New to pfsense. Hardware and setup
-
Ok I can't find a definite answer to my questions searching so now I'm asking. I want to build a pfsense PC. I want to run something like nordvpn on it. I'm open to recommendations on VPN providers. I currently have FiOS gig internet. I know using a VPN is going to slow my connection but obviously I'd like to do what I can to keep it up. What I plan on buying/building is a Dell t1700sff PC, xeon e3-1271v3 cpu, 16gb ecc memory, 250gb ssd (haven't decided whose yet but I don't think that's a big deal). I'm still looking for the Intel low profile quad port nic that I want. Recommendations for that would also be appreciated. So for the hardware does that all seem up to the task for the speeds I am going to try to get? And on the other side I was once told if I wanted to get good speeds with pfsense and a VPN provider I was going to have to spend a lot of time on setting it up. I know a lot of configurations can probably be made but could someone give me a general guideline on what I might be looking at doing trying to increase speeds? So far I've bought nothing but plan to start this project as soon as I have an idea on what I'm doing.
-
@frankr2994 No one shall hold your hands and walk you to the hardware of your dream...spend some time in the hardware section of the forum and familiarize yourself, then check Lawrence Systems on YouTube.
-
If you're buying a new computer, you may want to look at the Qotom mini PCs. Check my sig for the one I'm running.
-
@nollipfsense didn't ask anyone for a step by step. I'll check out YouTube but I've done a fair amount of reading. I know that cpu will work well. What I don't know is if I can benefit from more. I know pfsense supposedly now works with QAT addon cards. Some of the older cards are at a reasonable price. I could not find anything on what speeds related to using something like nordvpn would be affected by going past just cpu accelerated with aes-ni when just dealing with gig internet. Low profile quad port Intel nics I've found show on Intel ark they were released in 2007. A low profile quad nic would have been something that only came on a blade server and I can't find all that much info on them like what part numbers should I try searching on eBay. So ya a few questions. Once I put something together I'd imagine I'll have more questions but they will be more specific and I'll post them in the appropriate section.
-
@jknott didn't plan on buying new. Dell t1700 are "workstation" pcs that are off lease now. I can get a barebones sff for about 35 bucks. E3-12xxv3 cpus are very cheap and the ecc unregistered memory they ran is again very cheap. Very nice compact little system with better than consumer hardware should be great for running 24/7. Really I planned on putting the PC together for under 200 bucks. Just trying to get the most bang for the buck.
-
I would start by looking at some of the specs on the Netgate devices. I'm not saying "buy one" but you should be able to get an idea of how much CPU and "stuff" you need. Netgate testing may not exactly mirror what you have/want, but I believe they are consistent in the way they test product. I don't recall offhand but they may have performance numbers for VPNs.
Start by looking at the specs for the 5100/6100 series.
-
Most VPN providers use OpenVPN. OpenVPN is single threaded so if you are aiming just for that you need a CPU that has good single thread performance.
You can improve that by using several VPN client tunnels but a single connection will only ever use one of them.
Some VPN providers now support WireGuard which will likely give you better throughput.
What bandwidth is your WAN?
Steve
-
@stephenw10 I think OP said Fios 1gig in the first post.
-
Ah, so he did! Yeah so 1Gbps OpenVPN requires very fast single thread performance. It's unlikely you will see it.
-
Looks like the 5100 and 6100 are close enough in VPN performance to pick either one. They both use Atom cpus, not sure how that compares to the xeon e3-1271v3 cpu you're talking about, but the Atom has "integrated AES-NI and QAT (QuickAssist Technology)" (hardware assist) that speeds up the encryption/decryption bits. To me that would be a factor.
-
@stephenw10 said in New to pfsense. Hardware and setup:
Ah, so he did! Yeah so 1Gbps OpenVPN requires very fast single thread performance. It's unlikely you will see it.
That would depend on the other end. If he's sitting in a coffee shop, he likely won't get 1 Gb.
However, it would be nice if OpenVPN supported multithreading.
-
@mer Any of the cpu options I may use would at least be a quad core with a base speed of 3.5ghz. The 1271 is base 3.6 turbo 4.0. Any of those netgate appliances are 2.2ghz quad cores. They have more instructions it seems. Not sure if I can do an apples to apples comparison. I'd obviously have more memory and more storage. But as far as putting together my own device for a reasonable price I don't think you can do better than a single core speed of 4.0ghz
-
@frankr2994 Check the intel website for the datasheet on your CPU. If it talks about having at least AES-NI that should be good. Encrypting/Decrypting is a lot of math intensive operations, so the AES-NI offloads that work (kind of like offloading to a GPU). That speeds things up. The memory and storage I don't think really matter, it's CPU and NIC throughput that matters (in my opinion).
Worst case you find out for short money what isn't good enough.
-
That older Xeon is a far more powerful CPU, in both senses. It probably still won't pass 1G OpenVPN though, not over a single connection.
-
@mer I knew it had aes-ni since the beginning. Reason why I'd be buying different components vs grabbing some old stuff I have at home. What I touched on earlier is if maybe I should be considering a QAT card as well. Some of the older ones are available for under 150 and are rated at 20 or 25gbps encryption speed which is way overkill. But if the cpu isn't up to the task short of some quad core pumping out 5ghz then that would be my next option.
-
@frankr2994
Cool. I honestly have nothing more than compare to the 5100/6100 and go from there. RAM and storage are irrelevant, NICs become a bit more important.
-
@mer ok then. Still trying to figure out what nic I want. Wouldn't mind future proofing it a bit but I'm not going to drop 400 or 500 on one.
-
@frankr2994 Well your upstream is 1G up and down. So if your internal LAN had all 10G, everything gets throttled to 1G on WAN (now does the throttle happen at your WAN or further into ISP network?) I think that quad 1G Intel is relatively inexpensive and remember it wasn't all that long ago that 56K dialup was common.
I personally don't have any recommendations on NICs, but if you are in US, I'd start with amazon, best buy, tiger direct and new egg. I'm sure there are a lot of other choices but these are at top of my head.
-
Currently the QAT driver/hardware won't help you with OpenVPN.
If you already have that machine then I would just try it and see how it performs.
Steve
-
@stephenw10 said in New to pfsense. Hardware and setup:
Currently the QAT driver/hardware won't help you with OpenVPN.
If you already have that machine then I would just try it and see how it performs.
Steve
That's what I was waiting to hear. Thanks
Ok so what I have planned is to get an intel x540-t2 nic. It's a 10gb dual port card. I can't use 10G at least through my isp but I would assume that this will at least have enough on the controller end to deal with not being a bottleneck. That's a pcie 2.0 x8 card. That will go into my pcie 3.0 x16 slot. I will still have a 2.0 x4 slot available if I wanted to add an intel I350T4 card. I may do this as I don't think my planned area for a switch will be near this box but I may have a server or two near that could use the additional ports.
Not accounting for the I350 nic that I may or may not buy in the future the full build is 280 bucks. I did change from the xeon 1271 to a 1246 to get integrated graphics. base is 3.5 and turbos 3.9 so not too much different and now I don't have to use one of my pcie slots with some little quadro card I have lying around.
Going to get this ordered up and get it going. Thanks for the help.