Choosing Hardware For pfSense
-
Hi all,
I wanted to ask the community for some help/opinions as I'm trying to choose between two hardware options for a pfSense deployment.
Option 1: Intel Atom C3958 based system; 16 cores @ 2 GHz, includes QAT support; 31W TDP
Option 2: Intel Xeon D-1718T based system, 4 cores (8 threads) @ 2.6 GHz (3.5 GHz Turbo), includes AVX-512 support; 46W TDP
Additional Information:
- Multi-gig fiber WAN connection (currently 2Gbit/s; but may increase to 5-10Gbit/s in the future)
- In terms of packages, IPS/IDS will not be required, but pfBlockerNG will be used
- Both OpenVPN and Wireguard VPNs will be used
- Approximately 100 connected devices
At a high level I think both these systems have enough power to meet the requirements above, but is one better than the other? Is the Xeon too much power and the Atom would suffice? Or, is the Atom pretty dated hardware at this point and it's best to just go with newer options?
Thanks in advance for your help and insight.
-
@tman222
If you're not using PPPoE for WAN, both systems may seem like overkill. In my opinion, the Xeon will provide better performance, even with fewer cores.
-
Mmm, for 2Gbps PPPoE indeed.
-
@tman222 said in Choosing Hardware For pfSense:
hardware options for a pfSense deployment.
Start by reviewing these devices, and the performance they achieve. https://www.netgate.com/pfsense-plus-software/how-to-buy#appliances
Other devices will not be as optimised so you will need higher spec hardware.
-
Thanks everyone for all your help. I did look at some performance characteristics of similar systems and compared the two CPUs. I get the impression (via some quick back of the envelope calculations) that the Atom C3958 would overall be able to move more packets due to having 16 cores, but the Xeon D will move more packets per core.
For overall scalability (i.e. as network grows over time) would one be better than the other (i.e. more slower cores vs. fewer faster cores)? I suppose if there are a smaller number of clients requiring high throughput (i.e. a few fast flows), having fewer, faster CPU cores might be better vs. a large number of clients sharing the same bandwidth (i.e. a large number of slower flows), more CPU cores (even if slower) might be better.
How does IPsec-MB support on a multipurpose CPU like the Xeon D compare vs. QAT support of that generation of Atom CPU (i.e. Atom C3000 series)?
Thanks again for your help and insight.
-
Is it PPPoE? If so that can only use one CPU core in FreeBSD/pfSense currently so you need a CPU with good single thread performance.
-
@stephenw10 said in Choosing Hardware For pfSense:
Is it PPPoE? If so that can only use one CPU core in FreeBSD/pfSense currently so you need a CPU with good single thread performance.
Hi @stephenw10 - no PPPoE, just a regular fiber connection. The other thing I was wondering about too is if having more cores would benefit packet processing since most fast network cards these days support a large number of RX/TX queues, which could then each be handled by a separate CPU core. Thanks again.
-
@tman222
The Atom C3958 is capable of handling 10-20 Gbit/s for NAT, while the Xeon D-1718T can handle around 20-30 Gbit/s. Both are overkill for 2 Gbit/s tasks. For simple NAT with many parallel queues, the Atom is better, but for tasks involving DPI and NAT, the Xeon performs better.
-
@w0w said in Choosing Hardware For pfSense:
@tman222
The Atom C3958 is capable of handling 10-20 Gbit/s for NAT, while the Xeon D-1718T can handle around 20-30 Gbit/s. Both are overkill for 2 Gbit/s tasks. For simple NAT with many parallel queues, the Atom is better, but for tasks involving DPI and NAT, the Xeon performs better.
Thanks @w0w - could you share some more details on how you came up with those NAT numbers for each of these processors? I looked on the Netgate appliances page and just extrapolated the firewall performance based on the 6100/8200 for the Atom C3958 and the 8300 for the Xeon D-1718T. This led to a number closer to 30Gbit/s for the Atom and closer to 20Gbit/s for the Xeon. However, perhaps my calculations were too simplistic / not comprehensive enough. Thanks again.
-
I'd be surprised to see numbers that high to be honest.
There is some scaling with more CPU cores but not everything. For example most NICs can use 4 or 8 queues but not 16.
But, yes, if you don't have PPPoE then either should be fine for 2Gbps.
-
Hello, good afternoon. Why not try the new official Netgate appliances? At the company where I work we bought one, and it has worked out quite well for us.
-
@tman222 said in Choosing Hardware For pfSense:
D-1718T
It depends on the topology, board design, and the ethernet card itself. Some cards can be expensive, you know.
https://www.servethehome.com/supermicro-x12sdv-4c-sp6f-review-25gbe-and-intel-xeon-d-1718t/3/
For example, 2x25Gbit Ethernet. I'm not claiming that my opinion is 100% correct, but those numbers should be achievable. However, I haven't tested it myself.
-
hi all,
looking at a refurbished Dell Optiplex 7010 as a new pfSense platform.
Will be looking at a couple of them... some with Proxmox for other purposes also / clustered,
for pfSense,
- what's the Intel chip that is best supported for 2.5GbE.
- Also want to look at a dual port SFP+ card, Intel chip recommendations.
G
-
@georgelza said in Choosing Hardware For pfSense:
what's the Intel chip that is best supported for 2.5GbE.
Intel made the i225 and i226 in several variants. The i226 uses less power. The early revisions of the i225 had issues with spontaneously losing link.
@georgelza said in Choosing Hardware For pfSense:
Also want to look at a dual port SFP+ card, Intel chip recommendations.
Hard to beat the x520 IMO. What do you plan to use it with though?
Steve
-
@stephenw10
will fit 1 x dual port 2.5GB and 1 x dual port SFP+
the 2.5's will be used initially,
1 to fiber provider ONT
1 to Unifi switch
to be later replaced with 1 x SFP+ to fiber provider and 1 x Unifi switch.
My NAS will also get a 2.5GbE card and the additional machines that will go into a Proxmox cluster that will run an EKS cluster and various other VMs.
The pfSense will be redeployed onto the Dell, with i5 CPU and 8GbE RAM.
looking at the 7010 atm, but might look for something i5 but smaller that can take the 2 cards. that use less power.
the Proxmox cluster will be 4 x 7010's, the unit's i can get is 8GbE and 500GB SSD, will initially take as is, but upgrade to either 16 or 32GB RAM.
storage will be from the NAS.
Might have some 4TB HDD becoming free, replace the 4TB's with 8 or 10TB's in the NAS. so they can be local storage in the Proxmox nodes.
G
-
So using the SFP+ ports at 10G? And with fiber SFP modules?
-
As a start the dual port 2.5Gb i226 will be the in port from Fiber provider and out to core.
Then that will be migrated/replaced via the Fiber plumbing.
10GbE SFP+ based as that is what the Unifi switch has as uplink port.
So as a start I will still come into the pfSense via the 2.5GbE port, but go out to Unifi Core switch via the SFP+ port/fiber.
Plan is to have the input into the pfSense also go SFP+ fiber based.
G
-
Should be fine then. Where people usually run into issues is trying to use an SFP port at 2.5 or 5G. Or even at 1G with a module that doesn't offer it.
-
Not to worry
Know dif between 2.5 GbE that can run over cat 5+ copper
SFP which is 1 GbE based fiber and
SFP+ which is 10GbE based fiber.
G