Need to upgrade my pfSense firewall Hardware to support 1gbps internet bandwith

[Socrates]

I am in the market for a cpu/motherboard combo that supports 1gbps internet bandwith with IPS turned on with Suricata and pfsense.
Currently I am on Sophos, and Snort is single threaded, when IPS is enabled, it throttles my bandwith from 900mb/sec to 200mb/sec
I am told inorder for snort to work i need a cpu with faster clock speed. Although I have made up my mind to move out of Sophos (dont ask), I am moving out!! Well, let me then say.. I need some firewall metrics through logs on my Grafana Dashboard, and sophos does not support it well. Pfsense does it.

So coming back to my original question, I am looking for a CPU with higher cores, 8 and above, and also has decent clock speed (might move back to Sophos/snort in the future), with atleast 3.0 Ghz and above wiht lower TDP

So I have narrowed my CPU hunt to E5-2690 V2 @ 3.6 Ghz, and 10 cores.
I am told that the CPU is of an old architecture, and is a risk.. just in case if i need support I will end up no where.
Also that the advance features of Suricata might not work with older architectures of CPU?
Well, I am also looking at A2SDI-8C+-HLN4F
A buddy who is into this big time recommends this atom processor big time..
I know it has lower TDP,but the cpu itself is slower.. with lower clockspeed.. thus crippling my plans to move to Sophos in the future (if they do plan to enable multi-threaded Snort).

Please guide.

 

[Patrick]

What about a Xeon E3-1200 or even one of the new Core i3-8300's?

 

[Socrates]

What about a Xeon E3-1200 or even one of the new Core i3-8300's?

Sir these are good. but I am really looking for 8 core and above with lower tdp and ideally little higher clockspeed.
But i do see you have left a review for A2SDI-8C+-HLN4F
Whats ur take on these systems for pfsense?

 

[Evan]

I would go for one of the new CPU’s just a 4 or 6 core E-2100 or E3-1200 very high clock speeds and low power consumption when idle.

The C3000 just does not have the per core IPC you seek for single thread although it’s s nice platform just the same. This is used by a lot of firewalls though...

D-2100 maybe also an option for a compact platform with 10G onboard

 

[Socrates]

I would go for one of the new CPU’s just a 4 or 6 core E-2100 or E3-1200 very high clock speeds and low power consumption when idle.

The C3000 just does not have the per core IPC you seek for single thread although it’s s nice platform just the same. This is used by a lot of firewalls though...

D-2100 maybe also an option for a compact platform with 10G onboard

@Evan thanks.
Can you please link me up to a nice low powered, E-2100 or E3-1200 CPU with atleast 6 core? please?
Also a link for D-2100 would be great.

 

[nthu9280]

 

[Jannis Jacobsen]

I believe this should fit the bill:
PC Engines apu2d4 product file

Cheap too

-j

edit: just read about ips etc etc, that will kill the performance on this I think

 

[Evan]

@Socrates i was doing a search for some deals and remembered only a week ago this was published here..
https://www.servethehome.com/intel-xeon-e-2136-benchmarks-and-review/

Should give a good perspective really on price, power, performance and also some competition.

Usually X11SDV d-2100 I would go to people like wiredzone
Search
If nothing else they give you a feeling for reasonable market prices.

None of these are a bargain for sure. Depening in your network preferences or requirements are in a firewall the d-2100 boards ending TP8F offer 2 x 10GBase-T, 2 x 10G SFP+, 4 x 1GBase-T which can’t be super useful, the 4 core version sits around $600-650 or so, you could build the whole thing in a case, little ram, and a small storage for a grand.

 

[gigatexal]

What about a Xeon E3-1200 or even one of the new Core i3-8300's?

This. Or an i3 7350k overclocked? Only two cores and 4 threads but the IPC would be great and it’ll do 5ghz with a decent cooler. Overclocking Intel Kaby Lake Core i3-7350K - Page 3

 

[mstone]

So you want something with high single core performance because your application doesn't scale across multiple cores, but insist on having at least 8 cores just because?

 

[MiniKnight]

This. Or an i3 7350k overclocked? Only two cores and 4 threads but the IPC would be great and it’ll do 5ghz with a decent cooler. Overclocking Intel Kaby Lake Core i3-7350K - Page 3

There's the new i3-8350K as well.

STH had an Intel Xeon E-2146G Review posted yesterday. You can see it beats 8 core Xeon D and has much higher IPC for single thread boosting to like 4.5GHz without overclocking.

Maybe pfSense is a case where the E-2136 is better since you won't use the GPU and can save a few bucks.

Cores are good, but high clock 6 cores will be faster than low clock 8 cores.

 

[Waterkippie]

8 core Xeon E-2100 series will come soon, currently the fastest 8-core on the planet is the i9-9900k. No ECC support tho.

If you want that as a Xeon, you will need to wait a couple of months.

 

[EffrafaxOfWug]

So you want something with high single core performance because your application doesn't scale across multiple cores, but insist on having at least 8 cores just because?

Indeed. What's the requirement here for so many cores? Suricata might multithread better than snort (pretty sure it does but it's not something I've tested extensively) but the limit on these things is always single core performance.

I am in the market for a cpu/motherboard combo that supports 1gbps internet bandwith with IPS turned on with Suricata and pfsense.
Currently I am on Sophos, and Snort is single threaded, when IPS is enabled, it throttles my bandwith from 900mb/sec to 200mb/sec

Perhaps I missed it somewhere, but what's your existing hardware? It would give us an idea of what horsepower would be needed to get your existing software environment from 200Mb/s to 1000Mb/s (assuming you didn't mean millibits). Given the apples and oranges before/after, have you also tried pfsense + snort/suricata on your existing hardware yet to see what performance in that environment will be?

 

[kyo77]

When I initially setup my pfsense box I did some testing with snort and I was able to push about 700mbs to 800mbs with openvpn. The throughput was limited by openvpn I never tested snort alone and I don't recall the cpu usage . Also during my testing I added squid and antivirus scanning with no effect on throughput latency increased slightly though. All this was done on an intel i3-7350k.

As Waterkippie recommended the i9-9900k will probably give you the highest possible performance for your use case.

 

[EffrafaxOfWug]

the i9-9900k will probably give you the highest possible performance for your use case.

...as well as the largest possible hole in your wallet.