Upgrading my APU2C4 pfsense box
-
It's time to upgrade my very old APU2C4 pfsense box to something more recent and powerful. I use pfsense with 2 wireguard s2s tunnels, 1 wireguard remote access tunnel, dhcp server, dns resolver (unbound), and want to experiment with suricata. I can buy an HP ProDesk 400 G4 with an i3-7100 CPU and 4GB of RAM for just $75 shipped on eBay but I feel that the CPU is too old, no? I can easily upgrade the RAM to 8GB and add an SFP+ PCIe NIC.
-
Too old for what? It's massively more powerful than the APU. And you probably don't need 8GB of RAM, though it will make playing with Suricata easier.
The only concern I would have is power consumption compared to an APU which will be significantly higher and hence more expensive.
Steve
-
@stephenw10 too old since it's 7th gen. Is it better to go with maybe a 10th gen? Probably a Celeron G5900 or something? I was about to ask power consumption too.
-
Define 'better'.
Are 10th gen CPUs better than 7th gen for a given TDP or clock rate? Yes.
Is a 7th gen CPU more powerful than you could ever need for a pfSense install? Probably!
Also that's not a good comparison. An i3-7100 is superior to a G5900 in every way that matters:
https://www.cpubenchmark.net/compare/Intel-i3-7100-vs-Intel-Celeron-G5900/2924vs3761
Comparing it to an entry level 10th gen i3 would be better IMO.
-
@stephenw10 said in Upgrading my APU2C4 pfsense box:
Define 'better'.
Are 10th gen CPUs better than 7th gen for a given TDP or clock rate? Yes.
Is a 7th gen CPU more powerful than you could ever need for a pfSense install? Probably!
Also that's not a good comparison. An i3-7100 is superior to a G5900 in every way that matters:
https://www.cpubenchmark.net/compare/Intel-i3-7100-vs-Intel-Celeron-G5900/2924vs3761
Comparing it to an entry level 10th gen i3 would be better IMO.
I see. It's probably a wash with pfsense when choosing these CPU's.
Yeah, I wasn't really comparing both. You brought up a good point about power consumption and so I'm thinking if the G5900 would be more suitable in my use case since the 7100 is more power hungry. Another option is maybe go with a T processor.
-
Yup you will save some power with a 'T' variant but probably not as much as you think. Remember the TDP value merely indicates the size of the cooling solution required and not the actual power consumption of the CPU for a given load. The G5900 actually has a higher TDP than the i3-7100.
The T variant CPUs usually do run cooler at idle though in my experience so if your firewall CPU is mostly idle that counts.
Steve
-
@stephenw10 said in Upgrading my APU2C4 pfsense box:
Yup you will save some power with a 'T' variant but probably not as much as you think. Remember the TDP value merely indicates the size of the cooling solution required and not the actual power consumption of the CPU for a given load. The G5900 actually has a higher TDP than the i3-7100.
The T variant CPUs usually do run cooler at idle though in my experience so if your firewall CPU is mostly idle that counts.
Steve
I see. Yeah, there's really no way to compare the actual power consumption of different CPU's using TDP alone.
The only problem I have with the T variants is that they are mostly on uSFF all-in-one desktops. That's all and good except for the fact that you can't install half-height PCIe NICs on them and I need an SFP+ NIC in there.
Speaking of SFP+ NICs, which are known to work flawlessly with pfsense? Mellanox ConnectX-3's? I'm reading that the Intel SFP+ NICs are picky with transceiver modules.
-
The Mellanox NICs, particularly the older ones, present strangely in pfSense. I have one I bought just to test and whilst I did get it working it was always odd. Hard to recommend it.
The ix supported Intel NICs, so X500 series, are still what I'd recommend.
Bear in mind that either of those NICs probably use as much power as the APU just by being in the system.
Steve
-
@stephenw10 said in Upgrading my APU2C4 pfsense box:
The Mellanox NICs, particularly the older ones, present strangely in pfSense. I have one I bought just to test and whilst I did get it working it was always odd. Hard to recommend it.
The ix supported Intel NICs, so X500 series, are still what I'd recommend.
Bear in mind that either of those NICs probably use as much power as the APU just by being in the system.
Steve
But those Intel NICs are picky with transceivers, correct?
Lol, really? That much power, huh.
-
Well maybe only a dual (or quad) port card.
But, yeah, they have big heatsinks on for a reason.
I have never found the Intel SFP NICs to be that bad, especially in separate cards.
The 10G NICs built into the C3K SoC are more so because of the missing coms lines used to detect the module connection data.
The advice is still to use modules intended for Intel NICs though if you can.
Steve
-
@stephenw10 got it.
Does pfsense prefer more cores? I'm looking at the comparison between the i3-7100 (2 cores, 4 threads) and i3-8100 (4 cores, 4 threads). Will the 8100 have an advantage over the 7100 in pfsense or not at all?
-
Yes. 1 thread per core means far less switching and pfSense can usefully use 4 threads easily given the right NICs. They must support multiple queues.
4 cores uses more power than 2 of course.
And note that the 7100 is actually faster than the 8100 for single threaded applications. So, Snort or OpenVPN for example.
Steve
-
@kevindd992002
Your smaller APU2C2 can be swapped for another APU4D4 or APU6B4 with double the CPU cores and double the RAM. Also low power usage.
Intel 7th gen. CPUs are not worse than others or older ones? What does a firewall do? Pushing packets from a to b.
(LGA 1150) Mini ITX Motherboard ~100 €
Intel i350-4 it is a 4 Port 1 GBit/s NIC ~50 €
Small MiniITX Case with PSU ~50 €
16 GB DDR3 ECC RAM 40 €
Intel Xeon E3-1231v3 4C/8T - 3,40 to max. 3,80GHz
Compex WLE200NX
128 GB mSATA ~40 € (snort / suricata and/or squid)
CPU Cooler 10 €
pfBlocker-ng, Squid & SquidGuard, Snort, ClamAV, apcupsd, HotSpot with voucher and certificates, FreeRadius, Tinc and many others.
It runs whatever you want with pfSense until today!
The CPU is from 2014, RAM was used and cheap.
-
@stephenw10 said in Upgrading my APU2C4 pfsense box:
Yes. 1 thread per core means far less switching and pfSense can usefully use 4 threads easily given the right NICs. They must support multiple queues.
4 cores uses more power than 2 of course.
And note that the 7100 is actually faster than the 8100 for single threaded applications. So, Snort or OpenVPN for example.
Steve
Right, that's what I've been thinking. So if using Suricata (which uses multi thread) and Wireguard (instead of OpenVPN), would you personally pick the 8100 over the 7100?
Also, would an nvmE SSD (with a PCIe to M.2 nvmE converter) make sense with pfsense?
@dobby_ said in Upgrading my APU2C4 pfsense box:
@kevindd992002
Your smaller APU2C2 can be swapped for another APU4D4 or APU6B4 with double the CPU cores and double the RAM. Also low power usage.
Intel 7th gen. CPUs are not worse than others or older ones? What does a firewall do? Pushing packets from a to b.
(LGA 1150) Mini ITX Motherboard ~100 €
Intel i350-4 it is a 4 Port 1 GBit/s NIC ~50 €
Small MiniITX Case with PSU ~50 €
16 GB DDR3 ECC RAM 40 €
Intel Xeon E3-1231v3 4C/8T - 3,40 to max. 3,80GHz
Compex WLE200NX
128 GB mSATA ~40 € (snort / suricata and/or squid)
CPU Cooler 10 €
pfBlocker-ng, Squid & SquidGuard, Snort, ClamAV, apcupsd, HotSpot with voucher and certificates, FreeRadius, Tinc and many others.
It runs whatever you want with pfSense until today!
The CPU is from 2014, RAM was used and cheap.
Yeah, I don't know. I'm still skeptical about going with another APU because of how they are not customizable to an extent, plus the fact that they are more expensive overall compared to getting a lower power SFF desktop on eBay.
-
@kevindd992002 said in Upgrading my APU2C4 pfsense box:
So if using Suricata (which uses multi thread) and Wireguard (instead of OpenVPN), would you personally pick the 8100 over the 7100?
It would probably come down to the cost or availability. There's not much in it in performance terms. What's your WAN speed though? Either CPU is probably fine.
@kevindd992002 said in Upgrading my APU2C4 pfsense box:
Also, would an nvmE SSD (with a PCIe to M.2 nvmE converter) make sense with pfsense?
Drive speed is generally not important in pfSense so probably not.
Steve
-
@stephenw10 said in Upgrading my APU2C4 pfsense box:
@kevindd992002 said in Upgrading my APU2C4 pfsense box:
So if using Suricata (which uses multi thread) and Wireguard (instead of OpenVPN), would you personally pick the 8100 over the 7100?
It would probably come down to the cost or availability. There's not much in it in performance terms. What's your WAN speed though? Either CPU is probably fine.
@kevindd992002 said in Upgrading my APU2C4 pfsense box:
Also, would an nvmE SSD (with a PCIe to M.2 nvmE converter) make sense with pfsense?
Drive speed is generally not important in pfSense so probably not.
Steve
I see. Current Internet speed is 800/800 but I want to prepare this system for multi-Gig speeds in the near future. As usual, I'm probably overthinking this but I just want to get a system that makes most sense since the price differences are not that big.
Ok, so I'll stick with m.2 sata or sata 3 ssd's then.
-
Ok, so I'll stick with m.2 sata or sata 3 ssd's then.
If you "play" around with squid for caching, IDS and many of its rule sets that must be decompressed, and/or pfblocker-ng with many lists inserted, it might be the best sorted with a greater HDD/SSD like the normal 16GB or 32GB ones.
If you will only run those applications in "small footprint" or less usage then it goes also with the smaller ones.
mSATA and/or M.2 mostly are only better regarding the electric power usage and/or heating inside of your pfSense box.
-
I’m trying to decide if I want to build or buy a Netgate unit. Here is a thread I found interesting as it had some speed tests for various processors under both single and multi core conditions.
This was provided with Lenovo tiny machines in mind but should be a fair reference for others. First post and scroll down to CPU comparisons.
Apologies in advance if cross linking is frowned on.
https://forums.servethehome.com/index.php?threads/lenovo-thinkcentre-thinkstation-tiny-project-tinyminimicro-reference-thread.34925/
-
@kevindd992002
I'm using I3-7130U in my "Qotom firewall boxes" at work (8G Ram .. But usually have 30..60% utilization)
They're powerful enough to do Gbit routing, and I have no performance issues.
For $75, get it ... use it, and when a bigger box (multi Gbit) is needed.
Demote it to Backup/Test box .... And get a better box.
For the time being I'm sticking on 1Gbit at home, as I think the 2.5Gbit/10Gbit switches are too expensive... You can get a vlan capable 8-port 1Gbit switch for $45, no such luck for a "decent brand" 2.5Gb (I won't touch TP-Link)
/Bingo
-
@bingo600 said in Upgrading my APU2C4 pfsense box:
@kevindd992002
I'm using I3-7130U in my "Qotom firewall boxes" at work (8G Ram .. But usually have 30..60% utilization)
They're powerful enough to do Gbit routing, and I have no performance issues.
For $75, get it ... use it, and when a bigger box (multi Gbit) is needed.
Demote it to Backup/Test box .... And get a better box.
For the time being I'm sticking on 1Gbit at home, as I think the 2.5Gbit/10Gbit switches are too expensive... You can get a vlan capable 8-port 1Gbit switch for $45, no such luck for a "decent brand" 2.5Gb (I won't touch TP-Link)
/Bingo
I just pulled the trigger on a $105 Dell OptiPlex 5050 with an i5-7600 CPU, 8GB RAM, and 128GB SSD. I think it's a good deal and would serve me for my needs.
The only concern I have now is which SFP+ NIC to buy off of eBay. I'm reading in another forum that the Mellanox ConnectX-3 (CX312) is a good choice. Another one is the SolarFlare SFN7002 (which needs sfxge_load="YES" to /boot/loader.conf.local, so the driver would load). @stephenw10 do you reckon any issues in adding that to the bootloader to make it work?