Proper NIC, and microSD support?

stephenw10

An Intel Pro/1000 PT NIC will work fine, many people are using them.

If you are running from flash memory, such as an SD card, you should be using the NanoBSD variant of pfSense. That will write onto an SD card no problem, you can write it to anything. As long as the SD card slot connected via USB and is able to be set as bootable in the server it should be fine. Though I've never tested it.  ;) Doing this will avoid any issue you may have had with the disk controllers which can cause problems on very new hardware. I don't believ the disk controller in the gen8 microserver is supported yet for example.

A question here though is why you are using such a powerful box for a 100Mbps connection? Do you need wirespeed between internal interfaces? How many interfaces do you need? I'm unsure as whether the built in Broadcom NICs are supported, a similar question was asked earlier today.

Steve

biggsy

Had you considered just making a pfSense VM?

The 3.1 GHz quad core DL320 does seem a bit like overkill.

Vigger

Thanks for your response :)

Okay, i don't know if the DL320e uses a USB backend for the microSD slot but it might.

As far as i know HP only uses 2 drivers for all their SAS controller cciss (<= G5) and hpsa (>= G6), so the hpsa should work shouldn't it?
If the microSD card works, i don't think i'll be installing any drives anyway.

First of, i want to make sure we are not misunderstading things, by 100mbps i mean megabytes per second and not megabit so my taget speed is atleast 800 megabit/ps (should i have written uppercase 100MB/s?) so is the PT card still usable for this?

One reason is i know from experience that i should always buy the double of what i think i need because i usually have a steep learning curve when playing around with new things and quickly find new ways to use them and the needs usually skyrocket along with me learning new stuff.
I tried it recently when buying one of the servers, i thought 32gb mem and 2x quad core cpu's was more than enough, but all that is used up by now.

So i have learned a little overkill is a good thing. but do you honestly think i should buy the 2gb mem/dual core version instead? could save me $200.

I don't plan on using the 2 built in ports as i don't feel like they can be as good as a dedicated card, therefore i'm looking for a dualport intel card :-)

Vigger

@biggsy:

Had you considered just making a pfSense VM?

The 3.1 GHz quad core DL320 does seem a bit like overkill.

I read here somewhere that using pfsense in a vm is a bad idea perfomance vise, plus i think physically splitting things up makes it all "better", it feels more right.

Do you think the 3.4 Ghz dualcore is a better solution?

stephenw10

Ah, 100MBps is a different matter then.  :)

I would expect the disk controller to work in some mode may you may not be able to use all of its raid features for example. As you say that problem goes away if you're booting from SD.

A little extra headroom is always a good thing but this could be a lot of overkill. You haven't mentioned if you want to run packages, Snort Squid etc, but those will significantly increase the hardware requirement if you do. For just plain firewall/NAT the dual core CPU would be more than enough for 1Gbps throughput. In fact a 3.4GHz dual core CPU will probably be faster than a 3.1GHz quad core because the pf process runs as a single thread.

Intel NICs are always prefered but Broadcom are considered second best and I would have no worried using the on-board NICs if they're supported.

There is some overhead to running virtualized but not too much. There are people here running firewalls at >5Gbps virtualized because currently the drivers under ESXi are able to work with newer 10GbE hardware.

Steve

Vigger

Sorry for the confusion :-(

That is exactly what i mean, currently i will only need very basic NAT'ing but as soon as i start poking around in there i will learn about other exciting things which may require more resources. I just want to be absolutely certain that i will not have to upgrade the machine anytime soon.

FYI: the quad core has intel turbo boost which goes up to 3.5 Ghz.
I just want a good, know, supported, 1Gb NIC thats my only interest.
Obviously i would like a 10Gb network at home, but as far as i know 10G equipment is relatively expensive so my goal is to utilize the 1G network to it's max.

Any suggestions regarding a widely supported not too expensive 1G nic?

Thanks for your time so far :)

@stephenw10:

Ah, 100MBps is a different matter then.  :)

I would expect the disk controller to work in some mode may you may not be able to use all of its raid features for example. As you say that problem goes away if you're booting from SD.

A little extra headroom is always a good thing but this could be a lot of overkill. You haven't mentioned if you want to run packages, Snort Squid etc, but those will significantly increase the hardware requirement if you do. For just plain firewall/NAT the dual core CPU would be more than enough for 1Gbps throughput. In fact a 3.4GHz dual core CPU will probably be faster than a 3.1GHz quad core because the pf process runs as a single thread.

Intel NICs are always prefered but Broadcom are considered second best and I would have no worried using the on-board NICs if they're supported.

There is some overhead to running virtualized but not too much. There are people here running firewalls at >5Gbps virtualized because currently the drivers under ESXi are able to work with newer 10GbE hardware.

Steve

stephenw10

If you go with the more powerful machine and the find that even after adding various things you're still only using 10% of its resources you can always switch to running as a VM and run other VMs on the same hardware.

I've still got sections of 100Mb ethernet here at home (don't think I have any 10base2 left….) and the fastest connection I could get is ~100Mbps if I wanted to pay for it. 10Gb is way way off!  ::)

Go with Intel NICs. Pretty much any Gigabit NIC i350 or older should be good. The newer, cheaper i210 is not supported currently. Search the forum to make sure. The Pro/1000 PT is widely used.

Steve

bryan.paradis

What is your WAN speed? 1Gigabit symmetrical? Or do you mean you want the LAN network to be 1gigabit or 10 gigabit.

Vigger

OK i think i'll just buy the quad core version, it's only $800 anyway. i wont use it for VM's though, i have two nice DL380's with better supported hardware and better specs :)

And i think i'll give the PT card a chance and see how it performs it is an old card after all.

I only have 30/30 Mb/s connection on the wan side so that is not a problem, it's only between machines on the LAN i need high speeds.

Thank so much for your help,

stephenw10

If you are only planning to have a single internal interface, LAN, then the traffic through the box can only ever be 60Mbps total. In that case your hardware will be way way overspecified. You could easily pass that traffic with an Atom.
Since you clearly have a fair collection of hardware and services going on you may well want to segregate your network into, say, servers, clients, VoIP, wifi etc in which case it would be slightly more justified.

Steve

vman76

The PT guard will do just fine. Right now, I'm using it in my poweredge 1950 which is currently servicing 1,400 college students they're pushing it to a steady 400 Mbps and 40,000 PPS without it dropping a packet.  I got 960 Mbps out of it for a sustained 5 minutes of testing using iperf before I deployed it in production.

Vigger

@stephenw10:

If you are only planning to have a single internal interface, LAN, then the traffic through the box can only ever be 60Mbps total. In that case your hardware will be way way overspecified. You could easily pass that traffic with an Atom.
Since you clearly have a fair collection of hardware and services going on you may well want to segregate your network into, say, servers, clients, VoIP, wifi etc in which case it would be slightly more justified.

Steve

Oh i think i might have overlooked the most obvious problem with this setup.
So if device A was downloading data from server A
while device B was downloading data from server B then the 2 devices would each download with 31.25 MB/s?

If so i might have to ask a new question, can i do it here or should i make a new topic?
I honestly don't know how to solve this problem, but couldn't i buy a 1Gb switch which had a single 10Gb port (optical?) which i hook up to my router and thus up to 5 devices at a time would be able to draw the max 125MB/s?
Or is there some other option?

@vman: Thanks! :)

stephenw10

I don't totally understand your question. Where are devices A and B and servers A and B?

If you have only two interfaces in the firewall, WAN and LAN, then traffic between devices in the internal network does not flow through the firewall at all. Only traffic that flows in or out of the WAN goes through the firewall and with your 30/30 Mbps connection that means the total firewall throughput, in both directions simultaneously, can be 60Mbps.

If you have multiple internal networks separated by multiple interfaces on the firewall then traffic between those networks obviously has to go through the firewall. That traffic could be at Gigabit wirespeed in both directions and you could have many connections between many interfaces so firewall hardware requirements are significantly higher.

So really it depends how many interfaces you're planning to have.

Steve