Yet another PfSense Question - Building a box ( quiet/1u/passive'ish )

Discussion in 'Networking' started by Robert Fontaine, Jul 13, 2018.

  1. Robert Fontaine

    Robert Fontaine Active Member

    I have 150 down 15 up with the possibility of 300 down in the near future.
    Currently running my pfsense off of an Optiplex 990.

    I have 2 objectives:
    1) tidy things up and get it in my network rack.
    2) reduce the db's in my dungeon
    => other related solutions to my noise issue may be a network cabinet, moving the cabinet to another room


    I have a couple of startech 1u chassis on order:
    I am thinking either passive cooling or some slow noctua fans for a slight breeze.

    What I am not clear on is the wonderful world of intel cpus (what a mess).
    AES-NI is a requirement on the chip.


    Processor? -
    so Atom, Celeron, I3, Xeon-D, AMD. There seems to be about 10 variations of each over the last 8 years that might work.

    So the question to someone who knows

    What is the best combination of cheap and low-power that will support 300 up/down plus AES-NI that I can configure to be essentially silent in a 1u aluminum box in my network rack?

    Thanks,
    R.
     
    #1
  2. Aestr

    Aestr Active Member

    You've mentioned pfsense and 300/300 so far as requirements. What packages are you looking to run? Do you need/want 300/300 over VPN? Routing 300/300 should be pretty easy for most of the hardware you'd be considering (c2000, i3, etc.), but those other things add up and might restrict your options. A good example of a low power, inexpensive board that can do a lot of what you could ask would be the A1SRI-2558F that has popped up in a few deals recently including this thread.
     
    #2
  3. fsck

    fsck Member

    Are you running snort? budget? There are many, many options.
    I myself have the following box:
    e3-1220 v2
    6GB ecc
    80GB x-25m g2

    running sophos home utm. It's in a supermicro 512 with the blower. I find it to be relatively quiet as my desktop drowns it out.

    Xeon-D's are popular for their 10G connectivity and low power. AMD is not a current favorite.

    Take a look at: PfSense hardware for home router - OpenVPN performance

    I assume AES-NI is a requirement for OpenVPN use, in that case, you'd need decent performance to saturate your connection. AES-NI used to be rare, but it's pretty common on any processor that you'd generally consider running for single thread performance.
     
    #3
  4. Robert Fontaine

    Robert Fontaine Active Member

    VPN is occasional.
    300/15 sadly (at silly prices)
    1 Gig internal network

    Haven't had much luck with VPN providers bandwidth wise. Occasionally have to connect to corporate VPN's for client support. I don't have any need for man in the middle analysis of packets. I am happy enough with list based filtering via DNS.

    Budget isn't a huge concern but I would like to spend to my requirement. i.e. I don't need Gigabit processing, I don't need heavy processing, actual number of concurrent clients being routed on the box never likely to be higher than about 5.

    I do an unreasonable amount of video conferencing from my dungeon and I have a sound gate/compressor to filter out the noise floor in here but anything I can do to reduce the volume is a big improvement in the sound quality of my conferencing.
     
    #4
  5. Aestr

    Aestr Active Member

    Sounds like a C2000 such as the A1SRI-2558F would suit you just fine.

    • Low cost if you can watch for deals on ebay. If new is a requirement you can still get them pretty cheap.
      • It does take DDR3 SODIMMS which are more expensive than full sized RDIMMs, but still can be had for decent prices and for just pfsense you don't need much.
    • Low power and heat means low noise
    • Capable of doing everything you've asked and more
    • 4 gigabit ports in case you want to add additional networks without VLANs
     
    #5
  6. fsck

    fsck Member

    I agree, assuming you can actually get one.
    If you're American, there is still a surplus of Supermicro X9 LGA1155 gear hanging around and you can have a full system with a Xeon v2 (which have AES-NI unlike the i3s) for <200$ USD shipped I believe.

    Depends on how long you want to wait, how lucky you are and how good you are at searching.
    I failed the previous line, thus I ended up with the system I linked in my previous post, having to get it shipped from the states.
     
    #6
  7. Robert Fontaine

    Robert Fontaine Active Member

    I have no interest in lga1155 gear. I am interested in low power, quiet.
    A1SRI-2558F looks just about perfect for my little router.
     
    #7
  8. fsck

    fsck Member

    ASRock J3355B-ITX Intel Dual-Core Processor J3355 (up to 2.5 GHz) Mini ITX Motherboard/CPU Combo - Newegg.com

    Don't forget about consumer netbook-size stuff or about mobile chips. Especially if you want to go completely fanless.

    Free Shipping! 4 Gigabit LAN ports Mini PC Celeron 3215U/Core i3/Core i5 5250 using pfsense as Router/ Firewall, x86 Linux-in Mini PC from Computer & Office on Aliexpress.com | Alibaba Group

    there's literally an endless stream of options. Qotom produces some nice boards for pfsense.
     
    #8
    Last edited: Jul 14, 2018
  9. kapone

    kapone Active Member

    Don't write off 1155 gear because of that. I have several 1155 based systems still, and from a power/performance/cost factor, they can't be beat (with Ebay prices).

    A barebones 1155 motherboard (like the ones from Dell for their Optiplex 3010 series) with an i3 3220/8GB RAM (two sticks)/SSD/CPU fan idles at ~15w (with a decent to good power supply) and is practically silent.

    A slightly more feature rich board like Supermicro's x9 series which include IPMI, dual LAN etc add about 5-7w to that number. Still practically silent.

    I find the upgrade cost/performance from these systems to newer ones to be worse. The newer systems are "technically" more power efficient and offer better IPC performance, but once you're down to under 20w idling, the difference is not worth writing home about.

    Unless there are features of the newer platforms that you absolutely need, there is nothing wrong with used gear, a gen or two older.
     
    #9
  10. nthu9280

    nthu9280 Well-Known Member

    Another option if you are in US. Take a look at the threads on HP T620 Plus thin client that @BLinux posted here in the last couple of weeks or so. They can be had for ~ $120 or less all in. Can do AES-NI, near silent, draws < 20w. It's based on AMD chip. One down side - it's not rackmountable
     
    #10
  11. fsck

    fsck Member

    i3 3220 doesn't have AES-NI. He'd need an i5 or above for it, or a xeon.
     
    #11
  12. kapone

    kapone Active Member

    I was just using an example. An i5-3570s (which does have AES-NI) has almost exactly the same power draw at idle.
     
    #12
  13. mstone

    mstone Active Member

    if it's going in a rack you basically don't care about TDP, you care about power at idle. (the firewall will basically always be at idle) most reasonably modern processors idle within a similar range, so the question is whether, on rare occasions, you'd rather have the fan spin up a bit more so you can run the cpu faster if something unusual happens, or whether you'd rather throttle the cpu to prevent it from running faster. if you're in a passive cooling situation then throttling is a good choice. otherwise, you're basically just saying "I'd rather pay extra to make sure this thing is never fast if it needs it to be". most cpus made within the past few years will hit your performance target (it's not at all high) so just buy what's cheapest.

    people tend to dramatically overthink this "what cpu do I need for pfsense" problem. the only thing to check is aes-ni (for the simple reason that the pfsense people are trying to hurt the chinese firewall appliance vendors) and that's only an issue for really old gear or low tdp bay trail era desktop chips like the j1900 (which you shouldn't be looking at if you can use a fan).
     
    #13
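
Added example (editor's illustration, not written by any poster in this thread): a shell check for the AES-NI requirement discussed above, reading the CPU feature list from either a FreeBSD/pfSense boot log or Linux `/proc/cpuinfo`. The function name `has_aesni` and the sample inputs are constructed for this example; it matches whole feature names, so a flag such as `vaes` is not mistaken for `aes`.

```shell
#!/bin/sh
# has_aesni: read CPU feature text on stdin; exit 0 if AES-NI is advertised.
# Understands two formats:
#   FreeBSD/pfSense boot log:  Features2=0x...<SSE3,...,AESNI,...>
#   Linux /proc/cpuinfo:       flags : fpu vme ... aes ...
has_aesni() {
    awk '
        # FreeBSD: feature names are comma separated inside <...>
        /Features2?=/ {
            s = $0
            sub(/^[^<]*</, "", s); sub(/>.*$/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        # Linux: feature names are space separated after the colon
        /^flags[ \t]*:/ {
            s = $0
            sub(/^[^:]*:/, "", s)
            n = split(s, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample inputs (not captured from real hardware).
SAMPLE_BSD_YES='CPU: constructed sample CPU
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR>
  Features2=0x7fbae3ff<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'
SAMPLE_BSD_NO='CPU: constructed sample CPU
  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT>'
SAMPLE_LINUX_YES='flags : fpu vme de pse tsc msr sse sse2 ssse3 sse4_1 sse4_2 popcnt aes xsave'
SAMPLE_LINUX_NO='flags : fpu vme de pse tsc msr sse sse2 ssse3 sse4_1 sse4_2 popcnt vaes'

for name in SAMPLE_BSD_YES SAMPLE_BSD_NO SAMPLE_LINUX_YES SAMPLE_LINUX_NO; do
    eval "text=\$$name"
    if printf '%s\n' "$text" | has_aesni; then
        echo "$name: AES-NI present"
    else
        echo "$name: AES-NI missing"
    fi
done

# On a real box (paths assumed to exist on the respective OS):
#   has_aesni < /var/run/dmesg.boot   # FreeBSD / pfSense
#   has_aesni < /proc/cpuinfo         # Linux
```
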
  14. Robert Fontaine

    Robert Fontaine Active Member

    My rack is currently about 3 feet from my microphone here in the dungeon so TDP is important as it relates to no spinning fans in a 1u container slot... My bigger source of noise is my damn workstation. Supermicro X9DRG-QF cpu fans never spin down. The noctuas are much better than they were when I had server fans on them but still far too many db's. Going to have to either figure out the IPMI settings or water cool the damn things.
     
    #14
    Last edited: Jul 16, 2018
  15. IamSpartacus

    IamSpartacus Well-Known Member

    If heat/noise is a concern, pick up one of these. They are 100% silent (obviously since fanless) and do an EXCELLENT job of cooling. I have 2 (1 on each side of a 1Gbps Site-to-Site VPN connection that pushes 400-500Mbps through every day) and they don't break a sweat. CPUs stay right around 30C. They aren't cheap, but silence is priceless IMO.
     
    #15
  16. mstone

    mstone Active Member

    In that case, I'd just lose the rack--it doesn't seem like the right tool for the job. Larger cases which can use larger low-RPM fans will run quieter and you won't keep bumping into the fact that rack mount gear typically doesn't have noise as a design factor.
     
    #16
  17. Robert Fontaine

    Robert Fontaine Active Member

    Network rack for network gear. I want a nice quiet 12u up on the wall in a cabinet when done
     
    #17
  18. Patrick

    Patrick Administrator
    Staff Member

    Rohit has a review of the Protectli FW4A as a silent pfSense box almost done. Amazon Protectli FW4A

    Looks fairly good. No moving parts from the pictures.
     
    #18
  19. kapone

    kapone Active Member

    While that's not a bad box, it's "only" clocked at 1.9GHz. In the OP's case, that may be sufficient as he has less than 200mbps internet, but for a faster connection (I have 1gbps symmetric), that may not be enough, depending on what you run.

    Something to think about.
     
    #19
  20. Patrick

    Patrick Administrator
    Staff Member

    If you have a 1Gbps symmetric connection and are running a lot of processing on traffic, you are probably buying something higher-end than a $340 configured node.

    And if you are just doing NAT, DHCP, DNS, and etc, it is still pretty fast. At 200mbps a quad-core Atom will not have an issue.
     
    #20