Frankensteining a dedicated router PC –> HW questions
-
Disclaimers:
-
I'm brand new to this community and have no prior experience with building a router
-
I searched before posting, but my notion of logical search terms may not jive with the posting lexicon here
-
I'm a networking amateur, but a fast learner
I wish to build a dedicated router out of components I have on hand, with minimal additional expense if possible. My cap for expenses is $150, since that's the entry point for decent used routers that will require less fiddling.
I need advice on the relative importance of hardware components, excluding NICs. Almost everything I have is server-grade with Intel dual onboard NICs, plus I have some good Intel fiber and copper expansion NICs on hand.
1. CPU & chipset: What is the relative importance of CPU speed, number of cores, and instruction sets? Would it be a waste to use a dual-CPU board for this project? My choices in the closet are a Prescott P4, Core2 Quad, dual Harpertown Xeon, & dual Westmere Xeon. If I could dedicate my old Apple xServe dual G5 PPC to this project, that would be ideal, as I have little I can do with it anymore (but I suspect the Linux kernel for PPC is too old for pfSense).
2. Memory: Is there any benefit in using ECC? It seems redundant given the fault-tolerance built in to TCP/IP. My choice of CPU & mobo will determine in part whether ECC RAM gets "wasted" on this box. How much is too much RAM? I could redistribute sticks to other machines, or populate my dual Westmere with >96GB.
3. I/O & storage: Should I care? I have unused 3GB/s SAS RAID I can put to use, but a simple SATA drive would be easier.
Here's what I will be using on the network:
-
Managed gigabit switch (HP 4000M) with 2 VLANs and multiple trunked (aggregated) ports
-
4G/WIMAX failover WAN
-
single 802.11AC WAP with about 6 simultaneous heavy users
-
Windows Server 2012 R2 ADDC
-
Exchange Server 2013 (< 20 accounts)
-
Dynamic DNS, port forwarding, VPN, SNMP
-
small webserver (homepage for a small startup business that does zero business over the web)
-
Lots of remote desktopping & telnetting
-
Media server streaming HD to up to 4 clients simultaneously
-
NAS backups approx. 3TB/day
I think I gave enough details to elicit focused reponses. Cheers!
-
-
-
More cores means you can run higher speed connections, or more packages
-
More clock speed means your peak speeds can be quicker, and latency could be lower when running packages like suricata (packet inspection based IDS/IPS)
-
AES-NI support means there is less load on the CPU when you're hooking up to a VPN or creating one
-
-
At first pfSense is not Linux based its FreeBSD based and so the latest Linux Kernel would be not interesting
here in that game. My english is not fine and so my language skills are not so well formed, sorry for that at
first. What exactly do you want to realize now? Building a pfSense box for $150 or set up pfSense in a VM?Managed gigabit switch (HP 4000M) with 2 VLANs and multiple trunked (aggregated) ports
This is a Layer2 switch for 10/100 MBit/s connections, is this right? So if so, it would be a really gain for your
entire network and the most parts you named here, if you will be buying a Layer3 GB LAN switch!- Cisco SG300-xx (best switch ever with nearly wire speed)
- D-Link DGS1510-xx (Budget but with 10 GBit/s capabilities)
So the switch is then routing the entire LAN traffic and the pfSense would be only for the WAN - LAN traffic.
And then $150 would be comming closer to your needs and let you reaching your goal.single 802.11AC WAP with about 6 simultaneous heavy users
ac WiFi = ~1300 MBit/s throughput : 6 users = ~200+ MBit/s for each user, but with your switch
with only 10/100 MBit/s capacities the entire switch would be the bottleneck, please think about.Media server streaming HD to up to 4 clients simultaneously
But not all together with this on top for only $150 as I see it right. Ok together with a
Layer3 Switch that does the entire LAN routing on GB basis, no problem.NAS backups approx. 3TB/day
3 TB daily routing through the pfSense firewall? And then on top streaming 4 HD films simultaneously?
Many NAS devices are capable of an hardware upgrade to 10 GBit/s and a D-Link DGS1510-20 is serving
two SFP+ ports that this masses of data will be fast as able saved by yours.or perhaps you would be the lucky one i you set up pfSense in a VM with a 4 Core Xeon CPU and nearly
3GHz of clock frequency. This would be enough for all then. -
@BlueKobold:
At first pfSense is not Linux based its FreeBSD based and so the latest Linux Kernel would be not interesting
here in that game.Sorry, I was being sloppy and admittedly uninformed on that point. Do I have any hope of employing my G5 Xserve as a pfSense box, or is that fraught with complications that a person unskilled in FreeBSD like me should avoid?
What exactly do you want to realize now? Building a pfSense box for $150 or set up pfSense in a VM?
At the moment I am leaning more toward setting up a dedicated physical machine, since I hate to see perfectly good equipment go unused. I am willing to consider a VM, but for now I want to stick with the original questions of provisioning the right combination of hardware to this project.
This is a Layer2 switch for 10/100 MBit/s connections, is this right?
It is an old switch, for sure, but still quite capable. I have fully populated it with gigabit copper and fiber modules, so it should serve me well until I make the move to 10GBe.
3 TB daily routing through the pfSense firewall? And then on top streaming 4 HD films simultaneously?
I tried to give worst-case conditions, although it is highly unlikely that 4 users will be streaming video at 4 a.m. while the backups are running….
or perhaps you would be the lucky one i you set up pfSense in a VM with a 4 Core Xeon CPU and nearly 3GHz of clock frequency. This would be enough for all then.
Referring to my OP, two of my options are a dual-chip 4-core Xeon and a dual-chip 6-core Xeon. This is basically the whole point of my questions: what balance of CPU power, memory overhead, and I/O bus throughput do I need to get the job done without wasted excess capacity? Surely 12 Xeon cores would be a waste of a mainboard for a pfSense router, right? I'd prefer to put that 12-core machine to use as my VM repository (of which pfSense could be one of the VMs, if we want to go off on that tangent…)
-
AES-NI support means there is less load on the CPU when you're hooking up to a VPN or creating one
This is exactly the kind of tip I was hoping to elicit. I never would have thought of this on my own. This means my Westmere-EP Xeon will be a much stronger candidate than the older stuff. I'm starting to think a VM may be the smarter implementation….
-
Go with the 4 Core Xeon and 8 GB of RAM if you can fiddle it together and insert a SSD if you
have one lying around, this would be the best option as I see it right. If you have more RAM
to insert, it would not be the worst, the RAM is likes a puffer for data running through the
firewall and with 3 TB of backup data it would be not running fine smooth and liquid for
you if then peoples would be streaming 4 times HD videos. And yes for sure the most
benefit for your firewall you will get from the AES-NI and Intel QuickAssist, but with
2 Xeon CPUs and 4 Core you will be also getting enough power for all, pending on the
GHz of this CPUs. -
@BlueKobold:
Go with the 4 Core Xeon and 8 GB of RAM if you can fiddle it together and insert a SSD if you
have one lying around, this would be the best option as I see it right. If you have more RAM
to insert, it would not be the worst, the RAM is likes a puffer for data running through the
firewall and with 3 TB of backup data it would be not running fine smooth and liquid for
you if then peoples would be streaming 4 times HD videos. And yes for sure the most
benefit for your firewall you will get from the AES-NI and Intel QuickAssist, but with
2 Xeon CPUs and 4 Core you will be also getting enough power for all, pending on the
GHz of this CPUs.Just to clarify, the only machine in the bunch that has the AES-NI instruction set is a dual SIX-core Xeon (3.4GHz) with 96GB RDIMMs and a SAS array. Seems like overkill for a dedicated router/firewall. Methinks I should virtualize pfSense and run it on a fraction of this computer….
-
Just to clarify, the only machine in the bunch that has the AES-NI instruction set is a dual SIX-core Xeon (3.4GHz) with 96GB RDIMMs and a SAS array. Seems like overkill for a dedicated router/firewall. Methinks I should virtualize pfSense and run it on a fraction of this computer….
Total overkill, virtualise away. PFsense works well virtualised.