Hardware for gbit wan?
-
For a 1Gbps WAN throughput plus accommodating resource intensive packages like Snort and Dansguardian I highly recommend a second generation i7 with 8GB RAM to start. My present dedicated pfSense with 16GB RAM and second generation i5 CPU works fairly well but the CPU run around 35-40% on a good load of constant 50Mbps as I have OpenVPN, Squid, Dans(with clamd) and Snort installed that uses a lot of CPU cycles. PowerD is enabled but on heavy load it uses full power.
I have noticed increased CPU usage with the recent updated Snort version. Plus Dansguardian antivirus scanning takes a toll on the CPU as well. The graph below shows CPU usage for 2 TVs running Netflix HD movies at the same time and some browsing. The "video" network is excluded from Dansguardian so its a pure WAN throughput with Snort (Do not evaluate stream inserted packets against the detection engine… checked)
My viewpoint of the old saying "pfSense will run on old hardware" has changed recently. Yes, it will run on old hardware but very few run just the base image without any packages. Packages have caught up in CPU usage with recent updates. My recommendation for any new user is to start with G530 or i3 as the base and work up the numbers to i5/i7 depending on what kind of packages will be handled by the system.
For your 1Gbps WAN I highly doubt you wont have any packages installed. You need at least Snort sooner or later.
-
To get a better idea of what is needed here I think its important to know how "gigabit" traffic is planned to be pulled on this network. If I were a betting man, I bet this "gigabit" of traffic is going to be going across from this and that computer on the same subnet and same switches. Which means that when doing 2 full disk copies from two SATA drives on computer A to 2 other SATA drives on computer B full tilt at about a gigabit throughput his total CPU load is going to be about .5%
Now, if he has a google gigabit ISP provisioned (I'll bet he doesn't) then yes. Might start needing all that CPU.
Here at the house I have about 10 computers on 3 interfaces and separate subnets and a bunch of VPN running and I never see more than 5% CPU utilization. Of course, I came to my senses long ago about snort. I don't install it.
Even with all the TON of simultaneous Hulu, Steam gaming, X-Box, youtube, VPN, you name it that actually does pass through between LAN and WAN > internet, this box is idling 99% of time. Thats with Dansguardian, squid, clamav scanning everything and tons of SSL being used, openvpn and IPsec. My house just isn't quite a corporation.Here at the house, I use an old AMD 2.5GHZ dual core with 4GB ram and 500 GB SATA HD for cache. All GB interfaces and all Intel there. Most of my traffic, except the VPNs, do an end run around pfsense. It would be quite different story if I had a gigabit INTERNET connection here and 300 employees on that link.
-
Well his original post mentions "hardware that can handle gbit wan, in and out."
What you are mentioning is internal LAN throughput which is handled by the switch and has to do more with the switch than with pfSense. pfSense will barely even look at internal lan to lan data as that's not it's function.. unless you have Snort assigned to internal LAN to scan all data.
My post has been on pure WAN throughput. No one cares what kind of pfSense hardware is there for internal LAN to LAN data transfers as it makes no sense. Your switch CPU is used entirely for that process… unless you have switch ports directly attached to the pfSense router and using it as an all-in-one system. Even then I highly doubt CPU usage will cross anything over 2-3% for internal LAN transfers.
WAN throughput needs CPU cycles.. not LAN. The faster the CPU higher is the WAN throughput.
BTW.. you didn't mention what is your WAN speed :)
-
its gonna be setup in a home enviroment with a few servers, linked together with 3 gigabit switches + the pfsense box, nothing too demanding. What are the advantages with snort over the regular spi(?) firewall?
-
Without Snort your system is just a basic firewall with some advanced capabilities than a Linksys/D-Link router. A basic SOHO router is sufficient in that case. ;)
If there is no thought on extra security and functionality then I guess you can go for an i3 processor. It will serve your needs for a good long time.
-
My opinion on snort is that its a CPU hog. It will absolutely destroy the usefulness of the internet in an environment full of skype, chat, gaming of all sorts etc and especially where you don't want to introduce latency. You, your friends or your kids will be sitting around wondering why some game or application is being such a pain when suddenly one day you realize >snort.
I also think it gives people a false sense of security. If you want more security, separate your play nets and your work nets, physically. -
HA! :D
Snort needs to be configured like any other package. Any blocks through Snort is designed to save you from potential harm. You decide what kind of policies you want to set for you to be safe from them. Of course there are false alerts that you can easily suppress. Make a list of the false alerts for safe keeps that you can use if you reinstall Snort later.
-
If you fill your environment full of gaming, P2P, sketchy downloads, java, flash, active-x and the like and you run snort, its like smoking, while eating a Double Quarter Pounder with cheese and feeling healthy because you order a diet Soda. Quad Core i7 + Snort won't save you. Again - differing philosophy. At least he has choices.
-
9 kids (including my brother's kids ;)) in the house on weekends and now week nights as well due to summer holidays. 7 LED Smart TVs, 7 Blu-rays, 3 PS3s, 2 XBoxes, 2 Wiis, 8 laptops, 7 desktops, 5 high end Servers. My WAN network typically runs at full 50Mbps bandwidth (will move to 75Mbps soon) non stop (P2P downloads at nights) for the entire week/month. Kids playing online games, watching HD movies, downloading, uploading, LAN parties.. etc.
My 5 bedroom house is packed all day these days but I have yet to see Snort being the issue. It was earlier.. definitely.. but I have fine tuned it to work perfectly and the same time ensure my kids and nephews are safe while having fun :)
-
Serious people on main subnet - All unix/linux/bsd variants. Thats one interface. I hold the admin passwords.
Play Time kiddy crap and windows junk all segregated to another interface. Let it get hacked. Its a certainty. I really don't care. I have to wipe those computers every 6 months or year anyway.
Visitors on third interface/subnet. Who knows what those yahoos get up too either. And who cares?
All of them are fire-walled from each other. No two subnets can communicate.
Only the interface/subnet running unix-like OSs with zero games and standard packages can access the PFsense interface.
I don't need Snort. I like segregation better.
If I was admin for an office environment full of windows computers where the idiot users had admin privileges and kept pressing the "OK - Install" button every time they got a pop-up or were burning through all the office bandwidth with P2P, youtube vids, facetime or skyping their GFs, then I'd need snort. Snort is expensive because hardware is expensive.
-
Ha! .. You therefore have a domain and you control all user privileges :).. the admin is the idiot in my network to leave something on for dumb users to install. I lock down everything.
My network is segregate into 5 subnets LAN, VoIP, Video, HVAC, Servers. No guests… don't want anyone accessing my network.. they can use their smartphones.. hehe
Signing out from this thread.. as its going in a different "Snort" direction ;) The OP has enough info to decide on what he needs to get.
-
thanks for all the answers guys. To sum up, an i3 with a fairly low tdp value along with a compatible motherboard and some intel nics will handle pfsense with gbit wan in/out just fine if it doesnt have the snort package installed?
-
Yeah - Since its going to be your internet we are talking about, I'd try to find a mobo with all solid capacitors and a good solid power supply. Gigabyte makes boards like that and so does Asrock and others. If you keep the CPU power requirements low you can get a very reliable power supply in lower watt rating so less $$$. My reasoning is that by the time you need to upgrade, the hardware people are throwing away will be more powerful than the expensive stuff you would buy today. Do pay attention to the type of slots on the board. If it has built in video thats good. Its better to have your NIC cards in PCIe slots than PCI. An empty PCIe x16 video slot can take a cheap 2 port x4 NIC card. Your simi-useless PCIe 1x slots are great for cheap 1 port NIC cards. If they are all Intel, you should be safe.
-
thanks for all the answers guys. To sum up, an i3 with a fairly low tdp value along with a compatible motherboard and some intel nics will handle pfsense with gbit wan in/out just fine if it doesnt have the snort package installed?
It is just perfect.. I have used an i3 with Snort, Squid, Dans(clamd) and pfBlocker. No hiccups.. runs smoothly. It has enough power for even more resource hungry packages.
-
Yeah - I finally saw my dual core Athlon home router go above 5%. Maxed out to 100% :(
Of course, I had to open 2 terminals and run two separate threads of openssl benchmarks to get there… :P -
On the topic of Snort performance, 100/10 Mbps line topped to max with torrent traffic hits full usage on the core running Snort on my G630T (2.3Ghz), meaning that I'm pushing the CPU to it's max performance with Snort. I haven't tested it with a 1 Gbps link on the WAN side so I can't say where the absolute max is with Snort on that CPU.
Even a faster CPU will cap out at 200-500 Mbps range per Snort monitor (Source: http://mikelococo.com/2011/08/snort-capacity-planning/). Meaning that for a 1 Gbps link you will have to somehow divide the traffic into 3-4 streams and have 4 or more cores to handle the load.
But then again, there's no need to run Snort on your home network.
-
so autumn is around the corner and im gonna start ordering stuff, is it safest to go with z77 or maybe even z67? or is pfsense definetly compatible with z87?
-
I might suggest avoiding z87 if it's LGA1150; according to a post in my thread (whereupon I had hastily purchased hardware to replace failing equipment),
All Haswell boards with intel nics come with i21x, this is still not supported in 2.1.
Ivy/Sandy bridge boards with intel will have either 82574L, 82579V and/or 82579LM which will work.If you were intending to use the onboard NIC anyways… if you planned on slapping some PCIe NICs in there, then knock yourself out. pfSense 2.1 booted just fine on a z87/LGA1150 board for me, it just wouldn't detect the onboard NIC (which I required).
-
I have a intel quad nic iam planning to use but i would like to use the built in nics aswell :/