Netgate Discussion Forum

    First pfSense Build - Hardware recommendations and access points

      whosmatt

      @bigjme93:

      • Is 16GB overkill for sure? I'm happy to get a single 8GB stick and upgrade later if needed - I think less than 8GB is too low but as whosmatt pointed out, 16GB may be too much (it would save me around £35 dropping the extra 8GB)

      Honestly, for most uses, I think 8GB is too much.  Certainly it won't hurt, but I've got 4GB in my home build and more than 3GB of it sits unused.  At work, we're running 1GB of RAM in our VMs that handle a couple hundred machines in about 15 subnets and it's never been a problem.

        bigjme93

        @whosmatt:

        Honestly, for most uses, I think 8GB is too much.  Certainly it won't hurt, but I've got 4GB in my home build and more than 3GB of it sits unused.  At work, we're running 1GB of RAM in our VMs that handle a couple hundred machines in about 15 subnets and it's never been a problem.

        I agree that the 8GB may be a little overkill still - a 4GB module is £19.99 compared to £34.99 for 16GB so I would pay more to upgrade later if needed (compared to 16GB being twice the 8GB price) - at that point I see no gain in going lower

        Dropping to 8GB however has allowed me to budget in a better PSU than the original, although a 250W PSU running this system seems like I'm going to be throwing power away due to the lower efficiency with such low power hardware involved (I'm expecting to see around 20W at the wall on average)

        On the power front if anyone has similar specs and would like to share power usage that would be great

        Jamie

          whosmatt

          @bigjme93:

          I agree that the 8GB may be a little overkill still - a 4GB module is £19.99 compared to £34.99 for 16GB so I would pay more to upgrade later if needed (compared to 16GB being twice the 8GB price) - at that point I see no gain in going lower

          Dropping to 8GB however has allowed me to budget in a better PSU than the original, although a 250W PSU running this system seems like I'm going to be throwing power away due to the lower efficiency with such low power hardware involved (I'm expecting to see around 20W at the wall on average)

          On the power front if anyone has similar specs and would like to share power usage that would be great

          Jamie

          Yeah, no reason not just to go for the price sweet spot as far as RAM is concerned.  I just see a lot of people spec'ing 16GB of RAM for a home build.. if you look at the pfSense store offerings, the highest level of hardware has 16GB and is meant to serve many thousands of clients potentially.  Don't mean to harp on it too much, just trying to educate people about the real RAM requirements of pfSense.

          I'd get the best (highest efficiency) PSU you can fit into your budget, obviously.  Sadly, I think there's a dearth of high efficiency PSUs designed to service low power systems unless you go with a PicoPSU or something like that.  Maybe I missed it in a previous post, but which case did you choose (or have you chosen one yet)?  With a Mini-ITX board that doesn't need PCI-e expansion cards or active cooling, you could potentially go with a DC power supply.  20 Watts should be easily handled by a 12V 4A power brick (with plenty of headroom), for example.

            bigjme93

            The case I was looking at is in the original post, I put hyperlinks to the majority of the parts but here is the link again: here

            It's just a small 1u case with dual 40mm fans - should be enough to cool this but again I'm open to suggestions

            Jamie

              messerchmidt

              I am an overkill kind of guy - good pick. Buy ECC RAM while you're doing it. I would go for a 256GB SSD for not much more

              for wifi AP, netgear r7000 AC1900 using ddwrt or tomato, add a cheap usb powered laptop cooler below to keep the temps down

              pick a switch

                whosmatt

                @bigjme93:

                The case I was looking at is in the original post, I put hyperlinks to the majority of the parts but here is the link again: here

                It's just a small 1u case with dual 40mm fans - should be enough to cool this but again I'm open to suggestions

                Jamie

                Oh, right, 1U.  I get these build threads confused sometimes.

                  bigjme93

                  OK so my network has crippled today and the Internet is pretty much unusable as it stands (wireless with no Internet, websites not loading)  so I think it's time to up my schedule a little

                  I'm looking to get this system on order next week so any more recommendations would be appreciated

                  I am aware the server case fans will most likely be as noisy as sin so I have found some noctua quiet fans that I can order if needed

                  The picoPsu's look good but are almost the cost of a 1u PSU in the UK (£20 at the cheapest) so I'm thinking I may just cause more issues due to power bricks and the horrible connectors that come with them.

                  Granted I will lose some efficiency from using a 1u PSU but for the sake of keeping things simple I think I'm going to grab one anyway

                  My main concern is the PSU noise as I am used to a silent system with a PSU fan that is turned off most the time. I've heard they sound like a jet engine but never actually used a 1u case or fans for comparison

                  Any comments on the PSU fan noise to expect? I can potentially see the need to replace the PSU fans

                  Jamie

                    Guest

                    CPU/Mobo: ASRock C2750D4I Avoton C2750 8 Core (here)

                    Supermicro C2758 mobo
                    pfSense SG-4860/SG-8860

                    Memory: 16GB Crucial ECC Unbuffered DDR3 8 GB 1600 MHz UDIMM (here)

                    It might depend more on how much traffic will be generated, but it is also good for:

                    • raising the mbuf size to 1000000
                    • raising the Squid RAM amount
                    • more RAM for all other usages (caches, RAM disks)
                    • DHCP & DNS entries must be stored to be able to cache

                    PSU: 320W 1U Flex ATX (here)

                    Too much in my eyes; a smaller one like the 160 Watt PicoPSU would be enough.

                    I am fairly sure i can install pfSense on the SSD and use the SSD for cache if needed but please correct me if i am wrong

                    This router will need to handle the following:
                    ipSec Site-to-Site

                    AES-NI would be more useful here to speed up the IPSec VPN part; the Supermicro C2758 comes with AES-NI!

                    OpenVPN - potentially

                    Only raw CPU power and cores count

                    Squid - potentially but not needed
                    DarkStat
                    Snort
                    Country Block

                    • firewall only & VPN 2 GB - 4 GB
                    • firewall, Squid 4 GB - 8 GB
                    • Squid, Snort & VPN 4 GB - 8 GB
                    • Squid, Snort, pfBlockerNG & VPN 8 GB or more

                    WiFi or WLAN APs would be better in my eyes as an external device, like:
                    - UBNT WLAN APs
                      - UniFi series
                    - MikroTik WiFi APs
                      - MikroTik RB953GS-5HNT-RP &
                      - MikroTik R11e-5HacT (802.11 (a/n/ac))

                      bigjme93

                      To my understanding the C2750 supports AES-NI? It's on the Intel spec page for it unless there is something the motherboard needs to do also?

                      I know the system has no quick assist but isn't it AES-NI that does the encryption for ipsec and OpenVPN?

                        Guest

                        To my understanding the C2750 supports AES-NI? It's on the Intel spec page for it unless there is something the motherboard needs to do also?

                        No, the C2750 (Avoton) does not support AES-NI; only the C2758 (Rangeley) supports AES-NI!

                        I know the system has no quick assist but isn't it AES-NI that does the encryption for ipsec and OpenVPN?

                        AES-NI is speeding up the VPN tasks for sure, IPSec more than OpenVPN, but Intel QuickAssist is able to compress or decompress data packets more and perhaps it will also be a gain for other things.

                          bigjme93

                          Not to argue but are you sure?

                          http://ark.intel.com/products/77987/Intel-Atom-Processor-C2750-4M-Cache-2_40-GHz

                          The last spec states AES-NI support for the chip?
                          And if the chip supports it then the system should surely?

                            Stugots

                            I'm very pleased with my current setup. Thought I'd share.

                            Firewall: PC Engines APU2C4
                            AP: Ubiquiti AP-AC-LR
                            Switch: Dlink DGS-1100

                            I admit the switch isn't the best, but they're kind/sorta managed switches that support gigabit and are very affordable.

                            PC Engines APU2C4

                              Finger79

                              I built an overkill pfSense setup in late 2013 for about $700 USD.

                              • 2U case (Rosewill?  Aren't too many good manufacturers out there).
                              • CPU:  Intel Xeon (Haswell) quad core @ 3.1GHz.
                              • Mobo:  Some SuperMicro server motherboard.  4 Intel i250 Gigabit NICs.  Separate IPMI port.
                              • RAM:  16 GB ECC Kingston DDR3 (Japanese Elpida chips).
                              • Storage:  64GB Crucial SSD I had lying around.
                              • PSU: Seasonic 80+ Gold.  Can't remember the output.

                              To this day, it's been overkill for my home setup.  The 16 GB of RAM isn't even close to touched.  The CPU isn't even close to utilized.  The machine idles at maybe 50W, possibly due to the case fans.  I'd like something that barely sips power (<10 Watts) and maybe go with fanless.  The 2U case is too big: I'd rather go with 1U next time or even a SOHO sized unit like the 4860 that isn't rack-mount.  It's hard to DIY for 1U unless you buy the case and mobo together (Supermicro?  Dell?)

                              To be fair, I haven't really fine tuned Snort or done much more basic firewalling and pfBlocker with lots of rules for malware C&C blocking (and Spamhaus DROP, Abuse.ch, and other IP block lists).  I just enabled FreeRADIUS for a WPA2-Enterprise EAP-TLS setup.

                              I plan on building or buying a lower power rig and migrating to that hardware.  The 4860 in the pfSense Store looks nice and has 6 ports, which would come in handy so I can have separate DMZ and Internal Server zones, WAN, LAN, Guest Wi-Fi, Dev/Test zone, etc.

                              But I don't need that much CPU or RAM.  Until the day I get Google Fiber as well as have some kids or something.

                              I'll use the current server for an OwnCloud build (and get another HDD or two).

                                Guest

                                • 2U case (Rosewill?  Aren't too many good manufacturers out there).
                                • CPU:  Intel Xeon (Haswell) quad core @ 3.1GHz.
                                • Mobo:  Some SuperMicro server motherboard.  4 Intel i250 Gigabit NICs.  Separate IPMI port.
                                • RAM:  16 GB ECC Kingston DDR3 (Japanese Elpida chips).
                                • Storage:  64GB Crucial SSD I had lying around.
                                • PSU: Seasonic 80+ Gold.  Can't remember the output.

                                With that hardware you will be able to use pfSense as a full UTM device! With Snort, Squid, ClamAV and pfBlocker-NG.

                                To this day, it's been overkill for my home setup.  The 16 GB of RAM isn't even close to touched.  The CPU isn't even close to utilized.  The machine idles at maybe 50W, possibly due to the case fans.  I'd like something that barely sips power (<10 Watts) and maybe go with fanless.  The 2U case is too big: I'd rather go with 1U next time or even a SOHO sized unit like the 4860 that isn't rack-mount.  It's hard to DIY for 1U unless you buy the case and mobo together (Supermicro?  Dell?)

                                • raise the mbuf size to 1000000
                                • increase the amount of RAM for Squid if it is in use
                                • set more RAM for RAM disks if in usage

                                Hold that machine and after a longer time you will be the lucky one of us!

                                To be fair, I haven't really fine tuned Snort or done much more basic firewalling and pfBlocker with lots of rules for malware C&C blocking (and Spamhaus DROP, Abuse.ch, and other IP block lists).  I just enabled FreeRADIUS for a WPA2-Enterprise EAP-TLS setup.

                                What about Squid & SquidGuard or Dansguardian and ClamAV and Snort?

                                I plan on building or buying a lower power rig and migrating to that hardware.  The 4860 in the pfSense Store looks nice and has 6 ports, which would come in handy so I can have separate DMZ and Internal Server zones, WAN, LAN, Guest Wi-Fi, Dev/Test zone, etc.

                                Please search the forum first for reaching full GBit/s over PPPoE if you use it!
                                But the unit looks fine to me.
                                Here is another one for ~$700 (Supermicro SYS-E300-D8)

                                But I don't need that much CPU or RAM.  Until the day I get Google Fiber as well as have some kids or something.

                                A powerful CPU able to drive pfSense as a full UTM and a lot of RAM, like 8 GB or 16 GB, will not be a bad thing. As I see it, it is more for long-term usage and for installing more packets if wished or needed some day, and if electric power is cheap where you are living it may be a real gain to go a long time with that setup! $700 : 120 months = ~$6 a month for a full UTM device is a really cheap price in my eyes!
