Suggestion for 10gbe
-
I just found out that my ISP can offer me a whoooping 10gbe for the same price as i pay now for 1gbe.
Now i need some new hardware for a pfsense that can handle 10gbe throughput and ive been looking at the following boards.
X10SDV-TP8F = Xeon D-1518 (4/8) 2x10gbe sfp+
A2SDi-H-TF = Atom c3758 (8/8) 2x10gb Base-t
A2SDV-8C-TLN5F = Atom c3758 (8/8) 4x10gbe Base-tThay are all in my budget, they have atleast 2 10gbe ports and im actually leaning towards the d-1518 because it has sfp ports built in and is the cheapest.
But will it be able to handle VPNs (only for remote management and speed doesnt matter), VLAN, IDS/IPS with squid or Suricata, pfBlockerNG? -
You will basically want as fast a CPU as you can get to get close to 10GbE line rate.
I'm not sure anything will do it with Snort. Lot of variables there though.
I can only dream of bandwidth like that! ;)
Steve
-
As @stephenw10 stated, 10Gb is going to take beefy hardware. Use this list as a guide to picking a CPU: https://www.cpubenchmark.net/singleThread.html
Notice there is an i3 in the top 20 that is priced very reasonably - Microcenter has had them on sale under $150 (In store only, stinks if you don't have a Microcenter near you).
Also split the load. Don't run everything on one box. Build the i3 box to do your routing, NAT, firewall and do everything else on a second pfSense instance (DHCP, DNS, VPN, IPS/IDS, etc.). pfSense runs great in a VM and a single interface VM is perfect for running a "services only" instance of pfSense. Or if you have an existing pfSense box, convert it to running all your other stuff and move the routing/NAT/firewall to the new box.
-
there isn't many hardware with a public pfsense release that will do true 10gbe. (minimum packet size)
see: https://forum.netgate.com/topic/132394/10gbit-performance-testing
above is running a faster xeon d-1541 -
The OP in that thread is running a D-1518 which has a slightly faster base clock than the D-1541 but it has no Turbo so the 1541 should be faster for a single thread. It also has half the number of cores. All his cores were being used at 100% in his test too so more probably would have helped.
It would be interesting to compare directly though.
Steve
-
I agree with has been written here so far. As someone who currently uses D-1518 based setup I can confirm that this hardware is capable or moving 10Gbit/s across the firewall even with Snort enabled, but with standard size ethernet packets (e.g. 1500 bytes). As you decrease the packet size, however, the amount of packets you are able to move across the firewall starts to become the limitation. My thread that @heper linked to provides some rough numbers based on some basic testing I did at 10Gbit. I think for an average case usage scenario where you don't see yourself maxing out the a 10Gbit connection regularly, the D-1518 would probably work fine. Otherwise, I do recommend faster hardware as well, both more cores and cores operating at higher frequencies. More cores should help to process the traffic in the NIC queues - for 10Gbit NIC hardware I have seen that it's possible to use up 16 separate queues (and maybe even more). If you are set sticking with Supermicro, here's an alternative suggestion that looks nice, but is probably a bit more expensive (next generation Xeon-D):
https://www.supermicro.com/products/motherboard/Xeon/D/X11SDV-8C-TP8F.cfm
https://ark.intel.com/products/136434/Intel-Xeon-D-2146NT-Processor-11M-Cache-2_30-GHzHope this helps.
-
This post is deleted!