Help me rationalise my network please


crembz

Member
May 21, 2023
35
0
6
Yes, it would be under both scenarios; my hosts are mainly a bunch of mini PCs with 1G NICs. But the NAS will be able to handle multiple 1G connections from the hosts.

What would be the minimum CPU required for pfSense to handle 10G inter-VLAN routing? I can't seem to find a definitive answer.
 

Rand__

Well-Known Member
Mar 6, 2014
6,626
1,767
113
That probably depends on the complexity of your rules and the services you run (IPS/IDS comes to mind)...
 

LodeRunner

Active Member
Apr 27, 2019
540
227
43
That probably depends on the complexity of your rules and the services you run (IPS/IDS comes to mind)...
No probably about it. Once you're doing any inspection, or rules beyond very simple port and address based allow/deny, you hit the CPU quite hard. Plain routing is not CPU intensive by comparison.
 
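The point above about plain forwarding versus inspection comes down to a per-packet CPU budget: at line rate the packet count is fixed by the frame size, so the cycles available per packet are just clock times cores divided by packets per second. The following is an added capacity-planning example, not code from the thread or from pfSense/OPNsense; it uses standard Ethernet framing overhead (8 bytes preamble/SFD plus 12 bytes inter-frame gap per frame) and treats the clock rate, core count and per-packet cost figures passed in as assumptions the caller supplies, not measured values.

```python
"""Per-packet CPU budget for a software router/firewall at a given line rate.

Added example (not from the forum thread). The framing constants are standard
Ethernet; clock rates, core counts and cycles-per-packet costs are inputs the
caller chooses and are assumptions, not measurements of any product.
"""

PREAMBLE_SFD_BYTES = 8   # preamble + start-frame delimiter, sent before every frame
IFG_BYTES = 12           # inter-frame gap, expressed as byte-times
MIN_FRAME_BYTES = 64     # minimum Ethernet frame including FCS
MAX_FRAME_BYTES = 1518   # maximum standard (non-jumbo) frame including FCS


def wire_bits(frame_bytes):
    """Bits actually occupied on the wire by one frame, including framing overhead."""
    if not MIN_FRAME_BYTES <= frame_bytes <= 9018:  # allow jumbo frames up to 9000 payload
        raise ValueError("frame size out of range: %d" % frame_bytes)
    return (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8


def packets_per_second(line_rate_bps, frame_bytes):
    """Maximum frames per second a link of line_rate_bps carries at this frame size."""
    return line_rate_bps / wire_bits(frame_bytes)


def cycles_per_packet(line_rate_bps, frame_bytes, clock_hz, cores):
    """CPU cycles available per packet if every core is fully dedicated to forwarding."""
    return clock_hz * cores / packets_per_second(line_rate_bps, frame_bytes)


def max_line_rate_bps(cost_cycles_per_packet, frame_bytes, clock_hz, cores):
    """Inverse: the line rate sustainable when each packet costs a fixed number of cycles.

    cost_cycles_per_packet is an assumed cost (e.g. from your own profiling); this
    function makes no claim about what any real firewall actually spends.
    """
    pps_capacity = clock_hz * cores / cost_cycles_per_packet
    return pps_capacity * wire_bits(frame_bytes)


def budget_table(line_rate_bps, clock_hz, cores,
                 frame_sizes=(64, 128, 256, 512, 1024, 1518)):
    """Cycles-per-packet budget across the usual frame sizes, as a dict."""
    return {f: cycles_per_packet(line_rate_bps, f, clock_hz, cores) for f in frame_sizes}


if __name__ == "__main__":
    # Illustrative assumptions only: a 10 GbE link and a 4-core 3.0 GHz CPU.
    LINE = 10e9
    CLOCK = 3.0e9
    CORES = 4
    print("frame  pps           cycles/pkt (all %d cores)" % CORES)
    for frame, budget in budget_table(LINE, CLOCK, CORES).items():
        print("%5d  %12.0f  %10.1f" % (frame, packets_per_second(LINE, frame), budget))
    # Turn it around: at an assumed cost of 1000 cycles per 64-byte packet,
    # what line rate does the same CPU sustain?
    print("sustainable at 1000 cycles/pkt, 64 B: %.2f Gbps"
          % (max_line_rate_bps(1000, 64, CLOCK, CORES) / 1e9))
```

The worst case is the minimum frame size: a 10 GbE link saturated with 64-byte frames is about 14.9 million packets per second, which at 3 GHz is only about 200 cycles per packet per core before any rule evaluation or inspection runs. Large frames give roughly 18 times more headroom, which is why a synthetic iperf-style test with full-size frames says little about how a box behaves under small-packet load. If you profile your own rule set to get a real cycles-per-packet figure, `max_line_rate_bps` turns it into the rate that CPU can hold for a given frame size.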

crembz

Member
May 21, 2023
35
0
6
No probably about it. Once you're doing any inspection, or rules beyond very simple port and address based allow/deny, you hit the CPU quite hard. Plain routing is not CPU intensive by comparison.
Yeah, I understand that. I'm still trying to find a baseline to decide if I'd be better served with a used mini PC or building a new Alder Lake system.

E.g. would an i5 9500 be sufficient for inter-VLAN routing at 10G, or should I build an ITX Alder Lake w/ 16GB?
 

Rand__

Well-Known Member
Mar 6, 2014
6,626
1,767
113
Just look at the ready-made offerings of your preferred FW vendor, i.e. pfSense/OPNsense. I think they have premade boxes that should give you an idea what hardware they recommend/use for a 10G-capable box.
 

LodeRunner

Active Member
Apr 27, 2019
540
227
43
OPNsense’s most expensive unit can only manage 2 Gbps throughput with threat inspection, per its data sheet. It’s an embedded EPYC of some variety.

Here’s Netgate’s data sheet: https://info.netgate.com/hubfs/website-assets/netgate-hardware-comparison-doc.pdf
Looks like for mixed traffic at 10 Gb firewall throughput you’d need a 1537. It’s an embedded Xeon with QAT support (I think that only accelerates crypto functions though, not firewall inspection.) Netgate doesn’t give numbers for inspection, just mixed traffic with 10k ACLs.
 

Sean Ho

seanho.com
Nov 19, 2019
768
352
63
Vancouver, BC
seanho.com
Again, if you can reduce or eliminate the need for 10Gbps inter-VLAN routing, your hardware requirements for OPNsense simplify greatly. IDS/IPS is most useful at the border; if your ISP link is gigabit or less, normal hardware like say X10SL* is plenty. If you do find yourself needing 10Gbps inter-VLAN, consider routing those VLANs in hardware via an L3 switch, like something from the ICX megathread.
 

crembz

Member
May 21, 2023
35
0
6
Again, if you can reduce or eliminate the need for 10Gbps inter-VLAN routing, your hardware requirements for OPNsense simplify greatly. IDS/IPS is most useful at the border; if your ISP link is gigabit or less, normal hardware like say X10SL* is plenty. If you do find yourself needing 10Gbps inter-VLAN, consider routing those VLANs in hardware via an L3 switch, like something from the ICX megathread.
I'll probably only need one or two devices to route at 10G, to be honest. The rest will all be on the same subnet. Debating between a used SFF OptiPlex (i5 9500) or building a mini-ITX 13100. Just want this thing to be small and quiet whilst still providing 10G.