The perfect pfSense box 2016?
-
Actually the history of FreeBSD's pf becomes "multi-threading capable" was just about a year, for pfSense it's v2.2, so really not that long ago.
You are confusing multithreading capability of the operating system itself, and that of pf, the software that handles firewall/NAT and other IP transactions.
FreeBSD itself has been able to run multithreaded code since the introduction of SMP systems, at some point in the '90s.
pf, the software that puts the pf in pfSense, however, has only very recently been multithreaded. (And I am still not convinced it does it well, based on previous statements I have read that pf just wasn't suitable for multithreading. Not all code is; in fact most code has trouble in one way or another with threading.)
It is a common misconception in hardware circles that if only software developers weren't lazy, all code would be better threaded and able to fully take advantage of their many-core systems. The truth is that a lot of workloads simply cannot be threaded.
No… I didn't confuse them… see my phrase 'FreeBSD's pf becomes "multi-threading capable"', where I was focused on PF. I knew *BSD has had multithreading capability for a long time, but not for PF. If I remember correctly, PF has had multithreading support since FreeBSD 10, which is what 2.2 is based on.
-
2 8GB RAM Module, DDR3L 1600MHz Kingston, KVR16LN11/8
1 AMD FX-6-Core Black Edition, 6-Core Processor, AMD FX-6300
1 Asus M5A97 LE R2.0, MotherBoard, Asus M5A97 LE R2.0
1 PRO/1000 PT Quad Port Server Adapter, Ethernet Card, Intel D47316-004
1 ATX Mid Tower Case, Computer Case, Deep Cool TESSERACT BF
1 2 TB HDD/64MB Cache SATA, Hard Drive, Toshiba P300 HDWD120XZSTA
Total $409.23
Avg Cost per item $58.46
I have been monitoring this pfSense box and have not even come close to 10% total usage with heavy usage. I have OpenVPN, Backup, RRD Summary and full Squid packages running. I have 38 varying devices, from phones to computers to Blu-ray players to Chromecast. With almost all of them running internet-connected activities at the same time, my CPU maxed out at about 11%, my memory max was around 14% and load average is now about 5.2. This is truly overkill for a system like this, but I just needed the functionality and I wanted some level of "future proofing" for the next 5 years. Most of these parts were on sale, so it is a good setup for me. All other networking is gigabit with Cat6 cables and a wireless AC access point. My backups are sent to my CentOS box nightly, with 1TB dedicated to just these files to keep some archives "just in case" (I'm a bit paranoid). That CentOS box has 5 4TB HDs in RAID 5, and that box is also archived, encrypted, at a friend's house several miles away on his CentOS box (his is archived on mine also).
-
Axiomtek also has very nice boxes in the desktop or 19" 1U form factor,
with additional add-on modules for the "R" (rack mount) series:
NA342 & NA342R
NA361 & NA361R
-
I recently did a similar build, but I opted for a low power full Haswell chip instead of Atom. (I'm a little bit biased when it comes to Atom based chips and their capabilities).
Avoton, though technically an Atom, was designed as a server chip. Intel severely limits how this chip can be used because of how good it is. It's not as good as a Xeon, but it's a very good low power chip designed for server applications. TDP is 20W if I recall correctly at 2.4 GHz, and it's got 8 real cores (no hyperthreading fake cores), supports all the virtualization extensions, the AES extension, and up to 64 GB of ECC memory. You won't find all that in anything but a Xeon at twice the price and 2 to 4 times the power consumption.
Avoton is the perfect firewall chip IMO. pfSense even sells one as their highest end hardware. https://store.pfsense.org/XG-2758/
-
Avoton, though technically an Atom, was designed as a server chip.
Both are "server grade" SoCs and both are Intel Atom platforms; they are split into two platforms.
Avoton is more for servers like Apache and Samba servers or NAS devices, and Rangeley is more
for network appliances such as firewalls and routers.
Rangeley comes with AES-NI and Intel QuickAssist
Avoton comes with AES-NI and TurboBoost
Intel severely limits how this chip can be used because of how good it is. It's not as good as a Xeon, but it's a very good low power chip designed for server applications. TDP is 20W if I recall correctly at 2.4 GHz, and it's got 8 real cores (no hyperthreading fake cores), supports all the virtualization extensions, the AES extension, and up to 64 GB of ECC memory. You won't find all that in anything but a Xeon at twice the price and 2 to 4 times the power consumption.
Yes, this might look right at first glance, but on second look a real Xeon E3-12xxv3
is really heavy at routing multiple 1 GBit/s at the WAN and strong enough to run a fully
featured pfSense UTM device. There will be nothing you are missing. And it is better than
the common Intel Core i3, i5 and i7 CPUs in terms of power consumption.
Avoton is the perfect firewall chip IMO. pfSense even sells one as their highest end hardware. https://store.pfsense.org/XG-2758/
It is the Intel Atom C2x58 ("Rangeley") platform
or SoC, and not the Avoton, which they are selling!
-
I wanted a simple, reasonably low energy use set up. Went for the following, using vlans with the switch:
$175 PC: Intel NUC BOXNUC5PPYH Barebone Kit - Pentium N3700
$20 RAM: Kingston SO-DIMM KVR16LS11/4 1.35V (Low Voltage) 4G DDR3 1600 Notebook RAM
$25 SSD: 32GB SATA3 2.5inch
SWITCH: I already had a D-Link DGS-1100-16 16 Port Gigabit Switch, so used that. Otherwise would have used something like:
$34 TP-Link TL-SG105E 5-Port Gigabit Easy Smart Switch
--------------------
$254 TOTAL
Works just fine for me.
-
Here is what I ordered direct from PC Engines. With 2 extra AC adapters, it was $196 including 3-day shipping from Switzerland to Oregon.
http://pcengines.ch/apu2c4.htm
1 apu2c4 APU.2C4 system board 4GB
1 case1d2u Enclosure 3 LAN, alu, USB
3 ac12vus2 AC adapter 12V US plug for IT equipment
1 msata16d SSD M-Sata 16GB MLC Phison
Without the extra AC adapters, I think this would ship for about $170. It can run a couple hundred Mbps worth of OpenVPN, and about 600 Mbps of basic NAT/routing traffic at about 8 W total consumption.
-
It can run a couple hundred mbps worth of OpenVPN, …
I agree, a great little board… but that seems quite high for OpenVPN on that board. How did you test?
I would not expect any more than 40 Mbps for a single OpenVPN connection.
-
I would not expect any more than 40 Mbps for a single OpenVPN connection.
The APU2 comes with a 4-core CPU, and only the PPPoE WAN part uses a single core; the entire
OpenVPN part uses multiple CPU cores, so you will perhaps see numbers, owing to this
circumstance, that you were not expecting before. But I would be counting more on AES-NI
and IPsec (AES-GCM), which should push the entire VPN part more; for sure not OpenVPN,
but really fast.
-
@BlueKobold:
I would not expect any more than 40 Mbps for a single OpenVPN connection.
The APU2 comes with a 4-core CPU, and only the PPPoE WAN part uses a single core; the entire
OpenVPN part uses multiple CPU cores, so you will perhaps see numbers, owing to this
circumstance, that you were not expecting before. But I would be counting more on AES-NI
and IPsec (AES-GCM), which should push the entire VPN part more; for sure not OpenVPN,
but really fast.
I just tested my APU2 (on Linux in my test), disabled lzo-compression, "cipher AES-256-CBC", and consistently saw 58-62 Mbps using iperf. Note iperf was not running on the APU2, and the APU2 was an OpenVPN server.
My version of iperf did not support randomized data, so I had to disable lzo-compression for a closer real-world test.
@BlueKobold, looking at "htop" on the APU2, it seemed only one core was running at 50-100% during the test.
-
Update,
I retested on the APU2, running iperf3 (client) on the APU2 itself while the remote-end iperf3 (server) was bound to the tunnel IP of the OpenVPN client; the result was 92 Mbps.
It seems testing downstream off an external interface made the test somewhat "choppy" so a consistent, solid stream did not happen (a short pause every few seconds) and hence slower throughput.
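
Why the test above turned lzo-compression off when iperf could not send randomized data, as an added example that is not part of the thread: a small model of a compressing tunnel whose bottleneck is the cipher. Assumptions: zlib stands in for LZO, and the 60 Mbps cipher limit, 1400-byte packet payload and 1-byte framing flag are constructed values, not OpenVPN's actual wire format.

```python
import os
import zlib

MTU_PAYLOAD = 1400        # assumed bytes of application data per tunnel packet
CIPHER_LIMIT_MBPS = 60.0  # assumed rate at which the CPU can encrypt bytes (constructed)


def tunnel_frame(chunk: bytes) -> bytes:
    """Frame one packet as a compressing tunnel might: a 1-byte flag, then the
    compressed body, falling back to the raw body when compression does not help."""
    packed = zlib.compress(chunk, 1)  # zlib is a stand-in for LZO here
    if len(packed) < len(chunk):
        return b"\x01" + packed
    return b"\x00" + chunk


def apparent_mbps(stream: bytes, compression: bool) -> float:
    """Goodput a benchmark would report when encryption is the bottleneck:
    the cipher only has to process what is left after compression."""
    sent = 0
    encrypted = 0
    for off in range(0, len(stream), MTU_PAYLOAD):
        chunk = stream[off:off + MTU_PAYLOAD]
        sent += len(chunk)
        encrypted += len(tunnel_frame(chunk)) if compression else len(chunk)
    return CIPHER_LIMIT_MBPS * sent / encrypted


def make_streams(size: int = 140_000) -> dict:
    """Constructed benchmark payloads: all zeros, a repeating pattern, random bytes."""
    return {
        "zeros": bytes(size),
        "pattern": (b"0123456789" * (size // 10 + 1))[:size],
        "random": os.urandom(size),
    }


if __name__ == "__main__":
    for name, data in make_streams().items():
        print(f"{name:8s} compression off: {apparent_mbps(data, False):8.1f} Mbps   "
              f"compression on: {apparent_mbps(data, True):8.1f} Mbps")
```

With compression off, all three payloads report the same figure; with it on, only the random payload stays near the cipher limit, which is the number that reflects already-compressed or encrypted real-world traffic.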