Purchase appliance or custom build?
-
A co-worker is looking to set up pfSense at his home, where he is setting up a home lab that is all gigabit Ethernet on the LAN side. He has dual WAN links that are around 15Mbps max and will have a max of 2 VPN connections at any time. He wants to get near gigabit speed for any file transfers, etc. between networks on the LAN side.
He is looking for something with at least four gigabit NICs. Two for dual WAN and two for redundant LAN connections to managed gigabit switches.
Also, he wants to be able to run the following packages:
arpwatch
bandwidthd
cron
darkstat
filer
HAVP antivirus
iperf
iftop
mtr-nox11
nmap
netio
ntop
pfBlocker
Postfix Forwarder
spamd
snort or suricata
stunnel
tinc
zebedee
He was looking at a Soekris net6501, but I didn't think it would be able to meet his needs. We were looking at some Hacom appliances but the prices were a bit steep for him. He wants it to be as quiet as possible and not draw too much power also (over $0.40/kWh here!).
I have been looking at different boards with embedded processors (Atom, Celeron, APU), and mini-ITX desktop boards, and also looking at what I have available for use.
I have a Supermicro PDSBM-LN2+, Xeon 3060 2.40 GHz, so he would need a dual gigabit NIC, a case, and a power supply. This would probably have the lowest upfront cost, but not sure how much power it would require. I plan to get a Kill-a-Watt and test it when I have the chance.
Edit: Also have a Supermicro C2SEA, which is still LGA775, but has the ability to run 45nm processors. Though it has a single onboard Realtek NIC instead of dual onboard Intels like the PDSBM-LN2+, it does have more PCI and PCIe slots.
Would he be better off building on a current embedded or mini-ITX desktop platform, or using the Supermicro + Xeon, or going the appliance route? Which hardware would not have too much upfront cost, be reasonably quiet, not be a power hog, and be able to run all the packages he wants and give him close to gigabit speeds between LANs?
-
Gigabit on the LAN side is easy. You can get dual/quad NICs also, which means you don't need many slots.
Looking through your list, the key packages to watch are:
suricata/snort
and HAVP
Snort loves memory (IMO have a minimum of 4GB of RAM), HAVP eats a bit of processor power.
Aggregated, he has a total of 30Mbps on the WAN side; most modern hardware will hit this without even trying.
Personally, as this is not a work installation, I'd build something based on a Haswell Celeron or Pentium. You can probably get the parts for about the same as the Soekris and end up with much more power on demand, and about the same power at idle.
-
If you're spending someone else's money, appliance.
Spending your own, build. Especially if you don't care about rack mounts, purchase orders or support contracts.
There is just no contest on what picking your own parts can do, the price/performance isn't even in the same league. You can save a ton on certain parts if you check the grey/spare/used markets, and those parts work just fine despite any FUD.
-
Thanks for the replies!
I totally agree with the picking your own parts concept, just wanted to get confirmation so I can convince my co-worker that would be the way to go.
Besides the above spare/used parts I have access to, I may be able to salvage an i3-530 or i5-650. Though the only mini-ITX 1156 board I see available is the Intel DH57JG, micro-ATX boards are abundant.
I will look into newer parts as well (Haswell, etc.), just trying to help keep the cost down while being able to perform as requested.
-
He is looking for something with at least four gigabit NICs. Two for dual WAN and two for redundant LAN connections to managed gigabit switches.
This requires clarification. It looks like you may be planning only a single LAN interface arranged in a LAGG (teamed) to give redundancy? If that's the case then you will only ever have to deal with 30Mbps of throughput, which lowers your hardware requirement considerably.
If, however, you are going to use two Gigabit LAN interfaces then you may need 1000Mbps between them, massively more powerful hardware required. ;)
Steve
-
use two Gigabit LAN interfaces then you may need 1000Mbps between them, massively more powerful hardware required.
I believe this is what he wants, he may want more than two LAN interfaces but two is the minimum requirement. I will ask for clarification.
Thanks!
-
Here is a drawing of what he intends to do. Each LAN interface will be set up with subinterfaces for different VLANs. He wants as close to gigabit as possible between VLANs.
-
Definitely need the Xeon or something of similar power for that.
Steve
-
If you're spending someone else's money, appliance.
Spending your own, build. Especially if you don't care about rack mounts, purchase orders or support contracts.
There is just no contest on what picking your own parts can do, the price/performance isn't even in the same league. You can save a ton on certain parts if you check the grey/spare/used markets, and those parts work just fine despite any FUD.
And then, if you encounter issues, be sure to blame the hardware, and not pfSense, OK?
-
-
More mysterious clues! ;)
I'm waiting.
Steve
-
@gonzopancho:
If you're spending someone else's money, appliance.
Spending your own, build. Especially if you don't care about rack mounts, purchase orders or support contracts.
There is just no contest on what picking your own parts can do, the price/performance isn't even in the same league. You can save a ton on certain parts if you check the grey/spare/used markets, and those parts work just fine despite any FUD.
And then, if you encounter issues, be sure to blame the hardware, and not pfSense, OK?
Depends if it's really the hardware's fault; isn't that what this forum is for? Sometimes it turns out to be the driver pfSense is using, in which case it's FreeBSD's fault :)
I'm not trying to crap on you guys, it's just the market reality for DIY builders right now. If you can get decent internet speeds (big if…) and start doing more things, the appliances are either underpowered or significantly more expensive.
I point technically inclined people straight to pfSense because you can do a ton with it and not pay the crazy Cisco tax for baseline networking functions, but by the same token I really can't steer them at most prebuilts. Your Dell 1U is a lot better deal than the Netgate Atom stuff though.
-
@gonzopancho:
If you're spending someone else's money, appliance.
Spending your own, build. Especially if you don't care about rack mounts, purchase orders or support contracts.
There is just no contest on what picking your own parts can do, the price/performance isn't even in the same league. You can save a ton on certain parts if you check the grey/spare/used markets, and those parts work just fine despite any FUD.
And then, if you encounter issues, be sure to blame the hardware, and not pfSense, OK?
Depends if it's really the hardware's fault; isn't that what this forum is for? Sometimes it turns out to be the driver pfSense is using, in which case it's FreeBSD's fault :)
I'm not trying to crap on you guys, it's just the market reality for DIY builders right now. If you can get decent internet speeds (big if…) and start doing more things, the appliances are either underpowered or significantly more expensive.
I point technically inclined people straight to pfSense because you can do a ton with it and not pay the crazy Cisco tax for baseline networking functions, but by the same token I really can't steer them at most prebuilts. Your Dell 1U is a lot better deal than the Netgate Atom stuff though.
All the Dell 1U does is fund the project. They were given to us by a customer. We refurb them, load pfSense, and ship them (in the custom box we had done.)
If by "netgate atom stuff" you mean the FW-7541, then … it's what we use internally (currently).
But better stuff is on the way, and buying it helps fund the project.
And there are three 1Gbps FTTH providers in Austin. Grande has it now, AT&T this summer, Google by the end of the year.
-
@gonzopancho:
Definitely need the Xeon or something of similar power for that.
Wait a couple weeks.
More mysterious clues! ;)
I'm waiting.
Steve
Definitely will be up to waiting to see also; my co-worker won't be purchasing, testing, and implementing his setup until late May.
As a side note, I ran iperf through a testbed pfSense setup I have at work (PDSBM-LN2+ w/Xeon 3060). The onboard Intel 82573 NICs are set up as WAN and LAN, and I have an Intel Pro/100 PCI NIC as OPT1. I ran iperf between LAN and WAN to see if it could NAT/FW at gigabit speed. If I remember correctly, iperf results were around 850-900Mb/s, while the pfSense webGUI traffic graphs were showing around 950Mb/s and CPU at 100%.
-
Got a Kill-A-Watt and measured idle power draw of several different types of hardware for general comparison. Looks like I need to replace my current setup before I spend too much on additional electricity usage.
Initial setup
Case: eMachines micro-ATX mini tower
Motherboard: Supermicro PDSBM-LN2+
CPU: Intel Xeon 3060
PSU: Enermax EG465P-VE 460W
Disk: Western Digital 80GB HDD
NICs: Dual onboard Intel 82573L WAN/LAN, Intel Pro/100 PCI for WiFi AP

Current setup (same as initial except)
PSU: Antec VP450 450W

Test setup 1 (same as initial except)
Case: ABMX rackmount 1U
PSU: Ablecom 520W 1U
NICs: Intel Pro/1000 MT PCI-X in PCI slot

Test setup 2
Case: generic ATX tower
Motherboard: Supermicro C2SEA
CPU: Intel Q8300
PSU: Antec Neopower 650 Blue 650W
Disk: Seagate 7200.12 500GB HDD
NICs: Onboard Realtek RTL8111C for LAN1, Intel Pro/1000 PT x2 for WAN1/WAN2, Intel Pro/1000 CT for LAN2

Idle power draw
Initial setup: 70W
Current setup: 61W
Test setup 1: 69W
Test setup 2: 54W

And just for grins
Dell Optiplex 980/i3-530/pfSense: 36W
Dell Optiplex 980/i3-530/Win7: 34W
HP 8200 Elite/i5-2500/Win7: 24W
HP 8200 Elite SFF/i5-2400/Win7: 25W