Hardware advice pfSense 1gig pppoe

Tim0252

New Member
Nov 6, 2023
Hi all, I bought a Protectli FW4B a few years ago and installed pfSense - it couldn't cope with my 1gig PPPoE connection (because single-thread performance was not good enough). Hence I installed Untangle, which has been rock solid for almost 3 years now.

Anyway, free features on pfSense require an annual license on Untangle so I want to switch back.

I don't want any performance bottlenecks on my 1gig PPPoE connection, even with WireGuard/OpenVPN tunnelling for a couple of clients, Snort/Suricata, pfBlocker-NG, etc. on.

I'm looking at the CWWK mini-PCs based on N100, i3-N305, i5-1235U and i3-1315U CPUs. Other suggestions welcome.

Only need 2 Ethernet ports (WAN+LAN).

What spec will serve my needs? I'm prepared to buy what's needed but at the same time I don't want to over engineer it and end up with a system which barely breaks a sweat 100% of the time.

I'm not interested in Proxmox/vSphere/virtualisation unless for some reason it's a requirement to get stuff working.

Thanks in advance for any help!
 

rtech

Active Member
Jun 2, 2021
You might just want to explore other Linux firewall distros.
BSD-based stuff is slow and you might not be able to saturate even with more powerful HW.

Endian Firewall Community
Smoothwall Express
IPFire
VyOS
ClearOS
 

slidermike

Active Member
May 7, 2023
If your current hardware can do it, keep it. Focus on a Linux distro FW.
IPFire is good out of the box.
If you care for something more customizable with lots of plug-ins (read: more effort/learning curve), OpenWrt is great.
Rtech gives some solid recommendations.
 

Tech Junky

Active Member
Oct 26, 2023
Just pick a CPU that does wg well and the rest will fall into place.

I use Ubuntu and iptables for the FW side. It's simple and effective and hits wire speed.

Iptables is only a few lines to lock things down.
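
One possible form of the short iptables lockdown mentioned in the post above, as an added example that is not part of the thread or any poster's actual configuration. It assumes a Linux router with the PPPoE session on `ppp0`, the LAN on `eth1`, a WireGuard interface `wg0` listening on UDP 51820, and IPv4 only; all of these names and values are assumptions.

```shell
#!/bin/sh
# Added example. Interface names and the WireGuard port are assumptions.
# Prints an IPv4 ruleset in iptables-restore format; it changes nothing itself.
gen_ruleset() {
    wan="${1:-ppp0}"       # PPPoE session interface (assumed name)
    lan="${2:-eth1}"       # LAN port (assumed name)
    wg_port="${3:-51820}"  # WireGuard listen port (assumed value)
    # Refuse anything that could smuggle extra rule text into the output.
    for ifc in "$wan" "$lan"; do
        case "$ifc" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    done
    case "$wg_port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$wg_port" -ge 1 ] && [ "$wg_port" -le 65535 ] || return 1
    cat <<EOF
*filter
# Default deny for traffic to and through the router.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
# The only unsolicited traffic accepted from the WAN: WireGuard handshakes.
-A INPUT -i $wan -p udp --dport $wg_port -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
# PPPoE lowers the path MTU below 1500, so clamp TCP MSS on forwarded SYNs.
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}
gen_ruleset "$@"
```

Piping the output to `iptables-restore --test` parses it without committing anything. IPv6 is not covered and needs its own ip6tables ruleset.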
 

slidermike

Active Member
May 7, 2023
The good news is, if you stick with WireGuard it is multicore capable, unlike OpenVPN. That means single-core clock speed is not as important as it is with OpenVPN.
Your current FW4B (4 core I believe) will perform far better with WireGuard than OpenVPN right out of the box because of this.
If it were me I would install one of the above suggested OSes on your current FW and give it a whirl.
If you still want to upgrade the hardware, it cost you nothing and gained you some practice and knowledge about which OS you might want to install on the new hardware.

Good luck!
 

themeuge

New Member
Dec 19, 2021
My N6005 box would absolutely saturate 1Gb with extensive Snort and pfBlocker rules, and would get about 70% CPU use when doing so.
Any of the N-1xx series or especially the i3-n3xx series would be even faster.
I did just pick up a new Topton i5-1240p with 10Gb because I was considering going up to 5Gb fiber, but for 1Gb, N5105 or above would be fine.
 