Start building a 6-port firewall
-
Was previously using Mikrotik RouterBoard, not bad indeed (I have rb2011uias-2hnd-in & rb450g) but NAT performance not meeting my requirement, so I decided to build a new one. In my previous job I already built a few pfSense box v1.2 and felt it's a decent one, so I am planning to go back to pfSense (esp. with the new multi-thread supported pf)
I really wanted to have Intel Rangeley board as my dream firewall, but they are really expensive, Supermicro has multi-ethernet Rangeley motherboard…..but it's mATX, too bad I can't get a smaller case for this. ALIX kits are not bad as well but only 3 ethernet available, so I have to pick something else (but I would recommend it to friends which don't need too many ports). Remaining choices are some other Atom CPU like D510/D525/D2500 and Celeron 1037U, eventually I picked this:
Celeron 1037U, 1GB DDR3 SO-DIMM memory, 6 x Intel Pro 1000 GbE, with onboard CF and mini pci-e slots (see attached image)
In terms of specification, D525 is similar to Celeron 1037U, but I see that 1037U has lower TDP as well as the support of "dynamic frequency scaling" which can save me more power when idle.
After installing nanoBSD version pfSense 2.2.1 to CF card, I connect it to my home broadband and have my first trial. The preliminary result is already blowing me away (see picture).
But....a better test is still needed, so I've setup iperf test to test the NAT performance (with only 1 single LAN->NAT rule).
Client side: Mac Pro late 2014 (using on board Gigabit ethernet, configured as LAN side)
Server side: Macbook Pro retina mid 2014 (Thunderbolt Gigabit ethernet, configured as WAN side)
Client connecting to 10.10.10.10, TCP port 5001
TCP window size: 1.00 MByte (WARNING: requested 1.00 MByte)[ 4] local 192.168.200.11 port 50327 connected with 10.10.10.10 port 5001
[ ID] Interval Transfer Bandwidth
[ 4] 0.0- 2.0 sec 225 MBytes 944 Mbits/sec
[ 4] 2.0- 4.0 sec 224 MBytes 942 Mbits/sec
[ 4] 4.0- 6.0 sec 224 MBytes 941 Mbits/sec
[ 4] 6.0- 8.0 sec 224 MBytes 942 Mbits/sec
[ 4] 8.0-10.0 sec 221 MBytes 927 Mbits/sec
[ 4] 10.0-12.0 sec 224 MBytes 942 Mbits/sec
[ 4] 12.0-14.0 sec 224 MBytes 942 Mbits/sec
[ 4] 14.0-16.0 sec 224 MBytes 941 Mbits/sec
[ 4] 16.0-18.0 sec 224 MBytes 942 Mbits/sec
[ 4] 0.0-20.0 sec 2242 MBytes 940 Mbits/secI also tried with 64KB TCP Window, which yields to a almost identical result, so I would believe 940Mbps NAT throughput is the limit.
In BIOS I've enabled those C3/C5/C7 + enabling other power management options + enabling powerd in pfSense, so I can see the 1037U will drop from 1.8GHz to the lowest 100MHz while idling. So when I just started to run the first round, iperf was showing only about 300Mbps max. speed, but it goes up quickly when I started the 2nd round immediately. From system monitoring, system load was never going beyond 0.5.
-
Hi, where did you purchase your unit from?
-
Hi, where did you purchase your unit from?
I bought it from Taobao.com, but if you are not living in China/HK/Taiwan, you might want to look at AliExpress, like this one:
http://www.aliexpress.com/store/product/kvm-virtual-firewall-server-with-Ivy-Bridge-Celeron-1037U-low-power-CPU-support-ROS-Mikrotik-PFSense/1295458_2011098687.html -
Just did another test in early morning, I can see that it's pushing to the limit (during speed test CPU usage bumps up to 50-70%)