Need pfSense Low Power Build Advice


mstone

Active Member
Mar 11, 2015
505
118
43
46
Thank you. The Xeon D wouldn't just be for firewall. It would be for the purpose of running a whole virtual environment in my home, which could include a pfsense vm.
Well, you really need to decide what you want. If it's just a firewall, then it doesn't require much in the way of resources for a simple home network. What bumped up the hardware requirement was when you started to talk about squid and snort and openvpn etc.

So, squid: I'm hard pressed to suggest running it anywhere at this point, unless you're trying to play with some kind of content filter (which you'll probably just end up giving up on). There's just not much bandwidth to be saved caching HTTP these days, so you're adding complexity and latency for nothing.

Snort: no reason for this to be on the firewall. Put it on a VM on a span port, you can throw as much or as little hardware at it as you want, and experiment with multiple tools more easily. Unless you're trying to IPS, then it needs to be inline. (But on a home network snort IPS is mostly going to just make you sad anyway.)

OpenVPN: hardware requirement for this is heavily dependent on your available bandwidth. Up to around 50Mbps you can keep up with most modern x86 hardware. Up to around 100Mbps you're fine with almost anything that has AES-NI. Beyond that, you need to start looking more closely at the requirements and the CPU specs.

If you keep the firewall as just a firewall the requirements are pretty low. I prefer a standalone firewall configured minimally, because it'll just run forever without needing to touch it or think about it. Putting it on a VM adds complexity, and you have to answer questions like "why isn't the internet working" when you want to futz around with the VM server. Heck, if you don't want to agonize over hardware and have modest bandwidth requirements you can just get SG-1000 microFirewall pfSense® Security Gateway Appliance from the pfsense store and be done with it.

Anyway, you need to figure out what you're trying to do
 

mstone

Active Member
Mar 11, 2015
505
118
43
46
I know there is a lot of talk about going ultra low power but at what cost, what's your ROI? How bad are electricity costs in your area?
For me, chasing low TDP is less about electricity costs than avoiding moving parts. If I can get the performance I need without a fan, I'd rather skip the fan. Especially those stupid little high RPM fans.
 

Fodmidoid

Member
Dec 29, 2016
94
0
6
50
Well, you really need to decide what you want. If it's just a firewall, then it doesn't require much in the way of resources for a simple home network. What bumped up the hardware requirement was when you started to talk about squid and snort and openvpn etc.

So, squid: I'm hard pressed to suggest running it anywhere at this point, unless you're trying to play with some kind of content filter (which you'll probably just end up giving up on). There's just not much bandwidth to be saved caching HTTP these days, so you're adding complexity and latency for nothing.

Snort: no reason for this to be on the firewall. Put it on a VM on a span port, you can throw as much or as little hardware at it as you want, and experiment with multiple tools more easily. Unless you're trying to IPS, then it needs to be inline. (But on a home network snort IPS is mostly going to just make you sad anyway.)

OpenVPN: hardware requirement for this is heavily dependent on your available bandwidth. Up to around 50Mbps you can keep up with most modern x86 hardware. Up to around 100Mbps you're fine with almost anything that has AES-NI. Beyond that, you need to start looking more closely at the requirements and the CPU specs.

If you keep the firewall as just a firewall the requirements are pretty low. I prefer a standalone firewall configured minimally, because it'll just run forever without needing to touch it or think about it. Putting it on a VM adds complexity, and you have to answer questions like "why isn't the internet working" when you want to futz around with the VM server. Heck, if you don't want to agonize over hardware and have modest bandwidth requirements you can just get SG-1000 microFirewall pfSense® Security Gateway Appliance from the pfsense store and be done with it.

Anyway, you need to figure out what you're trying to do
Well, as I said, I would prefer a dedicated box. But when I started adding up the costs, everything is at least $400 it seems. My connection is 150/150 Mbps. I will definitely be using VPN. Squid, snort, etc. were just examples when I said I wanted it to be able to handle apps. I don't have experience yet with pfSense, which is why I'm doing this. I want to learn and play with the different options, features, apps, and so on.

It was already my intention to build a virtual host after this project. I was looking at the Xeon D-1528 and D-1541 and started wondering if it would just make more sense at this point to virtualize pfSense. Though, I agree with you completely that every time I want to do maintenance it would be taking the internet connection down, though you could technically migrate it to another host prior to maintenance (if there were a second host in a cluster).

Anyway, I was planning to save that for another thread but I got curious.

Dedicated hardware definitely still seems like the way to go, but it kills me that I have to spend so much if I want to play with apps, have three NICs, and support 150 down/up. SG-1000 only has two ports and from what I've read, falls short when put to the test.

Thanks for the info. Much appreciated.
 

Evan

Well-Known Member
Jan 6, 2016
3,346
598
113
If your new server will be always on, making it virtual would be the answer I guess to save $ and get high performance, although it does introduce some complexity, but not so much I feel.

With a 150M connection, and wanting fanless and low power (and under $400), you could also consider the Cisco 5506-X, but just keep in mind the specs, like the smaller Netgate appliances, say they won't go near gig speeds. Also the Firepower services have subscriptions (not too pricey), but the ASA router is licensed forever. I asked Cisco for a demo loan so I can test one but they have not yet provided it, so I can't comment from any experience with these small boxes.
Amazon.com: Cisco ASA5506-K9 Asa 5506X with Firepower: Computers & Accessories

Bit sad about @Patrick's info about Denverton's arrival, not that it actually affects me, and it being a bit crap will save me money and the need to play, haha
 

Geran

Active Member
Oct 25, 2016
332
91
28
39
I'm piecing together a pfSense build to handle 1GB through VPN, so I'm leaning towards the D-1508 with 10GbE NICs in a CSE-505-203B
 

mattr

Member
Aug 1, 2013
120
11
18
I know there is a lot of talk about going ultra low power but at what cost, what's your ROI? How bad are electricity costs in your area?
My requirements for low power are for battery run time and noise. When I first built my system we had several power outages a week. The UPS my network gear is on could run for about 2 days and I had several NUC desktops that would run for 24 hours on battery as well. That way we could still have internet to a couple desktops and mobile devices during power outages.
 

Fodmidoid

Member
Dec 29, 2016
94
0
6
50
Decent for what? A D series Xeon would be great if you wanted a 10 gig firewall, I guess? Even the system the OP is putting together is overkill for a firewall, but he said he wanted to be able to run anything he might come up with on it. For just firewalling up to the hundreds of megabits/s it's hard to beat the APU2 platform for about $150. If you want gigabit VPN then you're gonna spend more. But in general it seems like a lot of people are over-specing their firewalls.
Would you happen to have more information about a complete build for one of these? And can it handle running some apps, including OpenVPN?

I can't seem to find a retailer for these, other than an eBay listing for $200 and mini-box.com for $169. The one that seems like it could work for me and has 3 NICs is the APU2C4. You've got me curious about these but I'm having trouble locating the stuff.

Thanks.
 

namike

Member
Sep 2, 2014
70
18
8
43
I'm running a Zotac CI-323 as a pfSense box (well, technically ESXi is messaged onto it and pfSense is in a VM). Tossed in 16GB of RAM in case I wanted to run other VMs, and a spare SSD.

  • Intel Celeron N3150 (quad-core, 1.6GHz, up to 2.08GHz)
  • Intel HD Graphics
  • 2 x 204-pin DDR3L-1600 SO-DIMM (up to 8GB)
  • Support 1 x 2.5-inch SATA3 HDD
  • 1 x HDMI, 1 x Display Port, 1 x VGA
  • 3 x USB 3.0 Ports, 2 x USB 2.0 Ports

I have a 150Mb cable connection at home and I have no issues with maxing it out. It should also churn out VPNs like a champ with the native AES-NI. Two built-in Realtek NICs (supported by pfSense). It is also silent and doesn't take up a ton of space.
 

mstone

Active Member
Mar 11, 2015
505
118
43
46
Would you happen to have more information about a complete build for one of these? And can it handle running some apps, including OpenVPN?

I can't seem to find a retailer for these, other than an eBay listing for $200 and mini-box.com for $169. The one that seems like it could work for me and has 3 NICs is the APU2C4. You've got me curious about these but I'm having trouble locating the stuff.
I've just bought direct, but there are resellers listed (PC Engines sales). You need the board, a case, and a power supply. They sell small drives, or you can get that as a generic part. It will run OpenVPN, but I don't know that it'll sustain 150Mbps with OpenVPN. (I've never tried.)
 

mstone

Active Member
Mar 11, 2015
505
118
43
46
It should also churn out VPNs like a champ with the native AES-NI.
It's actually not much faster than the APU2 (about 10-15% more crypto at a 60% faster clock rate); the silvermont & airmont systems don't have particularly efficient AES-NI implementations. A braswell with AES-NI is significantly better at crypto than a bay trail without AES-NI, but worse than almost anything else with AES-NI. That doesn't make it a bad solution, people just need to have the right expectations.
 

Evan

Well-Known Member
Jan 6, 2016
3,346
598
113
As a point, looking at geekbench 3 single core AES...
N4200 1135 MB/s
E3940 868 MB/s
N3700 382 MB/s
I3-6100U 3110 MB/s
GX-420CA 1005 MB/s
D-1540 2290 MB/s

I don't know if the figures can be trusted at all and for some use case you will be able to use more than single core but does give an idea that even some with AES-NI can still be weak.
 

mstone

Active Member
Mar 11, 2015
505
118
43
46
As a point, looking at geekbench 3 single core AES...
N4200 1135 MB/s
E3940 868 MB/s
N3700 382 MB/s
I3-6100U 3110 MB/s
GX-420CA 1005 MB/s
D-1540 2290 MB/s

I don't know if the figures can be trusted at all and for some use case you will be able to use more than single core but does give an idea that even some with AES-NI can still be weak.
Yeah, that looks about right, and you can see the big improvement between airmont & goldmont. (Yet another reason I'm waiting for those denvertons to show up.) Goldmont also incorporates SHA acceleration and has better pipelining, so the difference is even more dramatic for real world use like AES-CBC+SHA or AES-GCM than it is for raw AES benchmarking. You can also see why I'm a fan of a silvermont or kaby lake i3 (or even pentium now!) over the D series for a VPN server. :) Especially if you compare the i3-6100 rather than the i3-6100U if you're willing to go all the way up to 50W TDP (more like 5000MB/s).
 

bds1904

Active Member
Aug 30, 2013
271
76
28
Just to remind everyone, with the current OpenVPN build (on pfSense) AES-NI does next to nothing. AES-NI on pfSense really only applies to IPSEC currently.
 

Evan

Well-Known Member
Jan 6, 2016
3,346
598
113
@mstone I tried to pick all lower power CPUs, but you're absolutely right about big TDP i3/i5/i7 or Xeon seeing much higher rates, as does even a D-1521.

Denverton may be really interesting for firewall devices for sure with the soc also supporting 4 x Ethernet. But the wait for some people may be a bit much, seems like there will be significant delays. Also let's see what they cost... on the other hand they will support super common ddr4 rdimm :) so make memory as simple as looking in the spare parts bin almost, which saves system build cost a lot.
 

mstone

Active Member
Mar 11, 2015
505
118
43
46
Just to remind everyone, with the current OpenVPN build (on pfSense) AES-NI does next to nothing. AES-NI on pfSense really only applies to IPSEC currently.
Why do you believe that? OpenVPN on pfsense uses OpenSSL, which uses AES-NI. You may be thinking of the checkbox in the interface which enables AES-NI via cryptodev. That will actually slow things down vs using the default OpenSSL native implementation (don't use it, and it's gone in the 2.4 beta because it confused too many people; note that I think you do need to click it in 2.3 to enable AES-NI for ipsec). I assure you that if you set up the proper environment variables to disable AES-NI in OpenSSL you'd see a significant slowdown in OpenVPN on pfsense (there is no way to do this from the GUI).
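The claim above, that OpenVPN on pfSense gets its AES-NI speedup through OpenSSL and that disabling AES-NI in OpenSSL would show it, can be checked without touching OpenVPN or the GUI. The script below is an added example, not code from the thread or from pfSense: it runs `openssl speed` on an AEAD cipher twice, the second time with the AES-NI CPUID bit masked using the `OPENSSL_ia32cap` mask that OpenSSL documents for disabling AES-NI (`~0x200000000000000`), and reports the speedup. It assumes an `openssl` binary (1.1.0 or later, for `-seconds`) is on PATH when the benchmark is invoked; the cipher name and the one-second run length are illustrative defaults.

```shell
#!/bin/sh
# Added example, not from the thread: compare OpenSSL AES throughput with and
# without AES-NI. OpenSSL honours OPENSSL_ia32cap="~0x200000000000000" as
# "mask out the AES-NI bit", so the second run is the software fallback.
# Assumptions: `openssl` >= 1.1.0 on PATH (for -seconds); CIPHER and
# SECONDS_PER_SIZE are illustrative and can be overridden from the environment.

CIPHER="${CIPHER:-aes-256-gcm}"
SECONDS_PER_SIZE="${SECONDS_PER_SIZE:-1}"

# parse_speed_kbps OUTPUT CIPHER
# Pulls the throughput for the largest block size (last column, in thousands
# of bytes per second) out of the summary table that `openssl speed` prints.
# Prints nothing if the cipher row is absent.
parse_speed_kbps() {
  printf '%s\n' "$1" | awk -v c="$2" '
    $1 == c { v = $NF; sub(/k$/, "", v); print v; exit }'
}

# speedup_percent FAST SLOW
# Integer percentage by which FAST exceeds SLOW (2000 vs 500 -> 300).
speedup_percent() {
  awk -v f="$1" -v s="$2" 'BEGIN { printf "%d\n", (f - s) * 100 / s }'
}

# One timed run with the CPU's real capabilities.
run_speed_with_aesni() {
  openssl speed -seconds "$SECONDS_PER_SIZE" -evp "$CIPHER" 2>/dev/null
}

# Same run with the AES-NI CPUID bit masked, forcing the C/assembly fallback.
run_speed_without_aesni() {
  OPENSSL_ia32cap="~0x200000000000000" \
    openssl speed -seconds "$SECONDS_PER_SIZE" -evp "$CIPHER" 2>/dev/null
}

# Runs both measurements and prints the comparison; returns 1 on any problem.
benchmark() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  with=$(parse_speed_kbps "$(run_speed_with_aesni)" "$CIPHER")
  without=$(parse_speed_kbps "$(run_speed_without_aesni)" "$CIPHER")
  if [ -z "$with" ] || [ -z "$without" ]; then
    echo "could not parse openssl speed output for $CIPHER" >&2
    return 1
  fi
  echo "$CIPHER with AES-NI:    ${with} kB/s"
  echo "$CIPHER without AES-NI: ${without} kB/s"
  echo "AES-NI speedup: $(speedup_percent "$with" "$without")%"
}

# Only benchmark when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
  benchmark
fi
```

Invoke it as `sh aesni_check.sh run` on the candidate firewall box (or any machine with the same CPU). A large gap between the two numbers is the speedup OpenSSL-based software such as OpenVPN already gets from AES-NI; a small gap on a chip that advertises AES-NI is the "weak AES-NI" situation the Geekbench list above hints at, which matters when sizing a box for VPN throughput.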
 

mstone

Active Member
Mar 11, 2015
505
118
43
46
@mstone i tried to pick all lower power cpu's but your absolutely right about big tdp i3/i5/i7 or Xeon seeing much higher rates, as does even a d-1521.
The key is the AES bytes/s/$--those kaby lake pentiums & i3's blow the others out of the water on that metric. If you're trying to do a bunch of other things on the box then adding a bunch of cores may be important. But for a limited number of functions on a dedicated system it's really hard to justify the price premium of the bigger CPUs. (Things change for 10gbe with the integrated part on the D series--if you're planning 10gbe.)

Denverton may be really interesting for firewall devices for sure with the soc also supporting 4 x Ethernet. But the wait for some people may be a bit much, seems like there will be significant delays. Also let's see what they cost... on the other hand they will support super common ddr4 rdimm :) so make memory as simple as looking in the spare parts bin almost, which saves system build cost a lot.
There's only one denverton on intel's site so far, but check the recommended customer price: Intel® Atom™ Processor C3338 (4M Cache, up to 2.20) Specifications

Assuming that holds as denvertons hit market, they may have finally figured out the pricing. It never made sense that with silvermont it was cheaper to buy a J series and just ignore the GPU that took up half the die than it was to buy a small C series without the GPU. Compare the C3338 to the C2350 and it's exactly what the low end network device market needs to get a kick in the pants. Big question is whether intel drags it out so that by the time people can actually get them they're no longer interesting (which is basically what happened to avoton).
 

mstone

Active Member
Mar 11, 2015
505
118
43
46
What about the SUPERMICRO X11SBA-LN4F running a N3700?

IPMI, AES-NI, good PCIe, quad 1Gb NICs
See above about actual AES-NI performance on airmont. It was a decent chip two years ago, and it isn't a horrible choice--but I'd rather not buy into that architecture in 2017. Compare to the N4200 at the same recommended customer price: the apollo lake will be maybe 50% faster generally, something like 300% faster for crypto (better AES and even SHA acceleration), and adds goodies like vt-d. If you can wait, that's a lot to ignore.
 

Fodmidoid

Member
Dec 29, 2016
94
0
6
50
I think I have finally decided to go with an i3 build. Here's what I have so far (PIC below), but could use advice for storage and a power supply. Will a Pico psu work with this, or am I better off with something else? Any thoughts on the other parts I picked out, including ram?

Also, I need to install a LAN card for an additional Intel NIC. I want three all together so I can have a DMZ and this board only has two.

Thanks a lot everybody. I'm excited to finally order the parts and get started!
 

Attachments


Geran

Active Member
Oct 25, 2016
332
91
28
39
I think I have finally decided to go with an i3 build. Here's what I have so far (PIC below), but could use advice for storage and a power supply. Will a Pico psu work with this, or am I better off with something else? Any thoughts on the other parts I picked out, including ram?

Thanks a lot everybody. I'm excited to finally order the parts and get started!
You should return the case and get this: M350 enclosure with picoPSU-80 and 60W adapter. It has the case and PSU included and will use pretty much no power.

If you need a little more power than 60W, here is one with 150W: M350 Enclosure WITH PICOPSU-150-XT and 150W Adapter KIT