Powerful Hardware Recommendation Please
-
Hello. This is my first post.
I would like to buy hardware for my home office router in the next month. Rather than focus on minimizing cost, I want sufficient computing power and throughput to:
- Run at near full gigE speeds on the WAN and four LANs.
- Support up to 10 simultaneous VPN connections.
- Run an IPS on each gigE port with robust rule sets.
- Have some remaining horsepower to add Splunk logging, SNMP and some other network monitoring capabilities in the future.
- Low power and heat. Preferably under 30 watts or thereabouts.
- Low noise. Fans are OK if they're not screamers.
I have been looking at the Supermicro A2SDi-8C-HLN4F C3758 Atom motherboard. I've learned that:
- It's new and few people have had their hands on one.
- The four gigE ports on the SoC are not yet supported by FreeBSD, but I intend to drop in an Intel 4-port i350 NIC to get going. I think it's reasonable to expect a working driver to be released in 2018.
- It has Intel Quick Assist but there is no FreeBSD driver yet. QAT might be supported in the future, but I won't hold my breath. If a working driver is released, my VPN performance might significantly improve.
- It is available from Supermicro as a system, but I don't understand why it costs almost $200 more than the chassis and motherboard alone. What am I missing?
I'd appreciate opinions on this motherboard and what other platforms I should consider.
Thanks in advance.
-
If you try searching in Google Shopping for "5019A-FTN4", there is a $730 price.
-
Yes, I noticed that, but the seller has a ResellerRatings.com rating of 1 out of 10 with nearly 300 reviews. They have lots of very unhappy customers. I'll stick with Amazon, Newegg and eBay.
-
Low power is quite a headache.
C3758 is an 8-core like C2758. But C2758 has a low score of 3162 (https://www.cpubenchmark.net/cpu.php?cpu=Intel+Atom+C2758+%40+2.40GHz). C2758 is 20 W, but even a 2-core i3-7100u has a higher benchmark than it.
(Minisys is selling i3-7100u boxes on aliexpress.com.)
A higher-power choice is to use an 8th generation i3/i5 with a consumer-grade motherboard (like the Gigabyte Z370N WIFI mini-ITX), or a 7th generation i5 with a Jetway industrial board (http://mitxpc.com/proddetail.php?prod=RS-NF594Q170).
-
A 30-watt envelope with full 1Gb, plus VPN, plus IPS is probably impossible with any non-ASIC technology for at least the next 5 years.
-
OK, so I have to adjust my expectations. What if I reduced the throughput to 500 Mb and QAT worked? How far would I be from my requirements with a C3XXX solution? How helpful is adding cores and RAM to boost IPS performance?
I looked at the MITXPC system. It tops out at 32 GB of RAM where the Atom board supports 64 GB. How does that affect performance? It has no QAT, but does the more powerful CPU make up for that?
I chose a 1U form factor but that seems to limit me to a single PCIe slot which I would fill with an i350-AM4 board. If I had 2 slots, I could add a QAT card. Is there a FBSD driver for the card that's working well?
I'm not sure if I'm asking the right questions because there are so many variables that I don't have a handle on yet. Maybe I should start with power. How much TDP is it going to cost me to achieve my original requirements? This will be in a rack in a basement room with no air conditioning and a guest bed. It would be best if it didn't sound like a Harrier or melt to slag in the summer. Where should I set my max? 45W? 65W?
-
Don't get a C3xxx series system yet. It's unsupported and either won't work at all or will be limited and buggy for a while.
Also, your case calls for business use, not home let's-toy-with-the-network use. Have you checked https://store.netgate.com/pfSense/systems.aspx ?
Regarding 'home made' hardware, it might be easier getting a 1U rack server with a Xeon E3 series CPU, maybe using SuperMicro's X10 or X11 series hardware. If you want front-access ethernet and serial, they have that too. One of the systems I used before the i5 and i3 based boxes were 'good enough' was a Xeon E3-12xx series CPU with an X10SLV-series ITX board in a SuperMicro 1U case (a very short one; it was smaller/shorter than the HP switches we use) with front I/O (only power was in the back). A small mSATA SSD and 16GB of RAM for plenty of IDS/IPS rules, logging and binaries running 24x7. We added an I2xx series 4-port PCIe card (you'll have to use a right-handed PCIe riser) for a total of six GbE ports. Then we often used two for independent GbE uplinks in a multi-WAN failover and the other four in a LAGG to a switch so that inter-subnet routing could be done relatively fast.
-
OK, I've abandoned the Denverton solution. I'll stick with tried-and-true.
Yes, I looked at the Netgate store, but I saw no specs that quantified performance. If I had to guess, it's probably the two XG-15xx Xeon-D systems that'd be in the running. Anyone here own one? What percentage of line rate do they process when just routing and again when VPNs are running?
Supermicro has an SYS-D5018-FN4T SuperServer with a Xeon D-1541, two 10GbE and two gigE ports. If I add 16 GB of RAM and an i350-AM4 card, will that do it?
-
I have what I believe are similar requirements and am researching a similar setup. Hope you don't mind me adding to this thread.
My environment:
- 3 x LAN (1 Gb each)
  - 1: Physically wired hosts (25-35 hosts, a mix of servers and clients - mostly HEAVY SMB traffic + client web browsing)
  - 1: Wifi - 5 x 802.11AC APs serving 20-40 clients, 3x SSIDs are separated into VLANs for filtering
  - 1: Surveillance - 12x 1440P cameras dual streaming to a NVR, traffic is subnet local, but ad-hoc viewing and management passes through pfSense
- 1 x WAN
  - currently ~300 Mbps down / 50 Mbps up

pfSense usage pattern:
- Static routing 'core' for traffic outlined above
- Traffic filtering across internal segments and WAN
- NAT for WAN
- VPN: OpenVPN mostly for remote management and occasional large file access, typically only 1-3 users
- Misc (DHCP, DNS, NTP, etc.)

Looking to add:
- Suricata (IDS / IPS - looking to run across all interfaces with varying public and custom rule lists)
- SquidGuard (URL filtering)
- ntopng (reporting)

Assuming I want to be able to run at / near line-rate, is the Xeon-D (1541) enough?
I am specifically looking to leverage existing SFP+ ports and migrate to a LACP dot1q trunk of the above 3 'LANs' onto the 'core' switch, which leads me to the server listed earlier (adding a SFP+ card) or looking at the over-the-top 1018D-FRN8T: https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm
The 1018D is getting into the cost territory of a HPE DL360 class server (replace with your preferred flavor), but cooling and noise in the 'LAN closet' (which is close to accurate) is also a consideration, which leads to the Xeon-D options. I 'could' build my own M-ATX/ITX solution, but a commercial solution and rack mount form-factor is preferred.
Thoughts?
-
In my knowledge of Security Onion and Snort, each Snort process handles 200 Mbps on 1 core. Suricata may perform much better with multiple threads than Snort.
-
@wallacebw - please jump in. The more the merrier. I agree that our goals are similar.
I wish someone who knew would comment on the performance difference between pfSense on a D-1541 (8 cores, 16 threads, 2.1-2.7 GHz clock) and on a Core i7-7700 (4 cores, 8 threads, 3.6-4.2 GHz clock).
@newabc - I'm not sure that Suricata is faster than Snort, based on this enlightening paper: Open Source IDS High Performance Shootout. Multi-threaded Snort (3.0) is in alpha release now.
-
@Paul
Thank you for letting us know about the Snort 3.0 alpha.
My knowledge was limited to the stable version which Security Onion provided for a long time.
-
@newabc - I'm not sure that Suricata is faster than Snort, based on this enlightening paper: Open Source IDS High Performance Shootout. Multi-threaded Snort (3.0) is in alpha release now.
You're quoting a paper that's almost three years old; it's completely irrelevant. Snort 3 was in beta 9 years ago, scrapped, and is still in alpha…
-
<snip>Assuming I want to be able to run at / near line-rate, is the Xeon-D (1541) enough?
I am specifically looking to leverage existing SFP+ ports and migrate to a LACP dot1q trunk of the above 3 'LANs' onto the 'core' switch, which leads me to the server listed earlier (adding a SFP+ card) or looking at the over-the-top 1018D-FRN8T: https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm
The 1018D is getting into the cost territory of a HPE DL360 class server (replace with your preferred flavor), but cooling and noise in the 'LAN closet' (which is close to accurate) is also a consideration, which leads to the Xeon-D options. I 'could' build my own M-ATX/ITX solution, but a commercial solution and rack mount form-factor is preferred.
Thoughts?</snip>
Your requirements mirror what I have in production right now. A few months ago I went with the Supermicro 5018D-FN8T and it's definitely more than able to handle the kind of load you mentioned.
It can also easily saturate my 250 Mbps upload using IPSec (haven't tried OpenVPN yet…) with plenty of CPU power to spare.
We had a thread going on there: https://forum.pfsense.org/index.php?topic=128646.15