Hardware recommendation?
-
I ran some tests on my X750e; you may have read the results already. It had a replacement CPU in it, a Pentium-M at 1.5GHz.
It achieved around 50Mbps VPN traffic: http://forum.pfsense.org/index.php/topic,20095.msg166634.html#msg166634
and could potentially do ~650Mbps between interfaces. That would be plenty to max out your WAN connection with VPN traffic but it would restrict your internal traffic between your LAN and, say, a DMZ.
Steve
-
Yeah that would be as much as I would use.
So one of the questions I am wondering now is whether I need gigabit interfaces on the firewall.
The other thing I am wondering is whether a single core is really enough. Based on what you are saying I am thinking I might want to invest in a dual core platform for extra headroom. Plus there are only a few e series fireboxes on eBay and they are just out of my budget, which is around $100 to $120.
-
What about a firebox peak x5500e? Would that be enough power?
What are the specs of the peak e series boxes?
Update
I also found an x550e just now.
-
The peak-e series are almost identical to the core-e series. They have the same motherboard and chassis and hence the same NICs. The differences are they have a faster CPU, 2GHz Pentium-M vs 1.3GHz Celeron-M, more RAM, 1GB vs 512MB, and they have an additional crypto accelerator card with big impressive looking chips on it! Those things are worth almost precisely nothing if you're running pfSense. ;) The extra RAM is useful but memory is dirt cheap these days anyway. The CPU is 533MHz FSB and isn't correctly supported by the est(4) driver so you can take advantage of speedstep. The crypto card is not supported (no surprise there) but worse than that it throws continuous errors if you leave it in.
On top of all that they cost a small fortune when new and people are reluctant to sell them for a realistic price.
I have several of these boxes and haven't paid more than £50 and that was the X5500e which probably wasn't worth it. ::) More recently there have been some XTM5 boxes on eBay (in the UK) which sold very cheaply. They are still current though so have real value.
Steve
Edit: I just had a look on eBay.com and people seem to be asking for crazy money, $1000 for an x750e. :o
-
When you mean the crypto card you are NOT talking about the Nitrox right?
The reason I ask is I just made an offer on an X550e and won it on accident so unless I back out I am stuck with it. I would make the upgrades to it. But it would fit my needs as referred to above, right? And thinking about it now, the number of VPNs is more like 4 MAX rather than 10.
-
The x550e should be fine especially if you swap out the CPU.
The peak-e had an additional and far more powerful encryption accelerator card that I know almost nothing about despite having one right here.
Steve
-
Will the board in the x????-e boxes take the fastest Pentium M in the Dothan series or is it limited to the SL7SM 2.0GHz chip?
-
I've not tried anything faster than the 2GHz CPU that comes in the peak-e. I believe one user tried a 2.1GHz CPU, you'd have to search for that. There is a huge premium to be paid for the fastest Pentium-M chips, those <2GHz are far cheaper but almost as powerful and I mean FAR cheaper. I think I paid £3 for the 1.7GHz chip I'm running now.
The problem is this. The BIOS code in the box does not correctly pass CPU frequency and voltage information via ACPI to the OS. When est(4) was written, presumably whoever was writing it also had this problem, it had included within it frequency vs voltage values hard-coded for the Pentium-M. However, information is only included for those chips with a 400MHz FSB, perhaps because they were released first. I've yet to find a way of telling est what values to use at run time. Thus if you want to take advantage of speedstep, save some Watts and keep the CPU cooler you need a 400MHz FSB chip:
http://en.wikipedia.org/wiki/List_of_Intel_Pentium_M_microprocessors#.22Dothan.22_.2890_nm.29
Steve
-
I am guessing there is no chance of est(4) getting an overhaul? Maybe in FreeBSD 9?
Yeah I see what you mean, I can grab a 2GHz chip for around $15 but the 2.1GHz+ are up in the $50 - $60.
-
It would be more likely that an overhaul of est(4) would actually remove the hardcoded values. They only seem to be there as a workaround for bad BIOS coding. The way this is supposed to work is the BIOS passes information to the OS via ACPI. The BIOS should contain the information for all the CPUs it supports.
The other possibility would be to add the values to the module yourself and recompile it. This probably isn't that difficult but would require some time studying the code. I had thought about doing that myself a few times but the performance increase just isn't worth it IMHO. ;)
Steve