Netgate Discussion Forum

    Looking to move pfsense from vm to hardware - solutions under $300?

      albatorsk

      I can recommend Partaker B5, a Celeron N3150 based mini-PC I got a few months ago. It's got dual gigabit NICs, and the CPU has AES-NI, so it has no problems shovelling ~100Mbps OpenVPN traffic back and forth.

      The only "downside" to it is that it has RealTek NICs. I say that in quotes since I can't really tell if it actually is a downside anymore. Since pfSense 2.3, I have no problem getting the full 1Gbps throughput.

      You can pick it up from Aliexpress or similar for roughly 200 USD.

        icest0rm

        @albatorsk:

        I can recommend Partaker B5, a Celeron N3150 based mini-PC I got a few months ago. It's got dual gigabit NICs, and the CPU has AES-NI, so it has no problems shovelling ~100Mbps OpenVPN traffic back and forth.

        The only "downside" to it is that it has RealTek NICs. I say that in quotes since I can't really tell if it actually is a downside anymore. Since pfSense 2.3, I have no problem getting the full 1Gbps throughput.

        You can pick it up from Aliexpress or similar for roughly 200 USD.

        Interesting option… I'm just not too attracted to buying from AliExpress because of the long delivery time (if you don't choose a courier) and duty expenses... correct?

          bytecode

          AliExpress shipping time depends on the vendor. The Qotom shop on AliExpress selling the J1900 boxes actually guaranteed 9 day delivery, which sounded great, better than the usual 1 to 2 month wait time from AliExpress.

            albatorsk

            Exactly. Now I don't remember what vendor I got mine from, but I selected DHL shipping, and had it in my hands a week after ordering.

              icest0rm

              @albatorsk:

              Exactly. Now I don't remember what vendor I got mine from, but I selected DHL shipping, and had it in my hands a week after ordering.

              Yeah, DHL shipping should do the trick… it just costs a little (around 30$ depending on vendor)...

              What about customs?

                mauroman33

                Totally agree with albatorsk.

                I've just ordered the second one for the summer house; the first one was delivered in 5 days:
                http://www.aliexpress.com/store/product/Free-shipping-Mini-PC-Intel-Pentium-J1900-Quad-Core-2-41GHz-Fanless-Micro-PC-4G-RAM/1383581_32354251046.html

                I'm really satisfied. Just over $200 (with 8GB RAM and 64GB SSD) and it's capable of running Snort, pfBlocker and the OpenVPN client smooth as silk.

                  guardian

                  Can recommend this one… Fast delivery, nice little box, Intel NICs work well.
                  https://forum.pfsense.org/index.php?topic=113308.0

                    Paint

                    @richtj99:

                    I have a 100 meg connection for the WAN & 1000gb on the LAN.  I would rather get something a little more future proof, which is why I can't tell if something like this:

                    https://www.amazon.com/Firewall-Micro-Appliance-Intel-PFSense/dp/B01AJEJG1A/ref=sr_1_1?ie=UTF8&qid=1468435409&sr=8-1&keywords=pfsense

                    Quad Core Celeron J1900 Bay Trail 2.0GHz, 2MB L2 Cache
                    4 Gigabit ethernet Intel NIC ports
                    4GB DDR3 RAM
                    8GB mSATA SSD
                    Fanless and silent operation

                    Would have the 'oomph' I am looking for?

                    Take a look at my recent build. I have a 150/150 mbit FiOS Fiber connection and Gigabit LAN.

                    https://forum.pfsense.org/index.php?topic=113610.0

                    It is future proof for your needs and exceeds the speeds you currently have. I can OpenVPN into my network and download/upload at my full WAN speeds (150/150)

                    pfSense i5-4590
                    940/880 mbit Fiber Internet from FiOS
                    BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
                    Netgear R8000 AP (DD-WRT)

                      icest0rm

                      @mauroman33:

                      Totally agree with albatorsk.

                      I've just ordered the second one for the summer house; the first one was delivered in 5 days:
                      http://www.aliexpress.com/item/Free-shipping-Mini-PC-Intel-Pentium-J1900-Quad-Core-2-41GHz-Fanless-Micro-PC-4G-RAM/32354251046.html?spm=2114.13010608.0.56.qzlURn

                      I'm really satisfied. Just over $200 (with 8GB RAM and 64GB SSD) and it's capable of running Snort, pfBlocker and the OpenVPN client smooth as silk.

                      What about CPU missing AES-NI?
                      How much did you pay for customs?

                        mauroman33

                        @icest0rm:

                        @mauroman33:

                        Totally agree with albatorsk.

                        I've just ordered the second one for the summer house; the first one was delivered in 5 days:
                        http://www.aliexpress.com/item/Free-shipping-Mini-PC-Intel-Pentium-J1900-Quad-Core-2-41GHz-Fanless-Micro-PC-4G-RAM/32354251046.html?spm=2114.13010608.0.56.qzlURn

                        I'm really satisfied. Just over $200 (with 8GB RAM and 64GB SSD) and it's capable of running Snort, pfBlocker and the OpenVPN client smooth as silk.

                        What about CPU missing AES-NI?
                        How much did you pay for customs?

                        There is the AES-NI support because the CPU is the Celeron N3150.
                        I didn't pay customs fee because they have declared a value of USD30.

                          duren

                          If by future proofing you mean speed wise, check this out…

                          1. This thread says a Zotac CI323 nano will do 3-400mbps
                          2. https://forum.pfsense.org/index.php?topic=113610.msg633918#msg633918 says a CI323 nano will do 117mbps over OpenVPN, which implies #1 was without VPN.
                          3. 2 also says that an I7-4500U will do 287mbps over OpenVPN.
                          4. https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux says a reasonable AES-NI expectation is +25%.

                          So the conclusion I'm reaching is
                          1. If you want 100mbps, any of the J1900, N3150 or 4500U boxes will do. Perhaps the Zotac CI323 would be a good idea because it's a name brand with support.
                          2. If you want 1gbps, you're probably limited to the 4500U or better, so no Celerons.
                          3. If you want 1gbps over OpenVPN, AES-NI is KEY. Even the 4500U may not be enough but close and likely cheaper than the required server hardware. See the OpenVPN tests in 4.

                          Once OpenVPN supports AES-NI, you'll want to be on at least the N3150 to utilize it. The question is, how much will the Realtek NICs kill the performance in comparison to Intel NICs, which currently don't seem to exist on any N3150 system (that I could find).

                          Of course, price is also a consideration..

                          100-150 US gets you a J1900 or N3150
                          300 US gets you an i7-4500U
                          350-500 US gets you Atom C2xxx systems.

                            mauroman33

                            @duren:

                            If by future proofing you mean speed wise, check this out…

                            1. This thread says a Zotac CI323 nano will do 3-400mbps
                            2. https://forum.pfsense.org/index.php?topic=113610.msg633918#msg633918 says a CI323 nano will do 117mbps over OpenVPN, which implies #1 was without VPN.
                            3. 2 also says that an I7-4500U will do 287mbps over OpenVPN.
                            4. https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux says a reasonable AES-NI expectation is +25%.

                            So the conclusion I'm reaching is
                            1. If you want 100mbps, any of the J1900, N3150 or 4500U boxes will do. Perhaps the Zotac CI323 would be a good idea because it's a name brand with support.
                            2. If you want 1gbps, you're probably limited to the 4500U or better, so no Celerons.
                            3. If you want 1gbps over OpenVPN, AES-NI is KEY. Even the 4500U may not be enough but close and likely cheaper than the required server hardware. See the OpenVPN tests in 4.

                            Once OpenVPN supports AES-NI, you'll want to be on at least the N3150 to utilize it. The question is, how much will the Realtek NICs kill the performance in comparison to Intel NICs, which currently don't seem to exist on any N3150 system (that I could find).

                            Of course, price is also a consideration..

                            100-150 US gets you a J1900 or N3150
                            300 US gets you an i7-4500U
                            350-500 US gets you Atom C2xxx systems.

                            Sorry, I don't agree with the first two points of your conclusions because as albatorsk said "Since pfSense 2.3, I have no problem getting the full 1Gbps throughput."
                            So when you write "If you want 100mbps…" that's only an OpenVPN matter for CPUs like J1900, N3150 or 4500U.

                              Pippin

                              @duren:

                              So the conclusion I'm reaching is
                              1. If you want 100mbps, any of the J1900, N3150 or 4500U boxes will do.
                              2. If you want 1gbps, you're probably limited to the 4500U or better, so no celerons.
                              3. If you want 1gbps over OpenVPN, AES-NI is KEY….......
                              See the OpenVPN tests in 4.

                              Have Gigabyte N3150N-D3V here, so cannot write about the others.
                              2x Realtek 8111G NICs.

                              1. Yes
                              2. No, it will happily saturate 1 Gbps (948 Mbps), maybe even more, but I have no faster network to test.
                              3a. That article from Jan Just Keijser (who wrote some very nice books about OpenVPN) was written at least 5 years ago. Not all of it is current info.
                              3b. OpenVPN:
                              The following test was done in a client-to-client scenario. Meaning, on the OpenVPN server there is an extra decrypt+encrypt going on compared to client to server, because of the packets flowing between two clients. I haven't tested the client-to-server scenario yet, but I would think that throughput would go up.
                              My tests with following settings:
                              Server:

                              
                              Remote Access (SSL/TLS+User Auth)
                              udp
                              tun
                              tls static key 2048
                              Diffie Hellman 2048
                              Certs 2048
                              Encryption AES-256-CBC
                              Auth digest SHA512
                              prng RSA-SHA512 32
                              fast-io
                              comp-lzo no
                              tls-version-min 1.2 or-highest
                              
                              

                              Both clients:

                              
                              dev tun
                              persist-tun
                              persist-key
                              cipher AES-256-CBC
                              auth SHA512
                              tls-client
                              client
                              resolv-retry infinite
                              remote 192.168.11.200 1194 udp
                              lport 0
                              verify-x509-name "OVPN-SERVER-CERT" name
                              auth-user-pass
                              ns-cert-type server
                              comp-lzo no
                              prng RSA-SHA512 32
                              tls-version-min 1.2 or-highest
                              
                              

                              The iperf result was 160 Mbps.

                              When encryption is disabled, "auth none" "cipher none", throughput is 270 Mbps. I did not test with other crypto settings. Here one gets an idea for what impact crypto/hashing has.

                              The second idea is the difference between 948 Mbps normal and 270 Mbps OpenVPN (unencrypted). Mainly caused by packets travelling between kernel and userland, and OpenVPN's internal fragmenting and defragmenting; here CPU power (of single core!!!) comes into play.

                              When version OpenVPN 2.4 is ready, bringing AES-GCM, it is expected that throughput will go up.

                              Once OpenVPN supports AES-NI

                              See 3a above.
                              It does already, or more accurately, OpenSSL does. When AES-NI is supported, one does not need to set any hardware crypto options in pfSense/OpenVPN. OpenSSL will automatically use it when available.

                              The question is, how much will the Realtek NICs kill the performance in comparison to Intel NICs, which currently don't seem to exist on any N3150 system (that I could find).

                              I see no problems with the 2 Realtek 8111G NICs on my board. I left settings at default because fiddling with them brought no benefit in my case.
                              Of course I have no comparison to this board with Intel NICs, but I have a feeling it would not be very different.

                              I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                              Halton Arp
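
A way to check the statement above that OpenSSL uses AES-NI automatically, as an added example that is not part of the original post: it runs the same `openssl speed` benchmark twice, once with AES-NI masked through the `OPENSSL_ia32cap` variable documented by OpenSSL, and reports the ratio. The function names are hypothetical and the sample lines are constructed, not measurements from this thread.

```shell
#!/bin/sh
# Added example: how much of OpenSSL's AES-256-CBC speed comes from AES-NI.

# Mask from OpenSSL's OPENSSL_ia32cap documentation: clears the AES-NI and
# PCLMULQDQ capability bits, forcing the software AES code path.
NO_AESNI_MASK='~0x200000200000000'

# stdin: `openssl speed` output. Prints the aes-256-cbc figure for the largest
# block size, in 1000s of bytes per second (trailing "k" removed).
parse_speed() {
    awk 'tolower($1) == "aes-256-cbc" { v = $NF; sub(/k$/, "", v); print v }'
}

# Prints the hardware/software throughput ratio with two decimals.
aesni_gain() {
    awk -v hw="$1" -v sw="$2" 'BEGIN { if (sw + 0 <= 0) exit 1; printf "%.2f\n", hw / sw }'
}

# stdin: CPU feature listing. Succeeds if AES-NI is advertised
# (FreeBSD/pfSense dmesg shows "AESNI", Linux /proc/cpuinfo shows "aes").
has_aesni_flag() {
    grep -Eiqw 'aesni|aes'
}

# Real measurement: same benchmark twice, second run with AES-NI masked.
bench_live() {
    hw=$(openssl speed -evp aes-256-cbc 2>/dev/null | parse_speed)
    sw=$(OPENSSL_ia32cap="$NO_AESNI_MASK" openssl speed -evp aes-256-cbc 2>/dev/null | parse_speed)
    if [ -z "$hw" ] || [ -z "$sw" ]; then
        echo "openssl speed produced no aes-256-cbc result" >&2
        return 1
    fi
    echo "AES-NI on: ${hw}k  masked: ${sw}k  gain: $(aesni_gain "$hw" "$sw")x"
}

if [ "${1:-}" = "live" ]; then
    bench_live
else
    # Constructed sample lines in `openssl speed` format (not measurements).
    on='aes-256-cbc 531337.85k 563297.49k 570932.05k 573225.30k 574000.13k 573298.01k'
    off='aes-256-cbc 120000.00k 130000.00k 140000.00k 142000.00k 143000.00k 143324.50k'
    hw=$(echo "$on" | parse_speed)
    sw=$(echo "$off" | parse_speed)
    echo "sample gain: $(aesni_gain "$hw" "$sw")x"
fi
```

Run it with the argument `live` on the firewall itself; a gain close to 1.00 means the CPU lacks AES-NI or OpenSSL is not using it. `openssl speed` exercises a single core, which matches the single-core bottleneck described in the post.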

                                duren

                                mauroman, thank you for the correction. I scanned through the thread too fast  :-[

                                Pippin, thank you for the confirmation, much appreciated.

                                  Pippin

                                  Welcome.

                                  One thing to add, keep in mind that this was without any other packages installed and no other traffic flowing.

                                    icest0rm

                                    @mauroman33:

                                    There is the AES-NI support because the CPU is the Celeron N3150.
                                    I didn't pay customs fee because they have declared a value of USD30.

                                    I sent you a PM

                                      mauroman33

                                      @icest0rm:

                                      @mauroman33:

                                      There is the AES-NI support because the CPU is the Celeron N3150.
                                      I didn't pay customs fee because they have declared a value of USD30.

                                      I sent you a PM

                                      I answered you

                                        edwardwong

                                        @Pippin:

                                        The second idea is the difference between 948 Mbps normal and 270 Mbps OpenVPN (unencrypted). Mainly caused by packets travelling between kernel and userland, and OpenVPN's internal fragmenting and defragmenting; here CPU power (of single core!!!) comes into play.

                                        When version OpenVPN 2.4 is ready, bringing AES-GCM, it is expected that throughput will go up.

                                        The other issue is probably related to process threading: the "pf" is now capable of supporting multi-threading, while as far as I remember OpenVPN doesn't. For those low-end Atom devices we usually need 1-2 cores' power to have NAT running at 1Gbps throughput, which means if we allow only single-core operation the NAT will probably be capped at ~700Mbps, and OpenVPN will have more impact because it's adding burden on the CPU as well.
