INTEL OR AMD, Single thread or Multi thread, Suggest a Hw config.
-
Also the Avoton server based Atom CPU's support AES-NI. But yeah, basically if you care about high openvpn throughput then make sure you get a chip with hardware encryption (AES-NI) !
I run an Ivy Bridge i5 because (at the time) it was the lowest end cpu line that supported AES-NI! Thankfully with Haswell they dropped AES-NI down to the i3 range, though. There are also several 'embedded' intel SKU's with AES-NI as well. You can always check on ARK though.
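Added example, not part of the original posts: for a box already in hand, the AES-NI question the thread answers per SKU can also be read from the CPU feature flags the OS reports (the FreeBSD/pfSense boot log or Linux /proc/cpuinfo). The sample lines are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): detect AES-NI in a CPU feature dump.
# Handles FreeBSD/pfSense boot-log text and Linux /proc/cpuinfo text.

has_aesni() {  # $1 = feature text; returns 0 if AES-NI is advertised
    printf '%s\n' "$1" | awk '
        /Features2=/ {              # FreeBSD: names comma-separated in <...>
            s = $0; sub(/^[^<]*</, "", s); sub(/>.*$/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        /^flags[ \t]*:/ {           # Linux: names space-separated after the colon
            s = $0; sub(/^[^:]*:/, "", s)
            n = split(s, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

host_features() {  # print the feature text of the machine this runs on
    if [ -r /var/run/dmesg.boot ]; then cat /var/run/dmesg.boot
    elif [ -r /proc/cpuinfo ]; then cat /proc/cpuinfo
    fi
}

# Constructed sample lines (hex masks and feature lists are illustrative).
SAMPLE_BSD_AES='  Features2=0x7fbae3bf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'
SAMPLE_BSD_NOAES='  Features2=0x40e31d<SSE3,DTES64,MON,DS_CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE>'
SAMPLE_LINUX_AES='flags : fpu vme sse sse2 ssse3 sse4_1 sse4_2 popcnt aes xsave avx'

for name in SAMPLE_BSD_AES SAMPLE_BSD_NOAES SAMPLE_LINUX_AES; do
    eval "text=\$$name"
    if has_aesni "$text"; then echo "$name: AES-NI present"
    else echo "$name: no AES-NI, AES runs in software"; fi
done

if has_aesni "$(host_features)"; then echo "this host: AES-NI present"
else echo "this host: AES-NI not reported"; fi
```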
-
Also the Avoton server based Atom CPU's support AES-NI. But yeah, basically if you care about high openvpn throughput then make sure you get a chip with hardware encryption (AES-NI) !
I've been looking at Avoton, and the pricing is just way too far out there, I could get a high end i5 quad core (possibly even i7!)+ motherboard for the same price as one on a motherboard.
-
I've been looking at Avoton, and the pricing is just way too far out there, I could get a high end i5 quad core (possibly even i7!)+ motherboard for the same price as one on a motherboard.
Yeah, this is real unfortunate :(
THIS Supermicro board features a Sandy Bridge based Pentium B915C, which does include AES-NI. The motherboard it is on has 6, yes SIX Intel NIC's! 2 I210's and 4 I350's! It's pretty expensive though, but would be one heck of a sweet pfSense platform!
-
The one thing these "embedded" options lack is upgradability.
If I get an i3 now, I can go to an i7 later as my needs increase. Not so with Avoton.
I love the idea of a multithreaded low power monster, but not at a price where I can get much more bang for buck with about the same idle power consumption and the ability to upgrade.
-
PFSense 2.2 should be a lot more thread friendly, and will be out this summer/year. ghz is important, but don't completely write off a quad core if you plan on keeping it for a while and possibly having it do more work, like VPN, proxy, snort, etc. If you put a 5 year life time on the box, where do you see your bandwidth needs in that time?
When I chose a CPU, I just went for 2.8ghz+ and at least a dual core.
-
I've been looking at Avoton, and the pricing is just way too far out there, I could get a high end i5 quad core (possibly even i7!)+ motherboard for the same price as one on a motherboard.
Yeah, this is real unfortunate :(
THIS Supermicro board features a Sandy Bridge based Pentium B915C, which does include AES-NI. The motherboard it is on has 6, yes SIX Intel NIC's! 2 I210's and 4 I350's! It's pretty expensive though, but would be one heck of a sweet pfSense platform!
That board is "expensive" because it has an Intel Quick Assist ("Cave Creek") on-board. When I (eventually) get the work done to incorporate this into FreeBSD (and thus, pfSense), it will make sense.
But I took the decision to support AES-NI first (limited resources, remember?) because it is more generally applicable.
-
Ok pfsense at this time is not highly multithreaded, so fewer fast cores are currently better than many slow cores.
false. At this time, the only part of pfSense 2.1 that isn't multi-threaded is the pf packet filter.
The rest scales very well with multiple cores.
Really for your throughput with VPN you should be looking at a Haswell i3 if budget allows. This would give you AES-NI for the VPN, and fast single core performance
Be aware that at this time, only OpenVPN is accelerated with AES-NI. We're working on accelerating IPSEC.
In terms of ram, that is highly dependent on whether or not you choose to run snort.
Allow:
2-4 gig for squid
2-4 gig for snort
6 gig seems to be the sweet spot for running both
There are reasons that the C2758 in the pfSense store has 8GB (and 8 cores, and supports AES-NI and QuickAssist).
We know what is coming. :-)
Jim
-
@gonzopancho:
Ok pfsense at this time is not highly multithreaded, so fewer fast cores are currently better than many slow cores.
false. At this time, the only part of pfSense 2.1 that isn't multi-threaded is the pf packet filter.
The rest scales very well with multiple cores.
Really for your throughput with VPN you should be looking at a Haswell i3 if budget allows. This would give you AES-NI for the VPN, and fast single core performance
Be aware that at this time, only OpenVPN is accelerated with AES-NI. We're working on accelerating IPSEC.
In terms of ram, that is highly dependent on whether or not you choose to run snort.
Allow:
2-4 gig for squid
2-4 gig for snort
6 gig seems to be the sweet spot for running both
There are reasons that the C2758 in the pfSense store has 8GB (and 8 cores, and supports AES-NI and QuickAssist).
We know what is coming. :-)
Jim
Sorry Jim,
I meant to say:
1. Snort is single threaded as is pf
2. Squid benefits mostly from 2 threads, as opposed to more (in my personal experience)
3. Quick assist is a good explanation of why this board is so expensive - I question whether it is necessary for a school at this time.
-
Yeah, I definitely wouldn't go single core unless you have that hardware to hand already. As Jim said the pf process is limited to a single thread (but not for too much longer) but there are many processes running especially if you're using packages.
I don't agree about AES-NI though. You can push 50Mbps of OpenVPN traffic using only software on an Atom D525! Yes, AES-NI will reduce the CPU loading a VPN connection introduces but unless you're planning to get a faster WAN connection it's not something I would consider a priority in selecting a CPU. The G2020, for example, would have no problems. It has more than 5X the single thread performance of a D525.
Steve
-
stephenw10…whats your take on j1900 or c1037un?
both are low power...how will they fare against the G2020?
-
I've not used either, or the G2020! ;)
You mean the Gigabyte board specifically or the CPU? The board has Realtek NICs which I would try to avoid if possible. I think there is a thread here discussing it.
Both the C1037 and the J1900 are substantially less powerful, in processing terms, than the G2020. See:
http://www.cpubenchmark.net/compare.php?cmp[]=2131&cmp[]=1988&cmp[]=1839
Edit: URL won't format properly. >:(
The J1900 is particularly weak in the single thread benchmark but scores reasonably because it's quad core.
Although the G2020 is a 55W TDP CPU that does not mean it will draw anything like that in normal use. Unless you have a very strict power requirement, like you're running from solar, then I would not expect it to be expressively expensive to run. There are other threads here comparing the G2030 with the G2030T in terms of power consumption where the savings were minimal.
Steve
-
I am presently running on G2020 with idle power of 44W I am attracted only because of low power consumption and the dual nic's readily available on-board..
has anybody compared performance of Athlon x2 270 vs G2020..pl let me know?
-
How is it enough for 100 desktop computers share a dual lan firewall, why not considering making it 4 lan or 6 lan?
-
How is it enough for 100 desktop computers share a dual lan firewall, why not considering making it 4 lan or 6 lan?
Because, even with a Single-WAN router, the bottleneck is usually the WAN connection itself, that is unless you have a connection faster than 1gbit!