Netgate Discussion Forum

    Hardware for gbit wan?

    Hardware
      shms

      I am looking for hardware that can handle gbit WAN, in and out. I've been looking at these:
      http://ark.intel.com/products/53492
      http://www.intel.com/content/www/us/en/motherboards/desktop-motherboards/desktop-board-dh77eb.html

      but I am kind of lost in the jungle of CPUs and would like some input.

      Would this handle gbit WAN in/out and throughput to LAN? I don't think I'll be running Snort or any other heavy packages, at least for now.

        jasonlitka

        Gigabit WAN doing what?  Simple Firewall/NAT is trivial for that CPU.  If you're talking about traffic shaping, VPN, Snort, Squid, etc. then you're in for disappointment.

        I can break anything.

          shms

          @Jason:

          Gigabit WAN doing what?  Simple Firewall/NAT is trivial for that CPU.  If you're talking about traffic shaping, VPN, Snort, Squid, etc. then you're in for disappointment.

          Probably just a simple firewall/NAT, maybe some redundancy with another WAN, nothing too heavy. Are there other alternatives?

            kejianshi

            If you are getting it on the cheap, I'd say it will make a nice rig. Throw 4 PCIe 1x Intel NIC cards from eBay in there and you will have a very fast and configurable pfSense. It will probably be complete overkill for your needs for a long time. Plus it's older, so you will probably not be pulling your hair out trying to figure out how to make it compatible. It's more than likely out of the box good to go with pfSense. So, that's good.

            It uses more power than a smaller fanless ATOM board, but I'm assuming you are getting a pretty great deal on your price. Like used?

            (The people who would want a 4 core i7 with 32GB of RAM, 4 Soekris cards, quad 500GB SSDs etc etc etc are doing a bit more than you will care about)

              shms

              @kejianshi:

              If you are getting it on the cheap, I'd say it will make a nice rig. Throw 4 PCIe 1x Intel NIC cards from eBay in there and you will have a very fast and configurable pfSense. It will probably be complete overkill for your needs for a long time. Plus it's older, so you will probably not be pulling your hair out trying to figure out how to make it compatible. It's more than likely out of the box good to go with pfSense. So, that's good.

              It uses more power than a smaller fanless ATOM board, but I'm assuming you are getting a pretty great deal on your price. Like used?

              (The people who would want a 4 core i7 with 32GB of RAM, 4 Soekris cards, quad 500GB SSDs etc etc etc are doing a bit more than you will care about)

              Sounds good to me, and no, I won't be getting some kind of special price. Are there already-made products out there that would work just as well? Perhaps the upcoming Alix board? The old one seems a bit outdated.

                kejianshi

                I don't like Alix.  They have no CPU for much at all.
                If I needed small and fanless (which is a really good way to go sometimes) also, I'd look at something like this.

                http://www.ebay.com/itm/Jetway-5x-Gigabit-LAN-Mini-ITX-NF99FL-525-AD3RTLANG-/400341503353#vi-content

                I would want it with the 3 x Gb LAN Ports (AD3INLANG, Intel 82541PI Gigabit Ethernet Controller) option to keep it all Intel.

                It's all Intel, old enough to have full support and if you also get a reliable fanless power supply for it, it should be absolutely bulletproof.
                This will take full installs, most packages and will run just fine.  Reliable reliable reliable and fast.

                It will cost considerably more than what you initially looked at, will have less CPU but it shouldn't break for no reason.

                  stephenw10 Netgate Administrator

                  You won't get Gigabit throughput from any Atom based board, nor I expect from the new Alix board (though obviously that remains to be tested). You can use a slower, cheaper Sandy Bridge CPU and still achieve 1Gbps; the G530, for example, has been shown to be capable. You are limiting your options when it comes to running packages though.

                  Steve

                    kejianshi

                    Yeah - For someone who apparently didn't jump through hoops checking for hardware compatibility, his first pick looked pretty good to me. I like the relatively high per-core clock too. 3.0GHz should do the trick. (unless you just must have something tiny)

                      asterix

                      For a 1Gbps WAN throughput plus accommodating resource intensive packages like Snort and Dansguardian I highly recommend a second generation i7 with 8GB RAM to start. My present dedicated pfSense with 16GB RAM and second generation i5 CPU works fairly well but the CPU runs around 35-40% on a good load of constant 50Mbps as I have OpenVPN, Squid, Dans (with clamd) and Snort installed that use a lot of CPU cycles. PowerD is enabled but on heavy load it uses full power.

                      I have noticed increased CPU usage with the recently updated Snort version. Plus Dansguardian antivirus scanning takes a toll on the CPU as well. The graph below shows CPU usage for 2 TVs running Netflix HD movies at the same time and some browsing. The "video" network is excluded from Dansguardian so it's a pure WAN throughput with Snort (Do not evaluate stream inserted packets against the detection engine… checked)

                      My viewpoint of the old saying "pfSense will run on old hardware" has changed recently. Yes, it will run on old hardware but very few run just the base image without any packages. Packages have caught up in CPU usage with recent updates. My recommendation for any new user is to start with G530 or i3 as the base and work up the numbers to i5/i7 depending on what kind of packages will be handled by the system.

                      For your 1Gbps WAN I highly doubt you won't have any packages installed. You need at least Snort sooner or later.

                      [Attached image: status_rrd_graph_img.png]

                        kejianshi

                        To get a better idea of what is needed here I think it's important to know how "gigabit" traffic is planned to be pulled on this network. If I were a betting man, I bet this "gigabit" of traffic is going to be going across from this and that computer on the same subnet and same switches. Which means that when doing 2 full disk copies from two SATA drives on computer A to 2 other SATA drives on computer B full tilt at about a gigabit throughput his total CPU load is going to be about .5%.

                        Now, if he has a Google gigabit ISP provisioned (I'll bet he doesn't) then yes. Might start needing all that CPU.

                        Here at the house I have about 10 computers on 3 interfaces and separate subnets and a bunch of VPN running and I never see more than 5% CPU utilization. Of course, I came to my senses long ago about Snort. I don't install it.
                        Even with all the TON of simultaneous Hulu, Steam gaming, X-Box, YouTube, VPN, you name it that actually does pass through between LAN and WAN > internet, this box is idling 99% of the time. That's with Dansguardian, Squid, ClamAV scanning everything and tons of SSL being used, OpenVPN and IPsec. My house just isn't quite a corporation.

                        Here at the house, I use an old AMD 2.5GHz dual core with 4GB RAM and 500 GB SATA HD for cache. All GB interfaces and all Intel there. Most of my traffic, except the VPNs, does an end run around pfSense. It would be quite a different story if I had a gigabit INTERNET connection here and 300 employees on that link.

                        [Attached image: status_rrd_graph_img.png]

                          asterix

                          Well his original post mentions "hardware that can handle gbit wan, in and out."

                          What you are mentioning is internal LAN throughput which is handled by the switch and has to do more with the switch than with pfSense. pfSense will barely even look at internal LAN to LAN data as that's not its function.. unless you have Snort assigned to internal LAN to scan all data.

                          My post has been on pure WAN throughput. No one cares what kind of pfSense hardware is there for internal LAN to LAN data transfers as it makes no sense. Your switch CPU is used entirely for that process… unless you have switch ports directly attached to the pfSense router and are using it as an all-in-one system. Even then I highly doubt CPU usage will cross anything over 2-3% for internal LAN transfers.

                          WAN throughput needs CPU cycles.. not LAN. The faster the CPU, the higher the WAN throughput.

                          BTW.. you didn't mention what is your WAN speed :)

                            shms

                            It's gonna be set up in a home environment with a few servers, linked together with 3 gigabit switches + the pfSense box, nothing too demanding. What are the advantages of Snort over the regular SPI(?) firewall?

                              asterix

                              Without Snort your system is just a basic firewall with some more advanced capabilities than a Linksys/D-Link router. A basic SOHO router is sufficient in that case. ;)

                              If there is no thought on extra security and functionality then I guess you can go for an i3 processor. It will serve your needs for a good long time.

                                kejianshi

                                My opinion on Snort is that it's a CPU hog. It will absolutely destroy the usefulness of the internet in an environment full of Skype, chat, gaming of all sorts etc and especially where you don't want to introduce latency. You, your friends or your kids will be sitting around wondering why some game or application is being such a pain when suddenly one day you realize > Snort.
                                I also think it gives people a false sense of security. If you want more security, separate your play nets and your work nets, physically.

                                  asterix

                                  HA!  :D

                                  Snort needs to be configured like any other package. Any blocks through Snort are designed to save you from potential harm. You decide what kind of policies you want to set for you to be safe from them. Of course there are false alerts that you can easily suppress. Make a list of the false alerts for safekeeping that you can use if you reinstall Snort later.

                                    kejianshi

                                    If you fill your environment full of gaming, P2P, sketchy downloads, Java, Flash, ActiveX and the like and you run Snort, it's like smoking, while eating a Double Quarter Pounder with cheese and feeling healthy because you order a diet soda. Quad Core i7 + Snort won't save you. Again - differing philosophy. At least he has choices.

                                      asterix

                                      9 kids (including my brother's kids ;)) in the house on weekends and now week nights as well due to summer holidays. 7 LED Smart TVs, 7 Blu-rays, 3 PS3s, 2 XBoxes, 2 Wiis, 8 laptops, 7 desktops, 5 high end Servers. My WAN network typically runs at full 50Mbps bandwidth (will move to 75Mbps soon) non stop (P2P downloads at nights) for the entire week/month. Kids playing online games, watching HD movies, downloading, uploading, LAN parties.. etc.

                                      My 5 bedroom house is packed all day these days but I have yet to see Snort being the issue. It was earlier.. definitely.. but I have fine tuned it to work perfectly and at the same time ensure my kids and nephews are safe while having fun :)

                                        kejianshi

                                        Serious people on main subnet - All unix/linux/bsd variants. That's one interface. I hold the admin passwords.

                                        Play Time kiddy crap and Windows junk all segregated to another interface. Let it get hacked. It's a certainty. I really don't care. I have to wipe those computers every 6 months or year anyway.

                                        Visitors on third interface/subnet. Who knows what those yahoos get up to either. And who cares?

                                        All of them are firewalled from each other. No two subnets can communicate.

                                        Only the interface/subnet running unix-like OSs with zero games and standard packages can access the pfSense interface.

                                        I don't need Snort. I like segregation better.

                                        If I was admin for an office environment full of Windows computers where the idiot users had admin privileges and kept pressing the "OK - Install" button every time they got a pop-up or were burning through all the office bandwidth with P2P, YouTube vids, FaceTime or Skyping their GFs, then I'd need Snort. Snort is expensive because hardware is expensive.

                                          asterix

                                          Ha! .. You therefore have a domain and you control all user privileges :).. the admin is the idiot in my network to leave something on for dumb users to install. I lock down everything.

                                          My network is segregated into 5 subnets: LAN, VoIP, Video, HVAC, Servers. No guests… don't want anyone accessing my network.. they can use their smartphones.. hehe

                                          Signing out from this thread.. as it's going in a different "Snort" direction ;) The OP has enough info to decide on what he needs to get.

                                            shms

                                            Thanks for all the answers guys. To sum up, an i3 with a fairly low TDP value along with a compatible motherboard and some Intel NICs will handle pfSense with gbit WAN in/out just fine if it doesn't have the Snort package installed?
