Netgate Discussion Forum
    Looking to move pfsense from vm to hardware - solutions under $300?

    icest0rm

      @mauroman33:

      Totally agree with albatorsk.

      I've just ordered the second one for the summer house; the first one was delivered in 5 days:
      http://www.aliexpress.com/item/Free-shipping-Mini-PC-Intel-Pentium-J1900-Quad-Core-2-41GHz-Fanless-Micro-PC-4G-RAM/32354251046.html?spm=2114.13010608.0.56.qzlURn

      I'm really satisfied. Just over $200 (with 8GB RAM and 64GB SSD) and it's capable of running Snort, pfBlocker and the OpenVPN client as smooth as silk.

      What about CPU missing AES-NI?
      How much did you pay for customs?

      mauroman33

        @icest0rm:

        @mauroman33:

        Totally agree with albatorsk.

        I've just ordered the second one for the summer house; the first one was delivered in 5 days:
        http://www.aliexpress.com/item/Free-shipping-Mini-PC-Intel-Pentium-J1900-Quad-Core-2-41GHz-Fanless-Micro-PC-4G-RAM/32354251046.html?spm=2114.13010608.0.56.qzlURn

        I'm really satisfied. Just over $200 (with 8GB RAM and 64GB SSD) and it's capable of running Snort, pfBlocker and the OpenVPN client as smooth as silk.

        What about CPU missing AES-NI?
        How much did you pay for customs?

        There is AES-NI support because the CPU is the Celeron N3150.
        I didn't pay a customs fee because they declared a value of USD 30.

        duren

          If by future proofing you mean speed-wise, check this out…

          1. This thread says a Zotac CI323 nano will do 3-400mbps
          2. https://forum.pfsense.org/index.php?topic=113610.msg633918#msg633918 says a CI323 nano will do 117mbps over OpenVPN, which implies #1 was without VPN.
          3. #2 also says that an i7-4500U will do 287mbps over OpenVPN.
          4. https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux says a reasonable AES-NI expectation is +25%.

          So the conclusion I'm reaching is:
          1. If you want 100mbps, any of the J1900, N3150 or 4500U boxes will do. Perhaps the Zotac CI323 would be a good idea because it's a name brand with support.
          2. If you want 1gbps, you're probably limited to the 4500U or better, so no Celerons.
          3. If you want 1gbps over OpenVPN, AES-NI is KEY. Even the 4500U may not be enough, but close, and likely cheaper than the required server hardware. See the OpenVPN tests in #4.

          Once OpenVPN supports AES-NI, you'll want to be on at least the N3150 to utilize it. The question is, how much will the Realtek NICs kill the performance in comparison to Intel NICs, which currently don't seem to exist on any N3150 system (that I could find).

          Of course, price is also a consideration.

          100-150 US gets you a J1900 or N3150
          300 US gets you an i7-4500U
          350-500 US gets you Atom C2xxx systems.

          mauroman33

            @duren:

            If by future proofing you mean speed-wise, check this out…

            1. This thread says a Zotac CI323 nano will do 3-400mbps
            2. https://forum.pfsense.org/index.php?topic=113610.msg633918#msg633918 says a CI323 nano will do 117mbps over OpenVPN, which implies #1 was without VPN.
            3. #2 also says that an i7-4500U will do 287mbps over OpenVPN.
            4. https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux says a reasonable AES-NI expectation is +25%.

            So the conclusion I'm reaching is:
            1. If you want 100mbps, any of the J1900, N3150 or 4500U boxes will do. Perhaps the Zotac CI323 would be a good idea because it's a name brand with support.
            2. If you want 1gbps, you're probably limited to the 4500U or better, so no Celerons.
            3. If you want 1gbps over OpenVPN, AES-NI is KEY. Even the 4500U may not be enough, but close, and likely cheaper than the required server hardware. See the OpenVPN tests in #4.

            Once OpenVPN supports AES-NI, you'll want to be on at least the N3150 to utilize it. The question is, how much will the Realtek NICs kill the performance in comparison to Intel NICs, which currently don't seem to exist on any N3150 system (that I could find).

            Of course, price is also a consideration.

            100-150 US gets you a J1900 or N3150
            300 US gets you an i7-4500U
            350-500 US gets you Atom C2xxx systems.

            Sorry, I don't agree with the first two points of your conclusions because, as albatorsk said, "Since pfSense 2.3, I have no problem getting the full 1Gbps throughput."
            So when you write "If you want 100mbps…", that's only an OpenVPN matter for CPUs like the J1900, N3150 or 4500U.

            Pippin

              @duren:

              So the conclusion I'm reaching is:
              1. If you want 100mbps, any of the J1900, N3150 or 4500U boxes will do.
              2. If you want 1gbps, you're probably limited to the 4500U or better, so no Celerons.
              3. If you want 1gbps over OpenVPN, AES-NI is KEY…
              See the OpenVPN tests in #4.

              I have a Gigabyte N3150N-D3V here, so I cannot write about the others.
              2x Realtek 8111G NICs.

              1. Yes
              2. No, it will happily saturate 1 Gbps (948 Mbps), maybe even more, but I have no faster network to test with.
              3a. That article by Jan Just Keijser (who wrote some very nice books about OpenVPN) was written at least 5 years ago. Not all of it is current info.
              3b. OpenVPN:
              The following test was done in a client-to-client scenario, meaning that on the OpenVPN server there is an extra decrypt+encrypt going on compared to client-to-server, because the packets flow between two clients. I haven't tested the client-to-server scenario yet, but I would think throughput would go up.
              My tests used the following settings:
              Server:

              Remote Access (SSL/TLS+User Auth)
              udp
              tun
              tls static key 2048
              Diffie Hellman 2048
              Certs 2048
              Encryption AES-256-CBC
              Auth digest SHA512
              prng RSA-SHA512 32
              fast-io
              comp-lzo no
              tls-version-min 1.2 or-highest

              Both clients:

              dev tun
              persist-tun
              persist-key
              cipher AES-256-CBC
              auth SHA512
              tls-client
              client
              resolv-retry infinite
              remote 192.168.11.200 1194 udp
              lport 0
              verify-x509-name "OVPN-SERVER-CERT" name
              auth-user-pass
              ns-cert-type server
              comp-lzo no
              prng RSA-SHA512 32
              tls-version-min 1.2 or-highest

              The iperf result was 160 Mbps.

              When encryption is disabled ("auth none", "cipher none"), throughput is 270 Mbps. I did not test other crypto settings. This gives one an idea of what impact crypto/hashing has.

              The second point is the difference between 948 Mbps normal and 270 Mbps OpenVPN (unencrypted). It is mainly caused by packets travelling between kernel and userland, and OpenVPN's internal fragmenting and defragmenting; here CPU power (of a single core!!!) comes into play.

              When OpenVPN 2.4 is ready, bringing AES-GCM, it is expected that throughput will go up.

              @duren:

              Once OpenVPN supports AES-NI

              See 3a above.
              It does already, or more accurately OpenSSL does. When AES-NI is supported, one does not need to set any hardware crypto options in pfSense/OpenVPN; OpenSSL will automatically use it when available.

              @duren:

              The question is, how much will the Realtek NICs kill the performance in comparison to Intel NICs, which currently don't seem to exist on any N3150 system (that I could find).

              I see no problems with the 2 Realtek 8111G NICs on my board. I left settings at default because fiddling with them brought no benefit in my case.
              Of course I have no comparison of this board with Intel NICs, but I have a feeling it would not be very different.

              I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
              Halton Arp

              duren
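Pippin's point that OpenSSL picks up AES-NI on its own can be verified on the box rather than assumed. The script below is an added example, not code from the thread or from pfSense: it compares the output of `openssl speed aes-256-cbc` (OpenSSL's low-level software AES) with `openssl speed -evp aes-256-cbc` (the EVP path, which dispatches to AES-NI when the CPU has it). It assumes the `openssl` binary is on PATH for the live run; the sample outputs embedded in it are constructed, not real measurements.

```python
"""Check whether OpenSSL is really using AES-NI by comparing two
`openssl speed` runs. Added example; assumes `openssl` is on PATH."""
import subprocess

# Constructed sample output (not real measurements). The first is the
# summary of `openssl speed aes-256-cbc`, the software AES path; the
# second is `openssl speed -evp aes-256-cbc`, the EVP path that uses
# AES-NI when the CPU exposes it. Columns are kilobytes per second.
SOFTWARE_RUN = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc      98000.12k   112345.67k   120111.22k   122333.44k   123456.78k
"""
EVP_RUN = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     450000.00k   610000.00k   680000.00k   700000.00k   705000.00k
"""

def parse_speed(output):
    """Map each aes row of `openssl speed` output to its throughput columns (kB/s)."""
    rows = {}
    for line in output.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("aes"):
            continue  # header, blank and version lines are skipped
        name = " ".join(t for t in tokens if not t.endswith("k"))
        rows[name] = [float(t[:-1]) for t in tokens if t.endswith("k")]
    return rows

def aesni_speedup(software_output, evp_output):
    """EVP throughput divided by software throughput on the 8192-byte column."""
    sw = next(iter(parse_speed(software_output).values()))[-1]
    evp = next(iter(parse_speed(evp_output).values()))[-1]
    return evp / sw

def aesni_in_use(software_output, evp_output, threshold=2.0):
    """True when the EVP path is clearly faster, i.e. hardware AES is active.
    A ratio near 1.0 means OpenSSL fell back to software AES on this host."""
    return aesni_speedup(software_output, evp_output) >= threshold

def measure_live(cipher="aes-256-cbc"):
    """Run both benchmarks on this host and return the EVP/software ratio."""
    def run(*extra):
        cmd = ["openssl", "speed", *extra, cipher]
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return aesni_speedup(run(), run("-evp"))

if __name__ == "__main__":
    ratio = measure_live()
    print(f"EVP/software AES-256-CBC ratio: {ratio:.1f}x "
          f"({'AES-NI active' if ratio >= 2 else 'no hardware AES in use'})")
```

On a pfSense box, `grep AESNI /var/run/dmesg.boot` shows whether the CPU advertises the feature at all; the ratio above shows whether OpenSSL, and hence OpenVPN, is actually exercising it.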

                mauroman, thank you for the correction. I scanned through the thread too fast :-[

                Pippin, thank you for the confirmation, much appreciated.

                Pippin

                  Welcome.

                  One thing to add: keep in mind that this was without any other packages installed and no other traffic flowing.

                    icest0rm

                    @mauroman33:

                    There is AES-NI support because the CPU is the Celeron N3150.
                    I didn't pay a customs fee because they declared a value of USD 30.

                    I sent you a PM

                      mauroman33

                      @icest0rm:

                      @mauroman33:

                      There is AES-NI support because the CPU is the Celeron N3150.
                      I didn't pay a customs fee because they declared a value of USD 30.

                      I sent you a PM

                      I answered you

                        edwardwong

                        @Pippin:

                        The second point is the difference between 948 Mbps normal and 270 Mbps OpenVPN (unencrypted). It is mainly caused by packets travelling between kernel and userland, and OpenVPN's internal fragmenting and defragmenting; here CPU power (of a single core!!!) comes into play.

                        When OpenVPN 2.4 is ready, bringing AES-GCM, it is expected that throughput will go up.

                        The other issue is probably related to process threading: pf is now capable of multi-threading, while as far as I remember OpenVPN isn't. For those low-end Atom devices we usually need 1-2 cores' power to have NAT running at 1Gbps throughput, which means if we allow only single-core operation the NAT will probably cap at ~700Mbps, and OpenVPN will have more impact because it adds burden on the CPU as well.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.