Need pfSense Hardware Advice for Gigabit Internet

Discussion in 'Networking' started by Fodmidoid, Jun 1, 2017.

  1. Fodmidoid

    Fodmidoid Member

    Joined:
    Dec 29, 2016
    Messages:
    94
    Likes Received:
    0
    Hi All,

    A few months ago, I started a thread asking advice for pfSense hardware to support a 150/150 Mbps home connection. In the end, I decided to go with the APU2C4, and I've been very happy with that decision, until now. I figured that would hold me over for the next few years at least. But, as it turns out, Fios offered me 940/880 Mbps. Very excited! However, now that I'm running gigabit internet, it seems that the APU2C4 is only capable of around 600-700 Mbps.

    So...It's time for me to build (or buy) something else that can handle the new speeds, with ease. My budget is fairly flexible, but I think if it starts getting expensive, I may opt to virtualize it instead, as I'm also really wanting to build a low-power Xeon D-15xx server for my home network and some labbing. It must also support AES-NI.

    So advice for both systems would be greatly appreciated, as always. I'm not sure if I'm leaving anything out here.

    Thanks!
     
    #1
    Last edited: Jun 1, 2017
  2. CookiesLikeWhoa

    Joined:
    Sep 7, 2016
    Messages:
    111
    Likes Received:
    24
    I'm not 100% sure on this, but my gut feeling is you'll need to go the Xeon E3-v5/6 route for this, especially if you do anything to it (Snort, VPN, etc.).
     
    #2
  3. Fodmidoid

    Fodmidoid Member

    Yes, I am planning to run OpenVPN, as well as a few other apps.
     
    #3
  4. ttabbal

    ttabbal Active Member

    Joined:
    Mar 10, 2016
    Messages:
    723
    Likes Received:
    193
    For OpenVPN at those speeds, you need AES-NI. It's single-threaded, so that's about the only option.

    If you have a spare box around, I would try setting it up with pfSense and running gigabit ethernet to a couple boxes or VMs with NICs passed through to see what happens. I expect routing won't be too bad, NAT might hurt a little though.

    Note that virtualizing pfSense can cause some tricky issues. IMPORTANT: Xen/KVM networking will not work using default hypervisor settings!
     
    #4
  5. T_Minus

    T_Minus Moderator

    Joined:
    Feb 15, 2015
    Messages:
    6,832
    Likes Received:
    1,489
    Curious @ttabbal but won't 'OpenVPN at those speeds' be kind of irrelevant unless he's on gigabit internet at another location?
    I didn't see any use-case info, but the message sounds like an 'at home' setup, so likely 2-3 users max too.

    I'm not a VPN pro, nor do I have experience with fast internet like this, but it seems that for the stuff that needs more power it may not be an issue if only 1 user is utilizing it and/or from a not-as-fast internet... is that wrong?
     
    #5
  6. ttabbal

    ttabbal Active Member

    True. They didn't specify the other end, so I went for worst-case. That may not be needed. The speeds are always dictated by the slowest link, obviously. So "it depends" is generally the answer. I've found that my Opteron 4133 handles ~200Mbps VPN without AES-NI, but it can push one core pretty hard doing it. Just to give one real data point. Encryption settings matter as well, I don't know those offhand. I believe it is just AES-128-CBC, nothing real major, but enough to keep Comcast from decrypting it.

    One other interesting thing to note is that the next major version of pfSense is going to require AES-NI. So if you're building up a system for it now, it is probably worth making sure you get it. When that happens, I'll need to upgrade at least the CPU, but since the 4200 series has it, I can get that pretty cheap when it's time. Or have a reason to get newer gear... :)
     
    #6
  7. Drewy

    Drewy Member

    Joined:
    Apr 23, 2016
    Messages:
    168
    Likes Received:
    23
    I have a 2758; it does 1gb just fine. I don't have the luxury of a 1gb tinternet connection, but I run multiple VLANs and have lots of firewall rules and Snort running on them. Obviously this isn't going to cope with 1gb VPN connections.
     
    #7
  8. Fodmidoid

    Fodmidoid Member

    Thanks. Yeah, the APU2C4 I'm currently running supports AES-NI and I am definitely planning to have another system that supports AES-NI, as well.
     
    #8
  9. Fodmidoid

    Fodmidoid Member

    Thanks for the reply. Yes, I should have specified that this was for my home connection and OpenVPN would only be used by 1-2 people, at most. And yes, of course, I am limited by the connection at the other end when it comes to OpenVPN. Which makes total sense. I don't expect to have gigabit speeds over VPN. I was just adding that it's one of the apps I'm planning to run on pfSense.
     
    #9
    Last edited: Jun 1, 2017
  10. Fodmidoid

    Fodmidoid Member

    Does anyone have any hardware suggestions?

    Thanks.
     
    #10
  11. MiniKnight

    MiniKnight Well-Known Member

    Joined:
    Mar 30, 2012
    Messages:
    2,952
    Likes Received:
    860
    Supermicro C2758 and be done with it.
     
    #11
  12. Fodmidoid

    Fodmidoid Member

    Thanks. Do you think I'm better off with a C2758 than a Xeon D-1518 or xx28 or something?

    I seem to remember people saying that the Atom Cx58's, while very good, were getting dated.
     
    #12
  13. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,864
    Likes Received:
    429
    Double the single-thread performance on Xeon-D, and $ for performance is then about the same, plus you get boards that have 10G and SFP+.
     
    #13
  14. fmatthew5876

    fmatthew5876 Member

    Joined:
    Mar 20, 2017
    Messages:
    69
    Likes Received:
    10
    I went with a Supermicro C2758 for my pfSense home router because the system is silent. If noise were not a concern, I'd probably go with Xeon-D, especially one with built-in 10G onboard.
     
    #14
  15. Dww0311

    Dww0311 Member

    Joined:
    May 19, 2017
    Messages:
    45
    Likes Received:
    7
    I run Sophos UTM 9 (with just about every option turned on) on an E3-1280 v2 @ 3.60 & 32GB servicing a load balanced dual link (two different ISP) 800/800 WAN. That's a good bit more of a load than just pfSense would be.

    CPU utilization with a saturated pipe is about 8% max. I think maybe you're throwing more ammunition downrange than you need to unless this box is going to be filling multiple roles.

    Dell R210II E3-1280v2 is what I'd recommend - cheap, quiet and capable.
     
    #15
  16. Aluminum

    Aluminum Active Member

    Joined:
    Sep 7, 2012
    Messages:
    431
    Likes Received:
    45
    Dell T20/T30 or Lenovo TS140 or similar; add a cheap Intel dual/quad NIC from fleabay. There is a $350 T30 deal right now. 3+ GHz Haswell/Skylake is capable of doing a lot on a gigabit line.

    E3 is much, much better than Cxxxx for this role, especially for OpenVPN, Snort and anything else locked to 1 thread. Also, it seems like the free version of pfSense will likely not be getting some of the custom offload stuff they are working on right now. Xeon D costs too much and single-thread clock speed is kinda low.
     
    #16
  17. Fodmidoid

    Fodmidoid Member

    Thanks for the recommendation.

    I've searched eBay and can't find a single Dell R210 II E3-1280v2 for sale there. Would the E3-1240v2 be just as good for this?
     
    #17
  18. Fodmidoid

    Fodmidoid Member

    Thank you. Out of the 3 you mentioned, which one would you go with (the T30?) and do you feel these are a better option than the Dell R210 II mentioned above?

    Also, there are a lot of T30s that come up. Could you please provide a link to the one you were referencing? How much RAM should I have?

    I also need a minimum of 3 Intel Gig NICs as I want to have a DMZ as well. If you, or anyone else, could recommend a quad port gigabit Intel NIC, I'd appreciate it.

    Thanks again.
     
    #18
  19. Dww0311

    Dww0311 Member

    It's slightly slower, but it would work IMO.

    If I've determined that I want to run a 1280 in one of these boxes, I'll normally just buy the processor separately and swap it out. On that path, I'll just find the cheapest non-stripped R210 II available, do the surgery once everything arrives and then sell the original processor that I swapped out on fleabay to recoup some of my $$.
     
    #19
    Last edited: Jun 3, 2017
  20. Dww0311

    Dww0311 Member

    I haven't played around with the T30s since I only use rack mounts (have a rack, so why clutter up the floor), so I can't say if they're upgradeable with respect to processor. Spec says the only Xeon it was ever offered with is the E3-1225v5, which is actually quite slower than the E3-1280v2 and doesn't support hyperthreading.

    Maybe one of the other guys who knows these boxes better can opine on whether the T30 can handle a higher v5 than the 1225. If so, and you're willing to spend the $$ on the replacement processor (for example, cheapest E3-1240 v5 on fleabay I found is about $300), I'd go that route instead of the R210 II.
     
    #20