Fanless gbit pfSense router?
-
Hello, I have been looking at the Intel DQ77KB motherboard with two 1 gbit interfaces and then I found this pre-built box with Core i5-3470T (2.9-3.6 GHz):
http://www.atlastsolutions.com/fanless-thin-mini-itx-pc-core-i5-16gb-128gb-ssd-intel-dq77kb/
Would this be able to route 1gbit full duplex (2gbit?) or would I need a PCIe card for that? http://www.intel.com/content/www/us/en/network-adapters/gigabit-network-adapters/pro-1000-pt-dp.html
-
The two built in ports and the i5 should handle it (one would think).
-
I think that board uses 82579V NICs. I'm not 100% sure that those work in 2.0. You might need to run 2.1.
In terms of "routing", that is a fairly trivial task for a system like this. "Firewall" isn't much harder. If you're including VPN, traffic shaping, squid, snort, etc. then likely not.
-
I think it's two different ethernet controllers, one is Intel 83574L and the other Intel 82579LM. They seem to support some offloading but maybe not as good as others.
It would do routing and firewall/NAT, just for my home, nothing complicated.
-
I think it's two different ethernet controllers, one is Intel 83574L and the other Intel 82579LM. They seem to support some offloading but maybe not as good as others.
I second that.
-
Sorry, I misspelled, it should be Intel 82574L and Intel 82579LM. Anyways, the question is would it route/firewall/NAT 1gbit? With today's hardware is it really important that the NIC is on PCIe like the Hardware Sizing Guidance says? http://pfsense.org/index.php@option=com_content&task=view&id=52&Itemid=49.html
The CPU has AES-NI so it should handle OpenVPN much better than my current Asus router at least.
I'm thinking about buying and building this:
Case: Akasa Euler
Motherboard: Intel DQ77KB
CPU: Intel Core i5-3470T
HDD: Crucial m4 32GB mSATA SSD
RAM: Corsair 8GB (2X4GB), 1600MHz
-
Yes - It will handle it. Get the I5 fast as you can within your power/heat budget. You will enjoy the headroom.
-
Indeed, the hardware guidelines are unfortunately a little outdated. The i5 can very easily firewall/NAT 1Gbps. The lowliest Sandy Bridge CPU like a G530 can manage 1Gbps with plenty of cycles to spare. See: http://forum.pfsense.org/index.php/topic,45439.0.html
I'm not sure of the status of AES-NI support. Last I looked it wasn't working but was being actively worked on. Either way the raw power of that CPU will provide some pretty high numbers for VPN.
Steve
-
Yes - It will handle it. Get the I5 fast as you can within your power/heat budget. You will enjoy the headroom.
And what would the headroom be used for? pfSense can route many mbps of data on a measly P4 or Atom chip!
Unless you're running a large network with hundreds of users, anything more than an i3 is wasted (and wasted for a long time to come).
-
When he starts trying to route "1gbit full duplex" from a WAN through a LAN, with a few packages running you will find out quickly why you need headroom. I guess I could assume that's not what he plans to do, but why would he mention it then?
-
A lot of folks here have a notion that anything above an Atom is waste. It's not all about single or multi threaded. The CPU cycle speeds have a lot to do with the processing as well. Atom was designed for power saving (a couple of yrs back) and still is designed to save power.. no doubt about it. Hey, even Windows runs fairly ok on Atom. i3/i5 is a different breed.. so is Xeon. Not trying to lecture anyone but my point is i3/i5, in certain situations, is a better option to go for than an Atom. An i3 may in fact be more effective in power savings than an Atom. An i5, may be not, but is still very effective.
To Steve's and kejianshi's point, for a gigabit WAN throughput a G530 or an i3 are best candidates. Folks have tested them on 1Gbps (search the forums). But keep in mind.. we are talking about processor strength on WAN throughput processing only. When you start to add in resource hungry packages (even if they are single threaded) like Snort, Dansguardian with clamd, Squid, pfBlocker.. you are taxing the processing "times" of the CPU which it would normally use to process WAN throughput.
For a sweet 1Gbps WAN throughput and making a complete UTM with all packages on it, I will definitely recommend i5 for best "response" times. When I say "response" I mean the UTM processing the data from WAN, pfblocker checking allowed IP range, Snort processing it, Dansguardian checking for proper site access, then clamd doing a virus scan on it, lastly Squid caching it.. before you even see the page load.
Face it, you are not going to save even 50 bucks in annual electricity by under powering from an i5 to i3 or Atom.
-
Completely agree. Also I totally understand why there are so many questions asking essentially the same thing. I'd love to see some real throughput tests on a range of fully loaded systems. By fully loaded I guess I'm talking, Squid, Squidguard, Snort, HAVP - the full UTM setup. Currently there are vague numbers from systems that aren't really comparable.
Steve
-
I have a fully loaded system working beautifully. It's on a VM with Intel(R) Xeon(R) CPU X5550 @ 2.67GHz. Has pfBlocker, Snort, Dans (with clamd for virus scans), Squid, and OpenVPN. But I have a 50Mbps (still thinking about that 75Mbps upgrade) connection. RCN cable here isn't that great even though they are fiber optic. I start to get very high ping times and packet loss on higher download speeds. It's an ISP issue and they have acknowledged it. So I wouldn't be the best candidate to run any tests.. lol
On a side note, I think HAVP should be phased out. Dans with clamd does a better job along with the role of SquidGuard.
-
A lot of folks here have a notion that anything above an Atom is waste. It's not all about single or multi threaded. The CPU cycle speeds have a lot to do with the processing as well. Atom was designed for power saving (a couple of yrs back) and still is designed to save power.. no doubt about it. Hey, even Windows runs fairly ok on Atom. i3/i5 is a different breed.. so is Xeon. Not trying to lecture anyone but my point is i3/i5, in certain situations, is a better option to go for than an Atom. An i3 may in fact be more effective in power savings than an Atom. An i5, may be not, but is still very effective.
To Steve's and kejianshi's point, for a gigabit WAN throughput a G530 or an i3 are best candidates. Folks have tested them on 1Gbps (search the forums). But keep in mind.. we are talking about processor strength on WAN throughput processing only. When you start to add in resource hungry packages (even if they are single threaded) like Snort, Dansguardian with clamd, Squid, pfBlocker.. you are taxing the processing "times" of the CPU which it would normally use to process WAN throughput.
For a sweet 1Gbps WAN throughput and making a complete UTM with all packages on it, I will definitely recommend i5 for best "response" times. When I say "response" I mean the UTM processing the data from WAN, pfblocker checking allowed IP range, Snort processing it, Dansguardian checking for proper site access, then clamd doing a virus scan on it, lastly Squid caching it.. before you even see the page load.
Face it, you are not going to save even 50 bucks in annual electricity by under powering from an i5 to i3 or Atom.
I'm the opposite, one of my -isms is "Friends don't let friends buy atom", especially when a local microcenter has dual ivy bridge cores @2.6Ghz for $35 and 1155 motherboards for <$50. Without even checking benchmarks I'm sure that is at least twice as powerful as any atom.
The last couple generations of atoms had no real improvements, maybe centerton or whatever it's called with out of order and some real core improvements might be ok.
As for the OP, one of my pfsense boxes is basically what you are considering: DQ77KB inside the same akasa euler (really nice case) i3-3220T, msata ssd. I also installed an AR9280 minicard for wifi AP someday, but drivers in 2.0.3 are not stable at all even with forced G so it's not being used yet.
It's only on an ~80Mb fiber link for now, but it screams through everything.
I hope they come out with a Q87 thin itx board, because I can't find the Q77 anymore and the haswell i3s now have AES-NI standard. i3-4130 ~$125 for amazing single threaded performance (3.4Ghz) and it's ready for big VPN acceleration whenever that makes it into stable.
-
I agree. I will never ever buy an Atom as it makes no real sense when it comes to $ v/s CPU power. Some folks who are using Atom are sorta die hard fans (even when they know within that they should have gone for a G530/i3 ;D ) and swear by it.
Frankly, for a fully loaded UTM I cross out Atom immediately. Even if someone is trying to build even a basic pfSense firewall with no add-on packages, it just makes no sense not to go the G530/i3 route for a few extra bucks, unless you are extremely tight on budget and every dollar counts for your end decision.
-
I agree. I will never ever buy an Atom as it makes no real sense when it comes to $ v/s CPU power. Some folks who are using Atom are sorta die hard fans (even when they know within that they should have gone for a G530/i3 ;D ) and swear by it.
Frankly, for a fully loaded UTM I cross out Atom immediately. Even if someone is trying to build even a basic pfSense firewall with no add-on packages, it just makes no sense not to go the G530/i3 route for a few extra bucks, unless you are extremely tight on budget and every dollar counts for your end decision.
What about RAM amounts? I'm thinking I want to build a nice(ish) UTM…
-
Ram is cheap, get lots. ;)
If you have a new build with current technology RAM then just fill it. RAM in £/MB is more expensive in older modules.
If you want to run Snort and Squid I would look at 4GB.
This is getting a bit OT but there is still one area where the Atom is king; very low power consumption passively cooled setups.
Yes the Akasa euler can do it for 35W 'real' CPUs but there's cost involved there. The Atom currently fills a niche between the Alix and significantly more expensive passive cooling solutions that can handle higher TDP. A niche that will hopefully be filled by the new Alix board. ;)
Steve
-
I agree. I will never ever buy an Atom as it makes no real sense when it comes to $ v/s CPU power. Some folks who are using Atom are sorta die hard fans (even when they know within that they should have gone for a G530/i3 ;D ) and swear by it.
Frankly, for a fully loaded UTM I cross out Atom immediately. Even if someone is trying to build even a basic pfSense firewall with no add-on packages, it just makes no sense not to go the G530/i3 route for a few extra bucks, unless you are extremely tight on budget and every dollar counts for your end decision.
What about RAM amounts? I'm thinking I want to build a nice(ish) UTM…
Start with 4GB. My sweet spot is 6GB ;D. Snort, Squid, dans with clamd, pfBlocker.. all run like smooth butter and memory usage sits between 40 to 43%. I have kept 8GB just because I have extra in my server and it's a VM. RAM usage is between 30 to 33%. If needed I will pull it down to 6GB.
-
Any idea what it peaks at?
Unused RAM is doing no good to anyone. ;)
Steve
-
I think its wise to keep 25% in reserve to handle momentary spikes in memory usage. Could be wrong.