New pfsense router


pedda pedal

Member
Nov 14, 2015
38
0
6
Hi guys.
It's time for a new router.
I've been running my current pfSense setup in a virtual environment together with lab/storage VMs and it's now time to upgrade, and I thought I would run pfSense standalone, not in a virtual environment.
The pfSense setup is pretty basic with 2 OpenVPN servers, DNS server etc.
I've been looking at Intel's Atom options for this:

E300-9A-4C | Mini 1U | SuperServers | Products | Super Micro Computer, Inc.

Will the 4-core version be enough even if I decide in the future to upgrade with a 10GBASE-T card, or should I go for the 8-core version?

Or should I go for AMD's EPYC? E301-9D-8CN4 | Embedded | A+ Servers | Products | Super Micro Computer, Inc.

Or does Intel/AMD have anything new in the works that I should wait for?


I would like your opinions on this!
 

Evan

Well-Known Member
Jan 6, 2016
3,346
598
113
Per core performance on the AMD 3251 is like 3x better, uses a bit more power but not that much. It’s also rather new.

You didn’t say what your connection is and what services you're running. But since you mentioned 10G I am assuming it’s a 1G today? If then the C3000 is at its limits.
 

Mithril

Active Member
Sep 13, 2019
356
106
43
What services are you running? OpenVPN is fairly single threaded per server, so if high performance of those is a consideration you need to focus on single threaded performance.

What are your other goals? How much routing are you doing, mostly just for internet, or lots of inter-VLAN routing? What's your internet connection speed? Is power consumption or noise a big factor for you?
 

pedda pedal

> Per core performance on the AMD 3251 is like 3x better, uses a bit more power but not that much. It’s also rather new.
>
> You didn’t say what your connection is and what services you're running. But since you mentioned 10G I am assuming it’s a 1G today? If then the C3000 is at its limits.

Sorry, forgot to include that, yes 1 Gbps WAN.
That's what I thought also, since Netgate's 6-port gigabit router is based on the C3558, but their 2-port 10Gb SFP+ router is also based on that CPU. Is there a significant difference between 10GBASE-T and 10Gb SFP+ regarding signal processing computing, aka CPU usage?

Also, the AMD is more expensive than the Intel, so maybe that's more comparable to the SuperServer E300-9A, and that one has 10GBASE-T and 12 cores. How does that compare to the AMD option in terms of single thread performance and overall performance?
Then there's the Xeon D platform, how capable is that as a router?
 

pedda pedal

> What services are you running? OpenVPN is fairly single threaded per server, so if high performance of those is a consideration you need to focus on single threaded performance.
>
> What are your other goals? How much routing are you doing, mostly just for internet, or lots of inter-VLAN routing? What's your internet connection speed? Is power consumption or noise a big factor for you?

Not much in terms of services except the basic router ones. 2 OpenVPN instances, no VLAN, but I would like the possibility to do some internal routing in the future.
1 Gb WAN.
Noise is a big factor, but I have a SuperServer E200-9A and solved it by drilling a huge hole in the top and putting in a 140mm fan with a blower-style configuration (with fan filter), and that keeps the system very cool. Thought I would do the same with this configuration if I go the Supermicro mini-ITX route.
 

Evan

C3000 will handle the routing easily.

Where the D-1600/1600 and AMD EPYC 3000 is going to be better is the VPN and IDS/IPS functions.

The issue is what is more valuable to you, lower power and less heat etc or maximum performance.

For me the 4 or 8 core C3000 would do the job fine.

Apparently the A2sdi-8c can idle around 15w which I find amazing compared to the really also good 30w or so for a d-1500 / amd 3000 option.

I have done so many firewalls over the years but recently (kids and content filtering option etc) just went to Meraki. The MX67 is never going to VPN or filter at 1G even though that’s my link speed, I just found I didn’t care enough to run and fiddle with anything else.

So just to add one last thing, D-1500 has lots of options with embedded 10G, either RJ45 or SFP+ out of the box, hard to go past if you want to really do something 10G.
 

pedda pedal

> C3000 will handle the routing easily.
>
> Where the D-1600/1600 and AMD EPYC 3000 is going to be better is the VPN and IDS/IPS functions.
>
> The issue is what is more valuable to you, lower power and less heat etc or maximum performance.
>
> For me the 4 or 8 core C3000 would do the job fine.
>
> Apparently the A2sdi-8c can idle around 15w which I find amazing compared to the really also good 30w or so for a d-1500 / amd 3000 option.
>
> I have done so many firewalls over the years but recently (kids and content filtering option etc) just went to Meraki. The MX67 is never going to VPN or filter at 1G even though that’s my link speed, I just found I didn’t care enough to run and fiddle with anything else.
>
> So just to add one last thing, D-1500 has lots of options with embedded 10G, either RJ45 or SFP+ out of the box, hard to go past if you want to really do something 10G.

Great input!

I can see that the 4-core Atom will struggle with the VPN at 1 Gbit WAN, and then the step from 8-core Atom to AMD/D-1500 isn't too far.

Aren't the D-1500 quite old now?
Are the AMD EPYC compatible with pfSense (FreeBSD)?
 

Evan

Yeah, the D-1500 is kind of old, they launched a small MHz increase version, D-1600.
The D-2100 is a different product and vertically not low power.

Sorry, don’t know if the AMD is compatible, but the Supermicro boards have Intel NIC and seems to work, but no idea on actual support.
 

pedda pedal

> Yeah, the D-1500 is kind of old, they launched a small MHz increase version, D-1600.
> The D-2100 is a different product and vertically not low power.
>
> Sorry, don’t know if the AMD is compatible, but the Supermicro boards have Intel NIC and seems to work, but no idea on actual support.

As I see it, the best option is the 4-core Atom if I can live with slow VPN speeds. You think it will struggle with 100 Mbit over VPN?
The step to 8-core Atom and then AMD/D-1500 is probably not worth it just for the VPN throughput.
 

Evan

IPsec will easily do it.
OpenVPN is more or less single threaded, you will get your 100 Mbit but maybe not a huge amount above that.
 

pedda pedal

> IPsec will easily do it.
> OpenVPN is more or less single threaded, you will get your 100 Mbit but maybe not a huge amount above that.

I can live with that.

How about Snort over 1 Gbit WAN? Last time I ran Snort it used tons of CPU on a 100 Mbit WAN. Is it still very CPU consuming or has it been optimized since?
 

Evan

> I can live with that.
>
> How about Snort over 1 Gbit WAN? Last time I ran Snort it used tons of CPU on a 100 Mbit WAN. Is it still very CPU consuming or has it been optimized since?

Same same, these CPUs will manage a few hundred, but for gigabit speeds you want a high clocked full core CPU to be running full speed.
Suricata is multithreaded as an option; Snort 3.x, which is not yet final (close), is multithreaded as well, but that’s not production ready yet.
 

pedda pedal

> Same same, these CPUs will manage a few hundred, but for gigabit speeds you want a high clocked full core CPU to be running full speed.
> Suricata is multithreaded as an option; Snort 3.x, which is not yet final (close), is multithreaded as well, but that’s not production ready yet.

All right, thanks for your input, cleared things up and made this a little bit easier :)