gb throughout with everything lit up is ever elusive in a small box. Maybe I should just shell out for the new SG-4100

Atom C3558's passmark is only around 2400 and C3338 is just a little above its half. For the IDS and IPS which consume lots of CPU power usually, it will be pretty lucky if the Atom C3558 can reach 500Mbps up and down at the same time when running Suricata as IPS. The C3338 can handle much less than C3558. sg4100 and sg6100 are based on pure software solution and lacking a switching chip like the sg7100.

 

[zer0sum]

The Lenovo M720q and M920q might be one of your best little boxes that could do it.

https://forums.servethehome.com/index.php?threads/lenovo-thinkcentre-tiny-project-tinyminimicro-reference-thread.34925/

They usually come standard with an 8500T or 8700T which have passmark scores of ~7600 and ~10600 respectively.

They have a PCIe slot so you can put a 10G dual port network card in them so you can get 1/2.5/5/10G from your ISP gateway.

I run an M920q and use proxmox as an edge hypervisor running various firewalls like Palo Alto, Juniper, OPNsense etc. with SR-IOV or hardware passthrough

I won't run pfsense due to their history and garbage, so I can't give you a direct comparison there.

 

[memilanuk]

I run an M920q and use proxmox as an edge hypervisor running various firewalls like Palo Alto, Juniper, OPNsense etc. with SR-IOV or hardware passthrough

How much RAM do you have in that box? Any other VMs or CTs running besides the firewall?

I've got one on the way, with 8GB RAM. Wasn't sure if that was enough overhead for both the hypervisor and the firewall to run comfortably.

 

[etorix]

@newabc @zer0sum To ask the question the other way around: What minimal hardware would be suitable as a small pfSense/OPNsense for 1 Gb traffic? With or without Suricata? (Bare metal, no extra function.)

 

[newabc]

You can see the below real world test result:

CPU:

(1) My own test result: If considering only 1 packet pattern(an example is only using iperf to initiate the Suricata IDS to send alert), Atom C3758(8 core, passmark 44xx) can do 1Gbps in one-way at the same time. Because the server barebone and the lab limit, I haven't tested 10Gbps yet.

(2) The others on reddit for Netgate sg7100 (Atom C3558, 4 core, with switching chip on board): 1Gbps IDS.

RAM:
(1) 16GB allows Suricata to monitor 2 interfaces with a full set of Snort rules on the Atom C3758 server, 25-30% or less memory usage.
(2) 8GB can do 2 interfaces with a full Snort set, too. But it is easy to fill up all the memory for misconfiguring other services on pfSense.

I can estimate passmark 3000 is capable to do 1Gbps in one-way at the same time with Suricata IDS. Or even more bandwidth. I haven't test IPS since there are tons of works on optimizing the rule set for real world usage.

If anyone doesn't consider IDS, IPS and VPN, only consider packet forwarding and routing, passmark 1500 is pretty enough for 1Gbps up and down. For ARM solutions, it means Mikrotik rb4011/rb5009 and Unifi dream machine pro are enough for 1Gbps up and down without these stuffs.

 

[etorix]

Thanks! This is very useful guidance.

 

[Filez]

The Lenovo M720q and M920q might be one of your best little boxes that could do it.

https://forums.servethehome.com/index.php?threads/lenovo-thinkcentre-tiny-project-tinyminimicro-reference-thread.34925/

They usually come standard with an 8500T or 8700T which have passmark scores of ~7600 and ~10600 respectively.

They have a PCIe slot so you can put a 10G dual port network card in them so you can get 1/2.5/5/10G from your ISP gateway.

I run an M920q and use proxmox as an edge hypervisor running various firewalls like Palo Alto, Juniper, OPNsense etc. with SR-IOV or hardware passthrough

I won't run pfsense due to their history and garbage, so I can't give you a direct comparison there.

whats the power draw for these if I run them 24x7?

 

[adman_c]

whats the power draw for these if I run them 24x7?

I have a m720q with a supermicro 2x 10g card that idles around 12-15w with pfsense running on top of proxmox. See here for some pics.