4100/6100 Base or Max
-
Thank you @dennypage for having a look!
@dennypage said in 4100/6100 Base or Max:
I don’t really see much of a drop off in your graphs. Wire and Active are the most important measures, and there isn’t that much change there. Inactive (allocated but not being used) drops a bit, but that isn’t nearly as important.
Free goes up from 13 to 36 after stopping pfBlocker. I figured that is a lot, but maybe I need to learn more about memory management.
Are you using DNSBL? If so, are you using Python mode?
Unbound mode
Thanks,
-
@Cabledude said in 4100/6100 Base or Max:
Unbound mode
Why ? can you motivate this choice ?
If it is performance, memory utilization, etc you're after :
NLLab, the authors of Unbound, said themselves : "use Python mode, that's why we've included it".
-
@Gertjan said in 4100/6100 Base or Max:
@Cabledude said in 4100/6100 Base or Max:
Unbound mode
Why ? can you motivate this choice ?
Ummmm…well, how shall I put this. Okay I’ll be honest and say I just left it at its default setting and didn’t notice that the python option existed. Thank you for pointing this out. I will certainly try the python setting now.
Maybe I’ve been too far conditioned to assuming autodetect mechanisms, i.e. to expect the software to select the right version depending on the environment.
However pfSense isn’t quite the “automatic” firewall, it expects us to do research and manually configure the settings most appropriate for our situation or use case.
-
@Cabledude said in 4100/6100 Base or Max:
Maybe I’ve been too far conditioned to assuming autodetect mechanisms, i.e. to expect the software to select the right version depending on the environment.
However pfSense isn’t quite the “automatic” firewall, it expects us to do research and manually configure the settings most appropriate for our situation or use case.
For the most part, the defaults are good and do not require changing. FWIW, pfBlockerNG defaults to Unbound Mode because prior versions of Unbound could crash based upon pfBlockerNG's configuration. This has since been fixed.
-
If you enable pfBlocker with a large number of lists then you will see an increase in CPU usage for a given volume of traffic. pf has to filter against all the list of IPs for pfBlocker auto-rules and that can be non-trivial.
-
@stephenw10 Hi Steve yes I understand that, however this setup is as basic as can be: AdsBasic DNSBL and PRI1 IP lists. The CPU usage is considerable and the CPU graph goes completely flat after shutting down pfblocker. For this reason I am hesitant to get the 2100 as the CPU is the same as the 1100 CPU.
I will try to switch to python mode and see if that makes a substantial difference.
-
@Cabledude said in 4100/6100 Base or Max:
this setup is as basic as can be: AdsBasic DNSBL and PRI1 IP lists
Just for reference, the PRI1 IP list is currently 93,947 entries, and the AdsBasic list is a whopping 202,613 entries.
FYI, All the Steven Black lists are pretty large... You might want to consider switching from AdsBasic to Ads. The Ads list is only 9,621 entries, but it hits all the high points.
Edit: EasyList Privacy is another good list at 50,231 entries.
-
Obviously it will only be additional load when traffic is passing and opening new states. Or when it has to reload the ruleset or update the lists.
If it's just idling without any traffic that shouldn't show any significant extra load.
-
To remove the 'pfBlockerng' load :
( A DNSBL example - I don't use any IP list)
because : most, if not all, of the work of pfBlockerng is : collecting / scanning the log files, and making nice charts, graphs etc.
But, after some testing and observing, and you're sure it works, why not silence all this stuff ?
I'm using a 4100 MAX - it's doing 'close to nothing' when I look at the CPU stats :
or these stats. Check also the 'DNS stats'.
-
@Gertjan
Have you ever measured your 4100’s power draw from the wall socket?
-
@Gertjan said in 4100/6100 Base or Max:
NLLab, the authors of Unbound, said themselves : "use Python mode, that's why we've included it".
So I switched to Python mode.
I started with the smaller Ads list but I added the IP PRI1 list and the worst of the GeoIP lists just to see what that would do to CPU:
This is the graph now:
Which is to say there is less CPU activity than when using unbound mode.
Just to add I started with the EasyList but that feed stubbornly won’t load.
[Edit: my bad. EasyList running fine now]
-
@Cabledude You can see the CPU much better if you turn off "processes" (click on the green circle).
-
@dennypage that is pretty neat, never knew about that, thanks!
-
@Gertjan
So here is my CPU graph after switching to python mode, ditching AdsBasic and tweaking the feeds:
Here are my current feeds:
So my feeds list now consists of the entire PRI1 list, a custom ingress list for my home NAS email server (not in use atm), about 6 GeoIP countries and the EasyList.
At this point the CPU load is below 5% average which seems very doable, so I'm swinging back to the 2100 which appears to be quite adequate for this load.
-
When you buy a 'base' rather than a Max it is a trivial task to add a suitable SSD. It would take a number of lifetimes to exceed the physical write life of my NVMe.
You know, I don't think I ever set Python mode... I will have to check and adjust if required.
-
@JonathanLee and to all in this topic:
I decided to give the SG-2100 a chance, mostly based on @JonathanLee 's recommendation and personal experience.
I went with the SSD model.
When I ordered Netgate just released the new SG-2100 with 128GB SSD and my unit in fact came with the larger drive.
No issues so far and idling away at < 3% user util. RAM used 14% of 3388GB.
My ISP upped the cable internet to 400 down / 50 up (from 200/40). Speed tests don't make the SG-2100 sweat.
Power draw 5W steady, peaking to 6W incidentally, on a cheap smart plug in Home Assistant.
I have two weeks to evaluate and if I should prefer the 4100 I can return the 2100 under €25 restocking fee. So far no reason to.
Thanks,
-
@RobbieTT Hello, did you buy the ssd separately? I still couldn’t find a suitable, reliable company. Now I regret that I took it without ssd(. So far I’m only using suricata, I took netgate 6100 base
-
There are lots of SSD options out there (B & M) key, ideally without a DRAM cache. I have Intel Optane in mine - in terms of latency and small read/writes it is way faster than the router could use and has a write-lifetime that will exceed my life remaining!
You don't need a large drive, I ran mine with a 16GB Optane (~ £10) for a bit before using a 64GB (~£50) one:
The 32GB Optane is probably the sweet-spot for pfSense use with Suricata (~£24) when purchased new. I just used the drive sizes I had kicking around. For non-Optane SSD I would go for a 128GB or 256GB drive to get a reasonable lifetime out of it.
-
@RobbieTT said in 4100/6100 Base or Max:
There are lots of SSD options out there (B & M) key, ideally without a DRAM cache. I have Intel Optane in mine - in terms of latency and small read/writes it is way faster than the router could use and has a write-lifetime that will exceed my life remaining!
You don't need a large drive, I ran mine with a 16GB Optane (~ £10) for a bit before using a 64GB (~£50) one:
The 32GB Optane is probably the sweet-spot for pfSense use with Suricata (~£24) when purchased new. I just used the drive sizes I had kicking around. For non-Optane SSD I would go for a 128GB drive to get a reasonable lifetime out of it.
I live in a city where I haven’t found a single ssd pcie key b+m, there is no talk of other parameters. The only available option is yours, MEMPEK1J064GA. I always use suricata actively. ntopng, squid+squidguard, I rarely use it, I may run haproxy in the future.
-
@Stef93 I cannot remember the last time I used a physical store for HDDs or SSDs. Probably not helped by the fact that my 'city' hasn't been the capital of England for a little over 1000 years!