Fanless gbit pfSense router?
-
When he starts trying to route "1gbit full duplex" from a WAN through a LAN, with a few packages running you will find out quickly why you need headroom. I guess I could assume that's not what he plans to do, but why would he mention it then?
-
A lot of folks here have a notion that anything above an Atom is waste. It's not all about single or multi threaded. The CPU cycle speeds have a lot to do with the processing as well. Atom was designed for power saving (a couple of years back) and still is designed to save power.. no doubt about it. Hey, even Windows runs fairly OK on Atom. i3/i5 is a different breed.. so is Xeon. Not trying to lecture anyone but my point is i3/i5, in certain situations, is a better option to go for than an Atom. An i3 may in fact be more effective in power savings than an Atom. An i5, maybe not, but it is still very effective.
To Steve's and kejianshi's point, for a gigabit WAN throughput a G530 or an i3 are the best candidates. Folks have tested them on 1Gbps (search the forums). But keep in mind.. we are talking about processor strength on WAN throughput processing only. When you start to add in resource-hungry packages (even if they are single threaded) like Snort, Dansguardian with clamd, Squid, pfBlocker.. you are taxing the processing "times" of the CPU which it would normally use to process WAN throughput.
For a sweet 1Gbps WAN throughput and making a complete UTM with all packages on it, I will definitely recommend i5 for best "response" times. When I say "response" I mean the UTM processing the data from WAN, pfBlocker checking allowed IP range, Snort processing it, Dansguardian checking for proper site access, then clamd doing a virus scan on it, lastly Squid caching it.. before you even see the page load.
Face it, you are not going to save even 50 bucks in annual electricity by underpowering from an i5 to i3 or Atom.
-
Completely agree. Also I totally understand why there are so many questions asking essentially the same thing. I'd love to see some real throughput tests on a range of fully loaded systems. By fully loaded I guess I'm talking, Squid, Squidguard, Snort, HAVP - the full UTM setup. Currently there are vague numbers from systems that aren't really comparable.
Steve
-
I have a fully loaded system working beautifully. It's on a VM with Intel(R) Xeon(R) CPU X5550 @ 2.67GHz. Has pfBlocker, Snort, Dans (with clamd for virus scans), Squid, and OpenVPN. But I have a 50Mbps (still thinking about that 75Mbps upgrade) connection. RCN cable here isn't that great even though they are fiber optic. I start to get very high ping times and packet loss on higher download speeds. It's an ISP issue and they have acknowledged it. So I wouldn't be the best candidate to run any tests.. lol
On a side note, I think HAVP should be phased out. Dans with clamd does a better job along with the role of SquidGuard.
-
I'm the opposite, one of my -isms is "Friends don't let friends buy Atom", especially when a local Micro Center has dual Ivy Bridge cores @2.6GHz for $35 and 1155 motherboards for <$50. Without even checking benchmarks I'm sure that is at least twice as powerful as any Atom.
The last couple generations of Atoms had no real improvements, maybe Centerton or whatever it's called with out of order and some real core improvements might be OK.
As for the OP, one of my pfSense boxes is basically what you are considering: DQ77KB inside the same Akasa Euler (really nice case), i3-3220T, mSATA SSD. I also installed an AR9280 minicard for wifi AP someday, but drivers in 2.0.3 are not stable at all even with forced G so it's not being used yet.
It's only on an ~80Mb fiber link for now, but it screams through everything.
I hope they come out with a Q87 thin ITX board, because I can't find the Q77 anymore and the Haswell i3s now have AES-NI standard. i3-4130 ~$125 for amazing single threaded performance (3.4GHz) and it's ready for big VPN acceleration whenever that makes it into stable.
-
I agree. I will never ever buy an Atom as it makes no real sense when it comes to $ v/s CPU power. Some folks who are using Atom are sorta die hard fans (even when they know within that they should have gone for a G530/i3 ;D ) and swear by it.
Frankly, for a fully loaded UTM I cross out Atom immediately. Even if someone is trying to build even a basic pfSense firewall with no add-on packages, it just makes no sense not going the G530/i3 route for a few extra bucks, unless you are extremely tight on budget and every dollar counts for your end decision.
-
What about RAM amounts? I'm thinking I want to build a nice(ish) UTM…
-
RAM is cheap, get lots. ;)
If you have a new build with current technology RAM then just fill it. RAM in £/MB is more expensive in older modules.
If you want to run Snort and Squid I would look at 4GB.
This is getting a bit OT but there is still one area where the Atom is king; very low power consumption passively cooled setups.
Yes the Akasa Euler can do it for 35W 'real' CPUs but there's cost involved there. The Atom currently fills a niche between the Alix and significantly more expensive passive cooling solutions that can handle higher TDP. A niche that will hopefully be filled by the new Alix board. ;)
Steve
-
Start with 4GB. My sweet spot is 6GB ;D. Snort, Squid, Dans with clamd, pfBlocker.. all run like smooth butter and memory usage sits between 40 to 43%. I have kept 8GB just because I have extra in my server and it's a VM. RAM usage is between 30 to 33%. If needed I will pull it down to 6GB.
-
Any idea what it peaks at?
Unused RAM is doing no good to anyone. ;)
Steve
-
I think it's wise to keep 25% in reserve to handle momentary spikes in memory usage. Could be wrong.
-
Here are the screenshots of my UTM. Network activity has gone down drastically this week due to schools re-opening. Last month was modest as well.. just shy of 350GB.. as we were on family vacations.
-
Yeah - Similar here. I like to have a safety buffer also.
-
My memory consumption goes up and down depending on how much cache is in the RAM. Old data flushes out periodically and brings down the usage. Snort has come a really long way from its initial days where 2GB was just not enough to load it and would crash while turning on the service. It's not like that anymore since 2011.
-
Same same… Goes up to 75% and then pops back down to 25% periodically.
Disk usage is slowly creeping up to 20% (It's a newly installed SSD - Will take time. I'm usually faster to adopt but SSD has been a bumpy ride)
My screaming processor is a dual core AMD, but you know what? I like it. It's impressively stable for garbage that costs about the same as a couple cups of coffee. And I'm passionately in love with Mushkin Server RAM.
-
At full WAN capacity. Keep in mind this is a fully loaded UTM with all resource-hungry packages running. Maxed my WAN at 51.73 Mbps.
Hardware is begging for more WAN throughput :D
-
No doubt it's working well ;)
-
If we do the math..
8% of CPU was able to do 50Mbps of WAN throughput. So my UTM could do just about ….hmmm...
100/8=12.5 times 50Mbps .. that's 625Mbps before it runs out of CPU cycles. Keeping in mind that the Xeon is way more powerful than an i3 and i5, plus it's fully loaded with all resource hungry packages running at full power. I suspect it can reach 1Gbps if I let go of Snort and Dans with clamd.