RaspberryPi model 2 6x the power for running pfsense on
-
I've bought two Pis for the fun of it. I don't have extra server hardware around to play around with Linux so I bought a Pi. Now one runs irssi and offers a backup node to SSH back to home for tunneling RDP through SSH (normally I use a VM running on my desktop as the Pi really lacks in the CPU department). The second one runs NTP with GPS time source and lighttpd + cron to host an IP blocklist for pfBlockerNG on pfSense (which runs on a mini-ITX / Pentium G630T box).
The minimum requirement for running pfSense on any hardware for me would be two half decent GigE NICs that are not connected to the CPU/SoC through USB :)
-
@kroberts
So far it's dead out of the box. I need to double check that my old 2GB micro SD card, which came from my HTC Hero phone, is not the problem, but the RPis support SDR50, which is UHS-1 (~22MBps) IIRC, so it should be OK. But as I'd tried the OSes which would fit on the micro SD card, i.e. not the latest Raspbian or Ubuntu Snappy, and seeing on one of the RPi 2 threads that some of the images have not been updated to work, that's likely to be the reason why, so until some bigger micro SDs arrive I've yet to test the latest version of Raspbian, Ubuntu or anything which should be capable of running Linux with the arm7 kernel files.
The ODroid looks interesting for the Gigabit NIC and yes, I can post results, just let me know what tests to carry out. I saw an interesting thread on the RPi forums last night about fast or slow silicon. I don't know how true it is, but apparently some silicon can be fast and some slow, which explains why some models overclock faster than others. Plus with other sites suggesting things to remove or change with different versions, like removing bash for dash, a few MB of RAM saved here and there can get freed up and so on, making the experience a little better.
The Turbo mode certainly helps with variable overclocking and it's surprising just how responsive the experience becomes. I was surprised to find out they even do heat sinks and fans for them.
I wonder what your broadband throughput is at your home?
I get 4.52Mbps and this won't be changing for a few more years to come as there simply is not the infrastructure where I am. In fact my old home can only get 1-2 Mbps net access as it's right on the end of the line, and I know that used to be a party line going back over 35 years ago with little change to the physical wiring.
But I had to pop down to London on Sat to drop some things off (so past the London Eye, Houses of Parliament etc., i.e. the tourist route, in at 11pm) and the thing that hit me was: yes, I can get full signal; could I get any form of data? No. Plus the office blocks blocking the GPS didn't help the satnav either, so whilst it's safe to say we can get good speed with 4G and other new tech, it's just not reliable enough to be useful in some places, and it's why this early adopter is no longer buying the hype from so many high tech companies, be it hw or sw.
I wasted so much on tech that for me it's time to find something that will work to my satisfaction, so starting with the lowest cost option and working up until I find something good enough for my needs, but I am steering away from US tech after the Snowden revelations where possible, or going for stuff that can't become a liability, i.e. no Intel vPro/AMT, as this provides out-of-band remote support, nice for keeping your bank dept's PCs all up to date without having to be physically in front of them, but knowing that CPU microcode is updated, there's an unaccountable, untrusted risk with that sort of stuff now.
Edit. Just saw this, which shows methods to put your own back doors into CPUs: danluu.com/cpu-backdoors/.
AFAIK the main thing we have to contend with is the bootloader in the RPi as everything else like black bin boxes which could present a risk excluding bugs yet to be discovered in code, can be removed mostly.
-
Dead out of the box: Are you using a pi 2 distro on it? I understand many/most pre-existing distros won't work on pi 2.
I'd hang on to that 2gb sd card, I can't seem to find them around here. I'd love to have a box of 1-2g cards for installs and the like.
The only benefit I see to what Snowden did is now we have more information about how to build our firewalls. I don't completely trust the NSA any more than anyone else, but what concerns me more is whether the NSA can keep the information they learn about me out of the hands of others. And whether all the information he took with him was all that accurate in the first place. Seems to me that it would be awfully convenient for the NSA if they could send off a circus act with a lot of facts they know are out there or are suspected, plus credible but tainted information about what they really care about and then pretend to go after his blood. Not saying I believe he is one exactly, every action he has taken shouts that he knows he's in the moral wrong. But I don't trust any news that came out of the NSA, the CIA or any other security service. They never give the whole, untainted truth.
The NSA has hooks into our ISPs, and China manufactured most of the hardware and much of the software we use. IMO there are lots of black hats out there, not sure if I trust any government or company entirely on that. Even when they tell the truth it's tainted to give the impressions they want to give.
Not trying to make conspiracy theory discussion here.
Tests: Just tell us how it's configured (nat, number of firewall rules, ISP specified throughput, etc) and what actual performance you see. I don't think there's much more that would apply to a pi.
I've never heard of fast or slow silicon. Variations in manufacturing process changes specs of components slightly, which limits the overclocking speed. I'm a server guy, so I have never overclocked anything for any reason. I want it to last as long as possible.
A pi might be able to route <5mbps, not sure but it seems reasonable from what experience I have with pi speeds. If you can get pfSense to work on it acceptably then it might actually be a better option than a SOHO router.
Just as a frame of reference I have 60/10 by contract now, actually usually tests at around 65/15 with Midcontinent Cable in the USA. They offer 200 mbps right now. They promise gigabit speeds before two years is out. This is not just for cities, a lot of rural areas get the same treatment. I know people quite some distance from town who get rock solid 100mbps service from them. And my cell phone regularly tests at 30 mbps or better.
I know what you're talking about with the party line. I remember my home as a boy, my parents complaining about neighbors listening in on their phone calls. I also remember them being excited when private lines came in, and how some of the neighbors didn't seem so excited. Funny now, but I didn't understand it then.
I hope you get your pi working. Nothing sucks more than having your toy broken right out of the box.
-
Tests: Just tell us how it's configured (nat, number of firewall rules, ISP specified throughput, etc) and what actual performance you see.
Will do, but won't be for a while now as other things have cropped up. :(
Check out http://berryterminal.com/doku.php/berryboot, it's quite good and I was using this on the 2GB to overcome the 3GB size of Raspbian, i.e. boot from Berry on 2GB, install Raspbian on a USB memstick, although I don't know if the memstick will be too slow or not.
-
The new R-API is NOT 6x faster.
That's pure hype.
-
The 6 times faster is the result of some tests carried out using multi-threading benchmarking software like SysBench, it's not pure hype.
The Neon enabled multicore video codecs can be over 20x faster, yet other single threaded benchmarks only show a 1.5x faster result. What's also been interesting is seeing how Raspbian (Debian) has been optimised since I last played with it when the RPi model B came out; they have cut the bloat from it quite well.
Edit.
Found some network stats for the RPi, www.hauweele.net/~gawen/blog/?p=34, suggests 94Mbps without any I/O. Also found this blog where someone has FreeBSD running on it with a simple pf: blog.khubla.com/freebsd/simple-pf-for-raspberry-pi
Will be interesting to see how these fare with pfSense if I can get it to run. Does anyone know if trying to use the nano version of pfSense on a Pi would be better, or stick with the main version of pfSense?
I'm not familiar with the differences, so although I've got some scripts together to quickly config and set up these RPis in a variety of ways, FreeBSD would have to be my weakest OS, then Linux, then Windows, and I'm still learning pfSense as always.
TIA.
-
Looks like it would make a pretty good small scale Asterisk server or router/firewall for a slow internet connection.
-
a nice cheap and low power squid 3 or openvpn server
there is a ddwrt distro for this unit (from the older pi, works here)
-
Using USB3 Gigabit nics will give you yet faster throughput compared to using USB2 10/100 nics.
Other tricks to speed it up include little things like switching off the atime (noatime) and dir atime (nodiratime) as the SD writes slow things up a bit. You'll get faster write speeds from a USB external HD than an SD card write; even a 100Mb/s write speed class 10 micro SD card is still slower than a 7 year old USB WD external HD.
-
The pi2 has USB 2.0 ports. Also I believe the SD card is hooked to the USB hardware, which means that the entire filesystem/built-in ethernet/plugin drives/plugin NICs are running off the same chip, which was chosen because it's cheap rather than because it's fast. So whatever the max bandwidth of that chip, that's probably the max theoretical bandwidth of all your I/O combined.
So you want to spend $50 usd or so to get a basic pi2 going, plus buy 1 ethernet nic, put everything together and try to get pfsense going on it. Or, buy a plug and play wifi router from amazon for $20?
-
Or grab a refurbished HP or Lenovo small form factor desktop from NewEgg or off ebay for around $100 and have a lot more flexibility. More power use but you can cut that back by unplugging all the hardware you don't need running.
-
There are countless really neat ideas for the pi. I use one as a stratum 1 time server and two for dns/dhcp failover pairs.
The time server is interesting, do you use it as an NTP server for pfSense and what did you add to the basic Pi to get the time sync?
It's not that interesting. We're looking at doing a GPS-disciplined clock (oscillator) as a lure for the Minnowboard Max.
-
a nice cheap and low power squid 3 or openvpn server
there is a ddwrt distro for this unit (from the older pi, works here)
Good, Fast, Cheap: pick two.
-
Following some of the tips in another topic here on NTP and GPS I've been looking at this module, either as an add-on to a Pi or directly into my pfSense box.
https://www.adafruit.com/products/746
Not bad for $40 with a $4 antenna cable converter and a $13 external antenna.
-
That adafruit one is the one I have on my pi. Without the antenna it's nearly worthless unless you have a lot of visible sky.
I agree that a stratum 1 time server is not all that interesting. It's interesting to set up, but after that it just sits there, you check every week or 3 to make sure it's still a stratum 1 and otherwise you forget about it.
The only reason I support a pi as the time server is because I don't like all my eggs in one basket. A pi + gps is a stratum 1 time server for around $100 all in. That makes it MUCH cheaper than any other standalone time server I've seen, and AFAIC any functionality it doesn't have doesn't matter to me.
A good time source is important for my work, otherwise I wouldn't bother. It was a neat project for the pi, and now that's sitting in a pile of other pi's doing similarly trivial stuff.
I'm probably going to switch to minnowboard for some of my little stuff, but none of this will be any sort of router for me. There's lots of good router hardware out there, and purpose-built router hardware kicks ass over non-router hardware.
-
If pfsense ran on a RaspberryPi I'm sure it would get used to death by home users assuming it wasn't flakey and slow.
It will be slow. That's why we're not interested.
We have pfSense running on the BBB internally.
(If you've not noticed: http://store.netgate.com/BeagleBoneBlack.aspx)
-
@gonzopancho:
It's not that interesting. We're looking at doing a GPS-disciplined clock (oscillator) as a lure for the Minnowboard Max.
As in a Thunderbolt equivalent? A Soekris with a clock-block? (http://www.febo.com/time-freq/ntp/soekris/) Or just a GPS tacked onto a Minnowboard?
-
That's cool. :)
Steve
-
@gonzopancho:
It's not that interesting. We're looking at doing a GPS-disciplined clock (oscillator) as a lure for the Minnowboard Max.
As in a Thunderbolt equivalent? A Soekris with a clock-block? (http://www.febo.com/time-freq/ntp/soekris/) Or just a GPS tacked onto a Minnowboard?
If you really care about NTP (or ntimed https://github.com/bsdphk/Ntimed) you know that the PPS output you could get off "just a GPS tacked onto a Minnowboard" (I said 'Max', but whatever) is good, but not great. What I'm describing is a GPSDO
http://tf.nist.gov/general/pdf/2297.pdf
Yes, a lot like a Trimble Thunderbolt. Way better than your Soekris with a Clock-block. (I've seen it all before, son.)
-
@gonzopancho:
If you really care about NTP (or ntimed https://github.com/bsdphk/Ntimed)
I don't: as you said, it's not that interesting. GPS / PPS units these days make it easy enough to get all the precision, accuracy & stability you need for ntpd. ntimed may change that though, as will PTP.
What I'm describing is a GPSDO
Yes, a lot like a Trimble Thunderbolt.
Great, I look forward to taking a close look and comparing them, if your design makes it to production.
Way better than your Soekris with a Clock-block. (I've seen it all before, son.)
It's not my Soekris, but it was a cool exercise to read about. I'm glad you feel you have enough experience to pull it off; it's quite hard to do well.