Pre-purchase SG-4860 questions

pwnell

I have built and used pfSense systems for many years, usually based on an i3 based high clock speed CPU to ensure I get 1Gbps throughput under varying configurations.  I am tempted to get a SG-4860 unit as I like the form factor and finding a decent small case with front facing network ports is a pain.  So I have a few questions:

1. After the initial year of support, am I free to install a stock community image on the device as I would do for a custom built system?
2. Would the Atom 4-Core 2.4Ghz CPU be fast enough to sustain 1Gbps even with OpenVPN / IPSec, and packages running such as ntop?
3. Does the unit support the upcoming 2.5 requiring AES-NI?
4. Is there any reason you would recommend building a custom system rather that purchasing the SG-4860?  Asking since I can build a mITX based i3-8100 4-Core 3.6GHz, 8GB RAM, 128GB SSD, 4 x Intel NIC system for about the same price as the SG-4860.  It will be larger and the ports will be in the back, which is a bit of a pain in my cabinet.

johnpoz

1. Yeah you can put CE on it whenever you want.
2. Not sure on this do not have mine yet.
3. Yes… Listed on the product page. { Future pfSense distributions will have support for QuickAssist. AES-NI support is included.}
4. Me no... Others yes normally based on price.  But you seem to say its comparable in price to your own build.  One thing to keep in mind with your own build. How much power going to pull vs the appliance?  Which changes the price model when your looking 3 or 4 years down the line..  Hope even 5 years down the line of paying extra $ in elec.  Also building your own rig doesn't help out pfsense..

I am hoping to get my sg-4860 sometime in Nov.. I will be testing #2 then.. I only have a 500/50 connection but can always do testing locally for gig performance, etc.

VAMike

@pwnell:

4. Is there any reason you would recommend building a custom system rather that purchasing the SG-4860?  Asking since I can build a mITX based i3-8100 4-Core 3.6GHz, 8GB RAM, 128GB SSD, 4 x Intel NIC system for about the same price as the SG-4860.  It will be larger and the ports will be in the back, which is a bit of a pain in my cabinet.

Supermicro has a bunch of rack mounts with front facing ports (see chassis 505, 513, 515, etc.) If it's not on a rack, I don't understand the distinction between "front" and "back"– just turn it around. The SG-4860 doesn't particularly have front-mounted ports...

Anyway, if you're looking for overall performance you're likely to be disappointed by a dual core rangeley.

belt9

4. Build your own since you're already comfortable doing so.

C2558 is a very poor CPU for OpenVPN, but it depends on how much throughput you need.

In short, Official pfSense products >SG1000 are aimed at businesses, not home users.

Look at the spec sheet, $750 gets you an old C2558 Atom, i350t4, i211t2, 32GB flash storage, 8GB DDR3L, picoPSU, 1 year Gold.

For what you can build on your own with $750…

Supermicro Board
Xeon D-1521
2x10GbE
4x1GbE - Intel
Compact Case
picoPSU
2x4GB DDR4 w/ room for more if you want it
2x32GB SSD in zfs mirror

https://www.newegg.com/Product/Product.aspx?Item=N82E16813182973&ignorebbr=1&nm_mc=KNC-GoogleAdwords-PC&cm_mmc=KNC-GoogleAdwords-PC--pla--Motherboards+-+Server-_-N82E16813182973&gclid=CjwKCAjwpfzOBRA5EiwAU0ccN75hRij3pDZ1CSgacCFvfzvouZcsqFE5DgfmO0PSe0PGpPG24ylm9hoCO4kQAvD_BwE&gclsrc=aw.ds

http://www.mini-box.com/picoPSU-90-100W-power-kit

http://www.mini-box.com/M300-Enclosure-w-Bootable-CF-Reader_2

https://smile.amazon.com/G-SKILL-Ripjaws-288-Pin-Platform-F4-2400C15D-8GVR/dp/B013GHSKR8/ref=sr_1_4?s=pc&rps=1&ie=UTF8&qid=1507814768&sr=1-4&keywords=ddr4&refinements=p_85%3A2470955011%2Cp_n_feature_twenty_browse-bin%3A16158157011

https://www.aliexpress.com/item/KingDian-SATA3-60GB-32GB-16GB-8GB-120GB-240GB-256GB-480GB-SSD-2-5-inch-HDD-internal/32717269281.html?spm=2114.search0104.3.9.akYYY7&ws_ab_test=searchweb0_0,searchweb201602_1_10152_10065_10151_10068_10130_10344_10345_10342_10343_10340_10341_10307_10060_10155_10154_10056_10055_10054_10059_10534_10533_10532_100031_10099_10338_10103_10102_10052_10053_10142_10107_10050_10051_10324_10325_10084_10083_10080_10082_10081_10178_10110_10111_10112_10113_10114_10312_10313_10314_10078_10079_10073,searchweb201603_24,ppcSwitch_7&btsid=39abf7b8-36af-41ae-8e9f-17a5dc223f21&algo_expid=3f7527be-5b34-4585-91a5-8f72a1e258d6-4&algo_pvid=3f7527be-5b34-4585-91a5-8f72a1e258d6

https://www.aliexpress.com/item/Brand-new-PCIe-x4-Quad-port-Gigabit-Ethernet-Network-Card-1000M-I350AM4-Chipset-for-Server-low/32815761581.html?spm=2114.search0104.3.2.ywEX6f&ws_ab_test=searchweb0_0,searchweb201602_1_10152_10065_10151_10068_10130_10344_10345_10342_10343_10340_10341_10307_10060_10155_10154_10056_10055_10054_10059_10534_10533_10532_100031_10099_10338_10103_10102_10052_10053_10142_10107_10050_10051_10324_10325_10084_10083_10080_10082_10081_10178_10110_10111_10112_10113_10114_10312_10313_10314_10078_10079_10073,searchweb201603_24,ppcSwitch_7&btsid=76fd7544-cd67-4b73-9a11-f60021b84935&algo_expid=bc167daf-acce-4a70-9555-7e713dcf3fff-0&algo_pvid=bc167daf-acce-4a70-9555-7e713dcf3fff

Not that you need all that, the point is that if you're comfortable with DIY, you will always come out on top - by a massive margin.

The above build uses high-end supermicro board with a xeon and 10GbE NIC's, you don't need that. For hundreds less you can build a SFF Pentium or i3 box with as many NIC's as you need.

You don't need an i3-8100 either, you can if you want but way overkill. Something like a G4560 is probably still major overkill - it certainly blows a C2558 out of the water performance wise.

From a power consumption standpoint - it probably doesn't matter all that much. Anything modern isn't going to pull a ton of power, especially with picoPSU's, SSD's, and modern NICs.
The SG-4860 claims to pull about 7W at idle (which it will usually be idling).
anandtech benchmarked power consumption on a D1540 w/ 4x16GB DDR4 + 128GB Samsung Pro SSD @ 27W idle
The G4560 hit just 24W on a stress test!

So to put those numbers in perspective, at a 20W delta, if you live in America that probably means <$25/yr, if you live in the EU that probably means <$45/yr price increase over 7W on an SG-4860.

http://ec.europa.eu/eurostat/statistics-explained/index.php/Electricity_price_statistics
https://www.bls.gov/regions/midwest/data/averageenergyprices_selectedareas_table.htm
http://www.rapidtables.com/calc/electric/electricity-calculator.htm

So if you build a G4560 system for say, $400 and it has a 20W delta over the SG-4860 (unlikely), and you live in the EU, and you purchase a year of Gold, it will still take you over 5 and a half years to break even on electricity for your more powerful system.

More than likely the actual power delta will be in the 10-15W range and most people in the developed world pay notably less than $0.25/kwH - so most people probably wouldn't break even on power usage for something like a decade+.

Power usage is so commonly highlighted on router builds - but it really is not a significant point for home users with only one system deployed. We're talking about the power difference equivalent to one CFL lightbulb here!
Where it starts to matter is again - with businesses that deploy a large number of systems.

VAMike

@johnpoz:

Future pfSense distributions will have support for QuickAssist

That's been a talking point for literally years. Whether the quickassist on the SG-4860 will ever be utilized is an open question, and not a great reason to pick a particular piece of hardware. (There are different, incompatible, versions of quickassist, and it isn't obvious that a future version of pfsense will focus on old hardware instead of then-current hardware.) It's also not clear that quickassist is going to do much for openvpn performance, which is the thing people seem interested in. (It's known to help ipsec performance, but ipsec isn't generally identified as a bottleneck.) Think of quickassist as a potential unexpected bonus for some day in the future, and don't factor it into current purchasing decisions at all. Buy hardware that will perform as needed with software available today, because you have no idea what the performance characteristics of unreleased software are going to be.

johnpoz

That board looks like nice esxi host… Just need more ram and more space and bigger case..

VAMike

@johnpoz:

That board looks like nice esxi host

Not really; the C2xxx series didn't have vt-d, only vt-x. If you're buying an ESXi host today it makes a lot more sense to go with a goldmont that has vt-d enabled than buy into the older architecture.

pwnell

Thanks for all your opinions… Much appreciated.

johnpoz

Not talking about the C2 series, talking about the D-1521 board you linked too.

Guest

I have built and used pfSense systems for many years, usually based on an i3 based high clock speed CPU to ensure I get 1Gbps throughput under varying configurations.

But under varying configurations means here the raw WAN throughput or am I wrong with this?

I am tempted to get a SG-4860 unit as I like the form factor and finding a decent small case with front facing network ports is a pain.  So I have a few questions:

There are many solutions to fit your needs in any kind of art and wise!

• The SG-4860 is able to get also in a 1U rack mount case with front I/O ports!
• You may also be able to buy the board only and let produce a custom case as
  you may want it in the desktop factor but w/ fron I/O ports! Schaeffer AG
• You may also be able to buy a small 1U dual board case and let only drill the
  front plate or panel as a custom work only on your "special" demands. Case & Frontpanel

1. After the initial year of support, am I free to install a stock community image on the device as I would do for a custom built system?

You are free to do so, but if they offer an ADI image that fits to their boards and came pre tuned I would be aware of
this was to feed any SG-unit.

2. Would the Atom 4-Core 2.4Ghz CPU be fast enough to sustain 1Gbps even with OpenVPN / IPSec, and packages running such as ntop?

I only know one person that was reporting to get with an SG-4860 nearly ~900 MBit/s over a 1 GBit/s symmetric
internet line, but not using PPPoE at all. And something likes ~470 MBit/s over IPSec VPN.
Link

3. Does the unit support the upcoming 2.5 requiring AES-NI?

Yes.

4. Is there any reason you would recommend building a custom system rather that purchasing the SG-4860?  Asking since I can build a mITX based i3-8100 4-Core 3.6GHz, 8GB RAM, 128GB SSD, 4 x Intel NIC system for about the same price as the SG-4860.  It will be larger and the ports will be in the back, which is a bit of a pain in my cabinet.

You must get the hardware to fit your needs and not sorted by brands, the one way is supporting the project and the other
way is supporting your budget and offers more options too.