Upgrading my APU2C4 pfsense box
-
The Mellanox NICs, particularly the older ones, present strangely in pfSense. I have one I bought just to test and whilst I did get it working it was always odd. Hard to recommend it.
The ix supported Intel NICs, so X500 series, are still what I'd recommend.
Bear in mind that either of those NICs probably use as much power as the APU just by being in the system.
Steve
-
@stephenw10 said in Upgrading my APU2C4 pfsense box:
The Mellanox NICs, particularly the older ones, present strangely in pfSense. I have one I bought just to test and whilst I did get it working it was always odd. Hard to recommend it.
The ix supported Intel NICs, so X500 series, are still what I'd recommend.
Bear in mind that either of those NICs probably use as much power as the APU just by being in the system.
Steve
But those Intel NICs are picky with transceivers, correct?
Lol, really? That much power, huh.
-
Well maybe only a dual (or quad) port card.
But, yeah, they have big heatsinks on for a reason.
I have never found the Intel SFP NICs to be that bad, especially in separate cards.
The 10G NICs built into the C3K SoC are more so because of the missing comms lines used to detect the module connection data.
The advice is still to use modules intended for Intel NICs though if you can.
Steve
-
@stephenw10 got it.
Does pfsense prefer more cores? I'm looking at the comparison between the i3-7100 (2 cores, 4 threads) and i3-8100 (4 cores, 4 threads). Will the 8100 have an advantage over the 7100 in pfsense or not at all?
-
Yes. 1 thread per core means far less switching and pfSense can usefully use 4 threads easily given the right NICs. They must support multiple queues.
4 cores use more power than 2 of course.
And note that the 7100 is actually faster than the 8100 for single threaded applications. So, Snort or OpenVPN for example.
Steve
-
@kevindd992002
Your smaller APU2C2 can be exchanged for an APU4D4 or APU6B4, with double the CPU cores and double the RAM. Also low power usage.
Intel 7th gen. CPUs are not worse than others or older ones? What does a firewall do? Pushing packets from A to B.
(LGA 1150) Mini ITX Motherboard ~100 €
Intel i350-4 it is a 4 Port 1 GBit/s NIC ~50 €
Small MiniITX Case with PSU ~50 €
16 GB DDR3 ECC RAM 40 €
Intel Xeon E3-1231v3 4C/8T - 3,40 to max. 3,80GHz
Compex WLE200NX
128 GB mSATA ~40 € (snort / suricata and/or squid)
CPU Cooler 10 €
pfBlocker-ng, Squid & SquidGuard, Snort, ClamAV, apcupsd, HotSpot with voucher and certificates, FreeRadius, Tinc and many others.
It runs whatever you want with pfSense until today!
The CPU is from 2014, RAM was used and cheap.
-
@stephenw10 said in Upgrading my APU2C4 pfsense box:
Yes. 1 thread per core means far less switching and pfSense can usefully use 4 threads easily given the right NICs. They must support multiple queues.
4 cores use more power than 2 of course.
And note that the 7100 is actually faster than the 8100 for single threaded applications. So, Snort or OpenVPN for example.
Steve
Right, that's what I've been thinking. So if using Suricata (which uses multi thread) and WireGuard (instead of OpenVPN), would you personally pick the 8100 over the 7100?
Also, would an NVMe SSD (with a PCIe to M.2 NVMe converter) make sense with pfSense?
@dobby_ said in Upgrading my APU2C4 pfsense box:
@kevindd992002
Your smaller APU2C2 can be exchanged for an APU4D4 or APU6B4, with double the CPU cores and double the RAM. Also low power usage.
Intel 7th gen. CPUs are not worse than others or older ones? What does a firewall do? Pushing packets from A to B.
(LGA 1150) Mini ITX Motherboard ~100 €
Intel i350-4 it is a 4 Port 1 GBit/s NIC ~50 €
Small MiniITX Case with PSU ~50 €
16 GB DDR3 ECC RAM 40 €
Intel Xeon E3-1231v3 4C/8T - 3,40 to max. 3,80GHz
Compex WLE200NX
128 GB mSATA ~40 € (snort / suricata and/or squid)
CPU Cooler 10 €
pfBlocker-ng, Squid & SquidGuard, Snort, ClamAV, apcupsd, HotSpot with voucher and certificates, FreeRadius, Tinc and many others.
It runs whatever you want with pfSense until today!
The CPU is from 2014, RAM was used and cheap.
Yeah, I don't know. I'm still skeptical about going with another APU because of how they are not customizable to an extent, plus the fact that they are more expensive overall compared to getting a lower power SFF desktop on eBay.
-
@kevindd992002 said in Upgrading my APU2C4 pfsense box:
So if using Suricata (which uses multi thread) and WireGuard (instead of OpenVPN), would you personally pick the 8100 over the 7100?
It would probably come down to the cost or availability. There's not much in it in performance terms. What's your WAN speed though? Either CPU is probably fine.
@kevindd992002 said in Upgrading my APU2C4 pfsense box:
Also, would an NVMe SSD (with a PCIe to M.2 NVMe converter) make sense with pfSense?
Drive speed is generally not important in pfSense so probably not.
Steve
-
@stephenw10 said in Upgrading my APU2C4 pfsense box:
@kevindd992002 said in Upgrading my APU2C4 pfsense box:
So if using Suricata (which uses multi thread) and WireGuard (instead of OpenVPN), would you personally pick the 8100 over the 7100?
It would probably come down to the cost or availability. There's not much in it in performance terms. What's your WAN speed though? Either CPU is probably fine.
@kevindd992002 said in Upgrading my APU2C4 pfsense box:
Also, would an NVMe SSD (with a PCIe to M.2 NVMe converter) make sense with pfSense?
Drive speed is generally not important in pfSense so probably not.
Steve
I see. Current Internet speed is 800/800 but I want to prepare this system for multi-Gig speeds in the near future. As usual, I'm probably overthinking this but I just want to get a system that makes most sense since the price differences are not that big.
Ok, so I'll stick with M.2 SATA or SATA 3 SSDs then.
-
Ok, so I'll stick with M.2 SATA or SATA 3 SSDs then.
If you "play" around with Squid for caching, IDS and many of its rule sets that must be decompressed and/or pfBlocker-ng with many lists inserted, it might be best sorted with a greater HDD/SSD like the normal 16GB or 32GB ones.
If you will only run those applications in "small footprint" or less usage then it also goes with the smaller ones.
mSATA and/or M.2 mostly are only better regarding the electric power usage and/or heating inside of your pfSense box.
-
I’m trying to decide if I want to build or buy a Netgate unit. Here is a thread I found interesting as it had some speed tests for various processors under both single and multi core conditions.
This was provided with Lenovo tiny machines in mind but should be a fair reference for others. First post and scroll down to CPU comparisons.
Apologies in advance if cross linking is frowned on.
https://forums.servethehome.com/index.php?threads/lenovo-thinkcentre-thinkstation-tiny-project-tinyminimicro-reference-thread.34925/
-
@kevindd992002
I'm using I3-7130U in my "Qotom firewall boxes" at work (8G RAM .. But usually have 30..60% utilization).
They're powerful enough to do Gbit routing, and I have no performance issues.
For $75, get it ... use it, and when a bigger box (multi Gbit) is needed.
Demote it to Backup/Test box .... And get a better box.
For the time being I'm sticking on 1Gbit at home, as I think the 2.5Gbit/10Gbit switches are too expensive... You can get a VLAN capable 8-port 1Gbit switch for $45, no such luck for a "decent brand" 2.5Gb (I won't touch TP-Link)
/Bingo
-
@bingo600 said in Upgrading my APU2C4 pfsense box:
@kevindd992002
I'm using I3-7130U in my "Qotom firewall boxes" at work (8G RAM .. But usually have 30..60% utilization).
They're powerful enough to do Gbit routing, and I have no performance issues.
For $75, get it ... use it, and when a bigger box (multi Gbit) is needed.
Demote it to Backup/Test box .... And get a better box.
For the time being I'm sticking on 1Gbit at home, as I think the 2.5Gbit/10Gbit switches are too expensive... You can get a VLAN capable 8-port 1Gbit switch for $45, no such luck for a "decent brand" 2.5Gb (I won't touch TP-Link)
/Bingo
I just pulled the trigger on a $105 Dell OptiPlex 5050 with an i5-7600 CPU, 8GB RAM, and 128GB SSD. I think it's a good deal and would serve me for my needs.
The only concern I have now is which SFP+ NIC to buy off of eBay. I'm reading in another forum that the Mellanox ConnectX-3 (CX312) is a good choice. Another one is the SolarFlare SFN7002 (which needs sfxge_load="YES" added to /boot/loader.conf.local, so the driver would load). @stephenw10 do you reckon any issues in adding that to the bootloader to make it work?
-
It's hard to recommend anything other than an Intel NIC. I would be looking at something X520 based.
-