Advice for home use

Pippin

Hi,

depending on your subscribed speeds from your ISP

Currently 16/2,5 but if it can do 50/50 for future then I'm ok.

So I would need Squid and pfBlockerNG, the rest is built in, nice…

Would it be useful to use 8 GB RAM or would 4 GB be enough? (have enough lying around here)
I ask because I read that one can use RAM to offload var and tmp, would it make sense or 32 GB DOM is sufficient?

Also, would Snort make sense for home use?
Still reading up on what is possible...

Thank you.

fohdeesha

Depending on packages using even 2gb ram can end up being wasteful for 100mb connections so no worries there. Ive got 100/100 at home on a 1gb stick of ram and it sits at about 10% memory usage with var and temp offloaded into memory, typical/default var and temp sizes are like 100mb so its not much of a burden.

Obviously memory intensive packages like deep packet inspection stuff (suricata) or content caching will increase this requirement. But even so 4gb will satisfy 90% of those packages typical use configs on a home connection, if you're just running squid and DNS caching you shouldn't have an issue and should be able to set squids memory usage (how much cached information it keeps hot in ram) pretty liberally.

Regarding snort, deep packet inspection/intrusion detection certainly isn't needed for home usage and is overkill 99% of the time (in a home environment), but it certainly does provide a warm fuzzy feeling and you'd be surprised how much stuff ends up in the blocked logs. If you have capable hardware (you certainly do) there's not many downsides to clicking the install package button, configuring some rules lists and going off to the races

Pippin

I like warm fuzzy feelings so snort it is  :)
Will put 2x 2 GB then and will look for a case which is the only thing I don`t have.

Thank you for the useful info.

Pippin

Ok, i read that onboard RT nic is maybe not so good?

This board, N3150N D3V, has a PCI slot with a ASM1083 PCI Express-to-PCI Bridge

• Support PCI bus 33 MHz
• Support 3 PCI Masters
• SSC Support
• CLKRUN Support
• PME Support

33 Mhz 32 bit = 133 MB/s
Does this mean that 1 Gb/s can not be reached if i put a PCI card?

Just in case the RT does not get to 1 Gb/s LAN side or somewhere near that, would it be better to put a PCI card?

Thank you.

Pippin

Never mind, i think wrong way  :)
There`s a switch, 1810 V2 in between.

fohdeesha

As you notice older plain PCI bus is limited to 133MB/s, but that's megaBYTES per second.

gigabit lan however is gigaBIT, which is 125megaBYTES per second, so an ethernet card with a single gigabit ethernet port will not be bottlenecked by a PCI slot. a card with two gigabit ports however will obviously not be able to saturate both ports at once as you're approaching double the speed of the PCI bus.

However some good news, Realtek interfaces are hit and miss as you note, but that doesn't mean always bad. Googling for your board brought up a couple threads on this very forum, and include a fellow user that says he's using both onboard realtek interfaces with no issues at all -

https://forum.pfsense.org/index.php?topic=105114.msg601520#msg601520
(bottom post)

Hope that helps!

(but also as you note, if your house computers are connected to a gigabit switch and then the switch is connected to the router, local lan traffic will never hit the router anyway, only wan traffic destined outside of your subnet will, and only if your WAN connection is close to gigabit will it matter if you can sustain that saturated speed across them :) )

Pippin

Yes, i found some posts, looks like i`m ok with this board.

@fohdeesha:

but that's mebaBYTES per second.

Or MiB ?

Just kidding, i know the difference  ;)
Somewhere next week the case will arrive, then the fun can start  :)

fohdeesha

that's what I get for replying on my phone  ;D

2 inch keyboards! but yes, you're gonna have a great time with pfsense  8)

Pippin

You know you can also talk to your phone right?  ;D

Pippin

The case arrived and I installed PFS with USB stick after first update BIOS to latest F3.
But first i got a ERROR 19 and a quick search seemed to indicate that it could be because of USB 3.
So I stick it in a USB 2 port and then install went fine :)

Decided to put a SSD instead of the DOM and now I read that TRIM is not enabled:

:tunefs -p /dev/ufsid/57137fa8f265f119
tunefs: POSIX.1e ACLs: (-a)                                disabled
tunefs: NFSv4 ACLs: (-N)                                   disabled
tunefs: MAC multilabel: (-l)                               disabled
tunefs: soft updates: (-n)                                 enabled
tunefs: soft update journaling: (-j)                       enabled
tunefs: gjournal: (-J)                                     disabled
tunefs: trim: (-t)                                         disabled
tunefs: maximum blocks per file in a cylinder group: (-e)  4096
tunefs: average file size: (-f)                            16384
tunefs: average number of files in a directory: (-s)       64
tunefs: minimum percentage of free space: (-m)             8%
tunefs: space to hold for metadata blocks: (-k)            6408
tunefs: optimization preference: (-o)                      time
tunefs: volume label: (-L)

Anyone know if enabling TRIM still works if I follow this:
https://forum.pfsense.org/index.php?topic=97554.msg543373#msg543373

So I would need to start at step 3.
Are there any more tunings to be done before putting it to it`s final location?

Edit:
SSD does support TRIM:

:camcontrol identify /dev/ada0
pass0: <corsair force="" ls="" ssd="" s9fm02.6=""> ACS-3 ATA SATA 3.x device
pass0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
protocol              ATA/ATAPI-10 SATA 3.x
device model          Corsair Force LS SSD
firmware revision     S9FM02.6
serial number         xxxxxxxxxxxxxxxxxxx
cylinders             16383
heads                 16
sectors/track         63
sector size           logical 512, physical 512, offset 0
LBA supported         117231408 sectors
LBA48 supported       117231408 sectors
PIO supported         PIO4
DMA supported         WDMA2 UDMA6
media RPM             non-rotating

Feature                      Support  Enabled   Value           Vendor
read ahead                     yes      yes
write cache                    yes      yes
flush cache                    yes      yes
overlap                        no
Tagged Command Queuing (TCQ)   no       no
Native Command Queuing (NCQ)   yes              32 tags
NCQ Queue Management           no
NCQ Streaming                  no
Receive & Send FPDMA Queued    no
SMART                          yes      yes
microcode download             yes      yes
security                       yes      no
power management               yes      yes
advanced power management      yes      no      0/0x00
automatic acoustic management  no       no
media status notification      no       no
power-up in Standby            no       no
write-read-verify              no       no
unload                         yes      yes
general purpose logging        yes      yes
free-fall                      no       no
Data Set Management (DSM/TRIM) yes
DSM - max 512byte blocks       yes              8
DSM - deterministic read       no
Host Protected Area (HPA)      yes      no      117231408/117231408
HPA - Security                 no</corsair>

Pippin

Enabling TRIM worked.
Very nice (: