Dell Optiplex 3010 running pfSense?

Fodmidoid

Member
Dec 29, 2016
Greetings!

It looks as though I've outgrown my ASA-5505 now that I've increased my Fios home connection speed to 150 Mbps Up/Down. So, now I'm back to using the Verizon Fios wireless router and I'm really wanting to start using pfSense and learning all about it.

...which brings me to my question.

I am thinking of re-purposing my current desktop PC into a pfSense firewall for my home network which has Fios 150/150 Mbps.

Would the following system be a good candidate for running a standalone instance of pfSense, including running apps (squid, snort, Open VPN, etc.)?


Here are the specs:
OptiPlex 3010 Small Form Factor Standard PSU
3rd Gen Intel Core i3-3220 Processor (Dual Core, 3.30GHz, 3MB, w/ HD2500 Graphics)
x2 4GB (8 GB Total), NON-ECC, 1600MHZ DDR3, 1DIMM, OPTI
HARD DRIVE, 500GB, S3, 7.2K, WESTERN DIGITAL, XL500A
OptiPlex 3010 Small Form Factor Standard Power Supply, 250W


I was originally trying to decide whether to go with an Atom C2x58, Xeon D-15x8, Xeon E3-12xx, or an Intel i5 6500 build, but after days of reading through countless posts and reviews here and at the pfSense forums, I started wondering if the Optiplex i3 3220 that I already own could be a good candidate. If so, I can put the money into building a nice desktop PC for myself, instead.


I would prefer to not have to spend as much as $500-600 on a home firewall, but at the same time, I want it to be able to handle everything I need with my current connection (as well as some future growth) and apps I plan to be running, and need to make sure that it's 100% compatible with pfSense, has AES-NI, is quiet and low-power, and I would need to add an Intel Quad PCI-e network card for WAN/LAN/DMZ connections. Since this is Small Form Factor, I guess I would need something low-profile.

Is this exactly what I need or should I still be looking at a solution such as the ones listed above?

Any advice you all could give me would be greatly appreciated. I tried to give as much info as possible, but let me know if you need some more details.

Thanks very much!
 

markarr

Active Member
Oct 31, 2013
Is your speed synchronous or async? If you have 150/150 without AES vpns "may" struggle, if you also run the other apps. If you don't expect full speed from your vpn then you should have no problems.
 

zhoulander

Active Member
Feb 1, 2016
Why did you specify AES-NI as a requirement if you don't know what you need it for?

It'll be useful for accelerating heavy OpenVPN loads.
 

maze

Active Member
Apr 27, 2013
how about going 5506-x? - the new software update just enabled bridging of the interfaces which basically gives you the 5505, just capable of doing 1gbit :)
 

whitey

Moderator
Jun 30, 2014
What type of network cards/ports does the Optiplex 3010 have or are you just figuring to add a dual/quad port Intel nic?

My thoughts, throw in a network card and run it/call it a day/monitor it, chances are it will be just fine for your use-case...COST = $0 if you have a dual port Intel nic laying arnd, if not I can send ya one that I have no use for lol

EDIT: There's always this bad boi as well if ya REALLY wanna go purpose-built/hands off/easy route :-D

Netgate SG-1000 microFirewall
 

ttabbal

Active Member
Mar 10, 2016
Short version, yes, it will work. You might strain the CPU with VPN, maybe. 150Mbit/s isn't really that much, and it may well handle it fine without AES-NI. You're doing all the crypto in software, but with 2 3Ghz i3 cores, it probably doesn't matter.

I second whitey's suggestion, a dual Intel NIC is the way to go. The built in and/or random NIC you might have in there may work in Windows and Linux, but BSD is a bit picky and with 1GbE, Intel is guaranteed to work well.
 

Fodmidoid

Member
Dec 29, 2016
whitey said:
> What type of network cards/ports does the Optiplex 3010 have or are you just figuring to add a dual/quad port Intel nic?
>
> My thoughts, throw in a network card and run it/call it a day/monitor it, chances are it will be just fine for your use-case...COST = $0 if you have a dual port Intel nic laying arnd, if not I can send ya one that I have no use for lol
>
> EDIT: There's always this bad boi as well if ya REALLY wanna go purpose-built/hands off/easy route :-D
>
> Netgate SG-1000 microFirewall

Thanks. Yes, if I went with the Dell Optiplex, I was planning to throw a nic in there. Wow, that is real nice to offer!... but I think I may have something laying around.

The Netgate SG-1000 was intriguing at first, but when I looked at the specs, it seemed to really fall short. What do you think?
 

whitey

Moderator
Jun 30, 2014
No sweat, ya got a good/validated nic that'll work well w/ pfSense...if not offer totally still stands, just pay for ship, hate to see ya stand it up and not be happy if the nic's aren't up to snuff. This one's a genuine Intel Pro 1000 PT dual port that I have had laying around lonely for a couple of years at least since I went to 10G on my servers, used to dutifully serve VI3/vSphere 4 traffic back in the day on some of my EARLY home labs/gear.

intel-dual-port-nic.jpg

@PigLover may know better on the SG-1000, I think if memory serves me correct he had done some digging, it's hard to say w/ a 'max connections' and no throughput chart what the hell it will do until some traffic is thrown at it. Would LOVE to hear any feedback from members that may have one in operation though.
 

PigLover

Moderator
Jan 26, 2011
My digging on the SG-1000 was limited. I had found some performance numbers from Netgate somewhere but can't seem to find them again. I did find this, which suggests for a home router and limited apps (i.e., router/FW only, no IDS, etc) it should be good north of 500Mbps (see here: SG-1000 (ufw) Performance Tests • /r/PFSENSE).
 

Evan

Well-Known Member
Jan 6, 2016
maze said:
> how about going 5506-x? - the new software update just enabled bridging of the interfaces which basically gives you the 5505, just capable of doing 1gbit :)

Sadly a 5506-X is not capable of anywhere near 1G, in mixed tcp/udp it's like 300M, and still only 750M max for pure udp.
1 core for routing and 3 for firepower stuff.

I really want to love the 5506-X but just can't, I asked Cisco to drop me a demo-loan unit to try as I wanted to get some real world testing and see how it goes compared to spec.
 

maze

Active Member
Apr 27, 2013
Evan said:
> Sadly a 5506-X is not capable of anywhere near 1G, in mixed tcp/udp it's like 300M, and still only 750M max for pure udp.
> 1 core for routing and 3 for firepower stuff.
>
> I really want to love the 5506-X but just can't, I asked Cisco to drop me a demo-loan unit to try as I wanted to get some real world testing and see how it goes compared to spec.

No issues on a 750M link from my knowledge.. unless you're doing a lot to your traffic Ofc..
 

Diavuno

Active Member

Evan

Well-Known Member
Jan 6, 2016
> On the other hand I have a joint Colo with a pair (again in ha) of super micro atoms. The c2758 (8core) iirc, amazing chips
>
> They are almost always idle. Even pushing huge VPN traffic.


Difference being the C2000 Atom chips support AES-NI and are built for server duties, not to mention the very high-end i350 NIC.
 

Evan

Well-Known Member
Jan 6, 2016
If the VPN performance is ok for you then of course it's not mandatory.
Just saying why the C2000 systems are much faster.

There are other advantages as well, like IPMI for management of those devices.

It all depends on needs; choose a solution accordingly.