pfSense box NIC question.


KMPLSV

Revamping home network and putting a pfSense box together. I have 1Gbps incoming internet. Aside from future proofing, can anyone think of any reason I'd want more than 1Gbps ports on the NIC if it's only handling incoming WAN? Looking at an i350-t4v4. Some people have said OMG WUT THOSE ARE ANCIENT!

Am I missing something? I realize 10G or more at switch level after firewall would make sense for more speed on LAN, but it's not like WAN can come in at 1G to the firewall and then get spit out to the LAN at, say, 2.5G and offer additional overhead, correct?
 

cesmith9999

There are cable modems that have 2.5gb on the LAN side. I usually turn off the FW from the modem to use my own. If I had one of these connections, I would want 2.5gb at least. There are some WAN connections that are greater than 1gb already.

Speeds are going up. That is certain. If I was to upgrade/rebuild my FW, I would have at least 2 * 2.5gb connections. I would have to also upgrade my internal switches too. That would be part of that plan.

Chris
 

KMPLSV

I appreciate the info, but my original question stands. If incoming WAN speed is capped at 1Gbps right now, what (if any) are the advantages of using a NIC w/ 2.5G ports right now? It can't bring in the WAN at 1Gbps and then spit it out the back to my LAN at 2.5G, correct? Essentially, futureproofing would be the only advantage?

If you're saying, for the sake of futureproofing, you agree with them? I can dig that. I didn't want this to spiral out into my current entire network device chain revamp conversation that has to happen as well, was just trying to start small. But yes, that is a consideration I need to address.

Currently:

CenturyLink 1Gbps fiber at wall from ONT coming in as ethernet ---> R7000 (running FreshTomato, using VLAN tagging and serving as the modem, router, half-assed thrown together firewall, all-in-one, obviously not BEST practice, all ports 1Gbps)

For part of the revamp, I may go:

Shitty CL provided modem/router combo w/ all wifi shut-off, functioning ONLY as modem ---> pfSense box ---> whatever routing/switch I decide on

But I'm veering off course quickly here (which I have a habit of doing), so bottom line, starting w/ the firewall (1st piece of hardware after the modem), you'd go w/ a NIC w/ 2.5Gbps ports? Any you'd recommend in particular?

The recommendations I've gotten have been all over the place; X520, X540, X710, E810, i210/i211, Intel i350-t4v5, but I think some of the people spitting those recommendations out didn't read the part where I'm looking for NIC recommendations for the pfSense firewall box ONLY (where incoming WAN only 1Gbps), not anything after that point yet...
 

Midvalley

Unless I am misunderstanding something, if you just want to provide 2 * 1Gb (WAN & LAN) then it doesn't really matter what NIC you choose that matches that. GbE has been around a long time, maybe just check for BSD drivers to ensure compatibility with pfSense and buy whatever fits.

For reasons you might need more than 1Gb on LAN, maybe if you wanted to do L3 and needed the pfSense box to do your VLAN routing? That would allow up to 2.5Gb (or whatever you buy) switching between VLANs if the CPU could handle it with the WAN traffic.

Otherwise, WAN speeds are increasing. As mentioned, 1.5-2.5Gb is becoming more common for DOCSIS providers, and I know for at least one FTTH provider that is up to 8Gb connections in some larger centers. It's up to you if futureproofing is worth it. If you can get a card for minimal cost and need to change it to support greater throughput in 2-3 years, it's not much of a loss.

Depending on what you are doing with your refresh you could get into all sorts of interesting things like using an SFP+ based card to translate to either fiber or a DAC cable between the router and the switch. But again, that's future stuff for when you know what capabilities you want/have.
 

DavidWJohnston

If your modem's NIC links at 1G, having > 1G won't do anything. If, on the other hand, your modem NIC links at > 1G, but your service package is 1G, then you might get a little more juice over and above 1G that you'd otherwise miss out on.

When I had 1GB/940M fiber (Bell), the modem had a 10G interface, and I could get 1150/1005. So they give a little extra over what the package says. If I only had a 1G NIC I'd miss out on that extra 150/65.

Having a decent NIC with offloading that actually works might reduce CPU usage, and make life easier in other ways.
 

KMPLSV

You guys are awesome. I'm gonna absorb this then get back with maybe a few more questions like how much routing is cool at the pfSense level and what is better to hand off but that may be another subject.

But yes, both the R7000 I'm currently using as a modem and all-in-one and the CL provided shit modem/router are limited to 1Gbps ports.

I appreciate it. Good job deciphering my low brain power, still fasting at the gym, rambling as well!

As future proofing a bit to 2.5G seems worth it, my next question is what do y'all think some good 2.5G NIC card options are? Probably four port and I'll assume RJ45 for now unless I can talk myself into doing a DAC between like Midvalley mentioned but I dunno. I'm gonna start diagramming this later today, not sure if SFP on the pfSense box NIC is gonna be necessary if I want it to hit an SFP 10G switch.
 

Midvalley

There's no right or wrong regarding L3 at the router or in the switch, it's more a matter of best use of the hardware available. If you have an L3 switch capable of line-speed switching of VLANs, do it there. If you have a VLAN-aware L2 switch, then you can do it at the router provided you have the horsepower available to do so.

I haven't looked at 2.5Gb in any great detail, but all the CWWK/Topton/etc (pf/OPN)sense ali appliances seem to be Intel i225 or i226. There are Realtek options as well.

You can also get 10GBase-T SFP+ transceivers that support 1/2.5/5/10Gb link speeds, if that's of interest. Using one of those in a 2 port SFP+ card like a ConnectX3 or X4 for WAN, you could then use DAC/fiber/another 10GBase-T for the LAN link on the other port. That would give greater flexibility and futureproofing, but in this case that means more cost so there needs to be some sort of use case to justify it.