Braswell N3150 with Intel NICs

bluepr0

@BlueKobold:

If I would not waiting on the new Supermicro Xeon D-1518, D-1528 or D-1548 platform upgrade that
will be launched at Q1/2016, I would personally also go with a SG-4860/SG-8860 or a self made C2758
pfSense box.

Oh, those CPUs are looking nice!. Do you think that it would be a good idea to mix into one of these a NAS and pfSense using ESXI 6.0? I read the integrated LANs like i350 have virtualisation capabilities so it will be the same as running it native (or almost, I guess… for the pfSense setup I mean)

I'm not too keen on having pfsense virtualised, but maybe is an interesting option as I also have a NAS running.

EDIT: how do you find out if a CPU has the QuickAssist? it's not listed in the ark.intel.com database

Sekrit

So perhaps you will be starting to install at first the pfSense inside of a VM and then you could read about the X11SBA-LN4F board in
the other thread about any kind of behaviors, perhaps you will turn around or change your mind and
the Intel Atom C2558 or C2758 platform will be seen in another total different light.

If I would not waiting on the new Supermicro Xeon D-1518, D-1528 or D-1548 platform upgrade that
will be launched at Q1/2016, I would personally also go with a SG-4860/SG-8860 or a self made C2758
pfSense box.

@BlueKobold you are very helpful. I am not going to rush and buy hardware at this moment. I read the X11SBA-LN4F thread and decided that it's not for me. N3150 board is also untested. New Xeon D series (35-45W) will require active cooling, so will C2758 (25W), not sure about C2558 (15W).  I will read more about pfSense in a VM.

Sekrit

Guys, what is the Intel's strategy for future of micro server CPUs?  Since they reduced the die size from 22 to 14nm, they came up with with new Atoms (X5 and X7) but with integrated video targeting tablets and Surface. Celeron N3000 series is the cousin of the new Atoms.  If you look into server Atoms, the last chip was launched in Q3 2013 (C27xx).  On the other hand, they are bringing down the Xeon series to small servers but these are not for the micro servers yet since D series are still require min 35W. Where is the new 14nm Atom for micro servers i.e. successor to Rangeley? Will it be SoC or not?  There are so many chips, I am lost.

cross

There are a lot of CPU's these days it is very difficult to keep up with.  I came across this information a few days ago during my searches for similar reasons and according to the "Intel Public Roadmap" the successor to the C2xxx series is supposed to be the Denverton platform based on 14nm technology.

Intel Roadmap:
http://www.intel.com/content/dam/www/public/us/en/documents/roadmaps/public-roadmap-article.pdf

Denverton News:
http://www.cpu-world.com/news_2015/2015102901_Some_details_of_Denverton_SoCs_for_microservers.html

They were originally hoping it would launch late 2015 but now apparently they are shooting for second half of 2016.  Really has not been a lot of updated news on it since Nov/Dec 2015.

Might be worth holding out for though, with support for up to 16 cores, more memory, and DDR4 - not that most people need that capability for a basic pfsense box but hey i'm not judging.  It will be interesting to see what the initial price point is since the motherboards for the C2xxx series have maintained the value for ~2 years now.  Hopefully they go easy on us consumers!

messerchmidt

if you want itx and a 14nm chip and intel lan, you either need to buy the expensive supermicro option or find a way to plug the 4x intel lan card to the itx asrock board.

if you dont mind going matx, this setup works as the matx board has a 16x slot (1x electrical)

this is running pfsense in a vm in windows server 16 tech preview 4 as server 2012 r2 would crash with hyper v

chris4916

@BlueKobold:

AES,

If you are using IPSec it will be a really good choice if you are using OpenVPN you will not benefit
from this feature and without Intel QuickAssist this might be so also later.

Very interesting and useful comments.
Still I don't understand this one about OpenVPN not faster with AES-NI.
From OpenVPN.net figures are quite different.

This said, I've no idea about Quickassist impact which may help even more.
I was here reacting only to the "OpenVPN with vs. without AES-NI", more with question mark that strong statement BTW.

Sekrit

@cross:

There are a lot of CPU's these days it is very difficult to keep up with.  I came across this information a few days ago during my searches for similar reasons and according to the "Intel Public Roadmap" the successor to the C2xxx series is supposed to be the Denverton platform based on 14nm technology.

Intel Roadmap:
http://www.intel.com/content/dam/www/public/us/en/documents/roadmaps/public-roadmap-article.pdf

Denverton News:
http://www.cpu-world.com/news_2015/2015102901_Some_details_of_Denverton_SoCs_for_microservers.html

They were originally hoping it would launch late 2015 but now apparently they are shooting for second half of 2016.  Really has not been a lot of updated news on it since Nov/Dec 2015.

Might be worth holding out for though, with support for up to 16 cores, more memory, and DDR4 - not that most people need that capability for a basic pfsense box but hey i'm not judging.  It will be interesting to see what the initial price point is since the motherboards for the C2xxx series have maintained the value for ~2 years now.  Hopefully they go easy on us consumers!

Thanks, that's the answer I was looking for. 
"Next year (2016), Atom C2000-series is going to be replaced with Harrisonville Platform and the next generation Atom SoCs, codenamed Denverton and Denverton-NS. These processors will be manufactured on 14nm technology."

Sekrit

I wanted to point out this post by jwt on another thread:

@jwt:

The i210 NICs only have 4 rx/tx queues, which is fine for the 4 core SoC (http://ark.intel.com/products/87261/Intel-Pentium-Processor-N3700-2M-Cache-up-to-2_40-GHz), but you'll find that future versions of pfSense have a minimum 4 core requirement (I might make it 8, I've not decided.)

As documented here: http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/i210-ethernet-controller-datasheet.pdf , there are only 4 tx and 4 rx queues on an i210.

The SoC is significantly slower than a 4 core Rangeley (1.6GHz on the N3700, 2.4Ghz on the C2558), and this will translate into real-world performance differences.  Someone pointed out 6W .vs 15W, and this is why.

Rangeley also has better (i350 .vs i210) NICs.  https://twitter.com/gonzopancho/statuses/643443335114424320

I also don't believe in integrated graphics on a standalone networking device.

That means we may not be able to run pfsense on 2 core C2338 (SG2220 and SG2440) in the future.  The change may come when Netgate replaces C2338 for the Denverton Atoms.

Sekrit

Comprehensive Guide to pfSense 2.3 Part 2: Hardware
Almost everything a newbie needs to know…
Youtube Video

Guest

Oh, those CPUs are looking nice!. Do you think that it would be a good idea to mix into one of these a NAS and pfSense using ESXI 6.0?

Installing a firewall inside of a VM might be discussed by two different camps, one vote for it and the other not.
But, if you are installing it at home, I think it could be a win for you, with a closer view on the electric power
usage within. And there was an interesting article about one of these SoCs at www.servethehome.com and
they where trying out this construct pfSense and a NAS in different VMs on the Xeon D-1500 platform.
But I was not finding it now in the minute, sorry for that.

I read the integrated LANs like i350 have virtualisation capabilities so it will be the same as running it native (or almost, I guess… for the pfSense setup I mean)

This should be answered by peoples who are running hyper-visors and VMs.

I'm not too keen on having pfsense virtualised, but maybe is an interesting option as I also have a NAS running.

As told above it might be interesting for home user pending on the electric power usage
to have a NAS and pfSense running in VMs, but perhaps there will be soon or nearly another
way be opened owed to this point. comment on that by @jwt

EDIT: how do you find out if a CPU has the QuickAssist? it's not listed in the ark.intel.com database

Not that we are talking here about two different things, there is an existing D-1500 platform and now
an upgrade to existing platform and one is Storage accelerated and the other one is network accelerated
not likes before one SKU for all! And the newer platform that is network accelerated, ending with an eight
likes Xeon D-15x8, only is coming together with; Servethehome article

It appears as though the next-generation Intel Xeon D-15×8 networking parts will have a similar impact on performance,
if not even greater with their support for DPDK and QuickAssist.

• AES-NI (likes before)
  Is actual used at the moment by pfSense
• Intel QuickAssist (new)
  pfSense team is working on, to insert it in the pfSense code
• Intel DPDK (for enabled software) (new)
  Is on the road map together with netmap as I am right informed
  As an example, it can be speeding up Layer3 routing and such things as i know, if the DPDK was
  used to write code or the API from this DPDK was used to write code, but this should be answered
  by an code writer and not by me. I don´t know writing code and programming.

Xeon D-15x1 = storage accelerated SKUs using the SPDK
Xeon D-15x8 = network accelerated SKus using the DPDK
Servethehome article

Very interesting and useful comments.

Surely, it was done by @cmb in another thread about VPN and AES-NI. AES-NI inoperative on pfSense 2.2?

Still I don't understand this one about OpenVPN not faster with AES-NI.
From OpenVPN.net figures are quite different.

This might be pending on the point that we are not talking about the same thing as I would imagine
for now, but let me try to explain it that it comes more clear to understand. There are two points here
we are talking about; OpenVPN & IPSec VPN and the usage and benefit from using AES-NI
So one time the usage of AES-NI and one time the benefits from using AES-NI would be the
both points to discuss here as I see it right. Please correct me if not so.

• OpenSSL is using AES-NI if it is present in the CPU or SoC and OpenSSL is used by OpenVPN
  but OpenVPN is only AES-CBC at this time and this might be not getting any benefit from the AES-NI

• IPSec is using AES-GCM and this is using AES-NI and will also benefiting from this.

Or if you need it more sliced and cut;

• OpenSSL is using AES-NI if it is present in the CPU or SoC
• OpenSSL is used by OpenVPN and this uses AES-CBC
• But AES-CBC is not getting no till only a very tiny benefit from AES-NI
• IPSec is using AES-GCM
• And AES-GCM is using the AES-NI instructions and getting also a huge benefit from that

Thats all, please don´t mix it up to hard or read something other out from this.

Or in shorter version:
IPSec is using AES-GCM and this will benefits from the AES-NI and let growing
up the entire throughput from normal 1x up to 4x or 5x.

OpenVPN is using AES-CBC but this is not benefiting from the AES-NI and there fore
there is no till only some benefit from the AES-NI usage.

This said, I've no idea about Quickassist impact which may help even more.

Ok but what should pump up both IPSec and OpenVPN? There are two ways to realize this.
OpenVPN also gets AES-GCM that is using the AES-NI instructions as said by @cmb in the
other thread and OpenVPN is also benefiting from them, or if not so, or not so fast
the Intel QuickAssist technology is ready to use in pfSense for compression and decompression
that might be speeding up also the OpenVPN without using AES-NI or without AES-GCM.

I was here reacting only to the "OpenVPN with vs. without AES-NI", more with question mark that strong statement BTW.

If only IPSec with AES-GCM is using AES-NI and speeding up VPNs by the AES-NI instruction set of
the CPU or Soc, but OpenSSL in or used by OpenVPN is only using AES-CBC and based on this there
will be only a little bit or no benefit from AES-NI there for. Please what was strong now from this statement?

That means we may not be able to run pfsense on 2 core C2338 (SG2220 and SG2440) in the future.

Can be but I think the comment was more related to the Intel i2xx LAN Ports and the NIC queues that will be
produced and must be handled by pfSense.

The change may come when Netgate replaces C2338 for the Denverton Atoms.

Why should they do so? If the intel Atom C2000 (Rangeley) SoCs become older they are cheaper
to buy and if they are sufficient enough to handle 1 GBit/s on the WAN and ~500 MBit/s (SG-4860)
VPN throughput it could be a really cheaper then now entry level, home usage or SOHO platform for
the pfSense store. And the Xeon D-15x8 SoCs are definitely more enterprise related, so the "Denverton"
platform might be a good chance to set up a Pro series between them, or am I wrong with this?

Sekrit

@BlueKobold:

The change may come when Netgate replaces C2338 for the Denverton Atoms.

Why should they do so? If the intel Atom C2000 (Rangeley) SoCs become older they are cheaper
to buy and if they are sufficient enough to handle 1 GBit/s on the WAN and ~500 MBit/s (SG-4860)
VPN throughput it could be a really cheaper then now entry level, home usage or SOHO platform for
the pfSense store. And the Xeon D-15x8 SoCs are definitely more enterprise related, so the "Denverton"
platform might be a good chance to set up a Pro series between them, or am I wrong with this?

Rangeley was manufactured 2 years ago on 22nm wafers and it is history for Intel. It's time for another tock. You may not be able to source it anymore.

BrunoSmi

Well, I've got Windows Server 2012 R2 running with Hyper-V on my CI323 nano after thinkering a bit.

The solution that I've used is to download all the Windows 8/8.1 drivers from the zotac site + the Intel chipset driver from JetWay site for NP591 board ( the newest inf driver on the JetWay site is dated 02.june 2016.) and integrated the divers into the install and boot wim files using dism.

After installing the Windows Server 2012 R2 did all the possible updates, and only then I've added the Hyper-v role to the Windows. I'm running a virtualized firewall on my CI323.
The next step is getting ESXI running on my CI323 or Hyper-v Server, the later could be a problem since the system crashes as soon as it's installed on first boot, so there is no possibility to update the server ( could try updating the server with VT turned off in BIOS).

ATM. I've installed Hyper-V Server 2012 R2, with VT disabled and updating Hyper-V, will post results if someone is interested.

Kind regards,
Bruno

Sekrit

I tried Jetway but decided to return it.  Instead, I changed my server to XeonE3-1245 and supermicro X11 motherboard with a 4 port intel LAN and running pfsense on Vmware under Windows 10.  Addons are snort, pfblocker and Squid proxy. It has been very stable and fast for 6 months.

netghost

Bruno
I have been trying to install ESXi 6.0 on the ci323 nano but with no luck. Everything I have tried so far ends up halting at" Relocating modules and starting up the kernel". Would like to know if you are able to install ESXi on it and how you went about it.

khorton

@Sekrit:

I tried Jetway but decided to return it.  Instead, I changed my server to XeonE3-1245 and supermicro X11 motherboard with a 4 port intel LAN and running pfsense on Vmware under Windows 10.  Addons are snort, pfblocker and Squid proxy. It has been very stable and fast for 6 months.

Which Jetway board did you have, and why did you decide to return it?

Sekrit

@khorton:

@Sekrit:

I tried Jetway but decided to return it.  Instead, I changed my server to XeonE3-1245 and supermicro X11 motherboard with a 4 port intel LAN and running pfsense on Vmware under Windows 10.  Addons are snort, pfblocker and Squid proxy. It has been very stable and fast for 6 months.

Which Jetway board did you have, and why did you decide to return it?

I had a Jetway JC320U93W-2930-B Intel Celeron N2930 Dual Intel LAN Fanless NUC

It generated too much heat. SO-DIMM was defective or the motherboard was causing memtest errors. SSD I received was DOA. The USB drive that I was using temporarily eventually failed too.  I had enough problems.  I wanted to give it a shot to vmware installation and never looked back.