First pfSense box - Xeon build
-
From what I am planning on building, a ssd will be for the so, the 2.5 for cache.
I don't know if it's possible. Or preferably just standard hdd.
-
Hey everyone. Firstly, I must apologize for posting yet another thread about the same repetitive questions you have all seen for years! I have been reading for two days and it seems there is so much information on this board with so many opinions, it's really hard to figure out what to do. This will be my first pfSense box, but I am not a newb when it comes to BSD, or hardware. I have always believed in "future proofing" my builds for at least 5 years. With that said… I have a 200/200 line coming in on a standard cable modem but plan on upgrading to a 1/1gbit line in the future. I have decided I should just go for it and grab the equipment necessary to handle the full 1gbit up/down. I have very little information about the packages available on pfSense so far, but I would rather plan to use them, than not, and need them.
Nice, then you will know that each installed packet will narrow down the entire throughput of your pfSense.
So it might be better, if you are not holding any kind of spare parts in your hands now, that you think a second time
about all that. The Xeon is only 2 cores and is really only around 2.0GHz; that might be fine for 1 GBit/s at the WAN
interface, but together with all installed packets it might not be enough, as I see it.
TLDR; Looking to build 1gbit up/down with multiple packages enabled and a couple openVPN's.
You might be able to walk down the road with two CPU cores like the Intel Core i3 is offering, but if it comes to
many packets I would bet on 4 cores! Something like an Intel Xeon E3-12xxv3 (4C/8T) @3,2GHz might be
the best bet these days and nothing else will beat it. It saves much more power than the consumer CPUs
and delivers really strong horsepower. Regarding the OpenVPNs, you should think of a quad core CPU with
HT if this is a main concern of your build.
-looking at an Xeon E3 1220L (I have looked around, and it seems the single thread score on the V2 is lower than the original V1 it seems?) http://www.cpubenchmark.net/compare.php?cmp%5B%5D=2183&cmp%5B%5D=1197
-I am having a very hard time finding a capable Mobo in mini ITX form.. Any suggestions would be greatly appreciated. This is the only one I could find. http://ark.intel.com/products/59046/Intel-Desktop-Board-DQ77KB
Do you own these two spare parts (CPU & MoBo) or are you trying to buy them?
-The onboard NIC's are:
LAN Chipset: Intel 82579LM
Second LAN Chipset: Intel 82574L
I would give them a try first and then you might be able to get newer one(s) if really needed
Would you recommend getting a i350 pciE? I would much rather just use the dual intel NIC's if I can, but only if they will be efficient enough to handle the load. I have a feeling adding the Ethernet card will also cause problems with the small form factor.
Intel PRO/1000 PT Quad Port adapter
Intel I350-T2 (dual port) or i350-T4 (quad port)
pfSense shop low profile and Quad Port NIC based on Intel i350
Please note that all three cards will be PCIe 2.0 x4, and so the mainboard should also be sorted with that
slot to let you install a card such as this!
-I would also like a few recommendations for some small form factor cases
Mini-ITX cases without any PCIe slot:
M350, Supermicro SC101i
Mini-ITX cases with a PCIe slot:
M300, Silverstone ML07 (SST-ML07B), Casetronic C137
If anyone has other suggestions, I love the knowledge, so have at it!
I was not able to get out of your writing whether you want to buy that equipment or you have bought that equipment already.
My personal choice would be;
- ASUS Q87T + Intel Xeon E3-12xxv3
- Jetway NF952-Q170 plus any CPU >3.0GHz
Each of them is offering you a totally different way to go, but also lets you walk on the mini-ITX road, like you want.
One is coming with enough Intel based NICs and the other is able to hold a real PCIe x4 card if needed!
One is able to take Intel i3, i5 and i7 and the other a really wide variety of CPUs up to a Xeon E3-12xxv3 after a BIOS update.
But all of them would be fine to route 1 GBit/s and let you install all packets you need and want.
-
Thank you so much for the detailed response. I do currently have a 1220L already(v1). I also have a 3770K that is much faster and uses a lot more power. I don't know where I got the idea that single thread rating meant more than a total rating when it came to pfSense. Either way, the v3 and v1 are all neck and neck on passmark rating so I am unsure how it won't keep up? I will check out your recommendations for mobo/CPU combos for sure!! Any suggestions for an SSD or does it not matter, just a reputable brand?
-
Thank you so much for the detailed response. I do currently have a 1220L already(v1).
Ah, ok, this was not clear to me! Intel DP77KB: I can't see that the Xeon is supported, and there is no ECC RAM support either!
Any suggestions for an SSD or does it not matter, just a reputable brand?
One of the boards is able to hold an mSATA and another miniPCIe slot for a WiFi card!
The other one is able to hold "only" a miniPCIe WiFi card. Usually it would be good to
go with an SSD that has TRIM support. Intel, Crucial, Samsung, OCZ, Transcend,…
-
Intel and Samsung are the most reputable brands.
However, running pfSense is not going to stress the device, so just get something that's affordable. However, if the price isn't too big between diff models, e.g. in my case I could have got a 30 gig ssd instead of 60 but was less than 5% cheaper, so I got the 60.
Pretty much any modern ssd nowadays should support trim and wear levelling technology.
-
@BlueKobold:
Thank you so much for the detailed response. I do currently have a 1220L already(v1).
Ah, ok, this was not clear to me! Intel DP77KB: I can't see that the Xeon is supported, and there is no ECC RAM support either!
Any suggestions for an SSD or does it not matter, just a reputable brand?
One of the boards is able to hold an mSATA and another miniPCIe slot for a WiFi card!
The other one is able to hold "only" a miniPCIe WiFi card. Usually it would be good to
go with an SSD that has TRIM support. Intel, Crucial, Samsung, OCZ, Transcend,…
I did verify it's supported via the Intel web page. For 130 dollars I can put the 1220L to work and see how it runs. Can't hurt I guess. I have never been opposed to building multiple systems so I will for sure try another with the v3 of the 1220L
-
From what I have been reading, it seems that if you plan on running snort, few cores with higher Ghz is preferable to more cores chips.
Also good, if I understood it right, for traffic consisting mainly of small packets, inspected by snort.
-
I'm liking the idea of that jetway 8 port mobo for 6th gen processors
Should I go for an i3 6100T or…
-
From what I have been reading, it seems that if you plan on running snort, few cores with higher Ghz is preferable to more cores chips.
Also good, if I understood it right, for traffic consisting mainly of small packets, inspected by snort.
Suricata is multi-threaded; Snort will be in some time as far as I know, or perhaps it has already happened by now that it is multi-threaded,
so many things in pfSense are changing at this time. OpenVPN is also multi-threaded since 2.3, and so it might be a game changer
to own a CPU with more CPU cores, but at the moment you will not be getting much benefit out of it, and so it might be best, to also be future
proof, to get a strong and powerful CPU with a higher CPU frequency (GHz) paired together with some more CPU cores too!
So you will be getting the best results now and in the future! And with an eye on power saving options it might be best
to get an Intel Xeon E3 with 4 cores and 8 threads (HT). Currently one of the best options as I see it; others might see it differently, and
for sure a cheaper Intel Core i3 could also be an interesting platform. And if AES-NI is also on board it might be a long-running box.
I'm liking the idea of that jetway 8 port mobo for 6th gen processors
Should I go for an i3 6100T or…
Would be a stronger system together with AES-NI and more GHz as I see it, and so the 1 GBit/s will be even reachable for you.
I did verify it's supported via the Intel web page. For 130 dollars I can put the 1220L to work and see how it runs. Can't hurt I guess. I have never been opposed to building multiple systems so I will for sure try another with the v3 of the 1220L
Ok, if the 1220L will work on that board I would suggest giving it a try, for sure this makes sense to me.
- Intel DP77KB
  Now only the right matching case will be the question
- mSATA 32 GB or 60 GB or 120 GB (transcend)
  16GB for plain install, 32GB for Snort, 60GB for Snort & Squid and 120GB for more users, services, HotSpot, Squid, Snort,…..
- 2 x 4 GB RAM (fastest the board will support, please) (DDR3-1600 in your case)
  Often the CPU is not saturated but the memory system is! And with 8 GB you will be able to raise the mbuf size to 1000000
- Intel PRO/1000 PT refurbished or a refurbished Intel i350-T4 would be my personal choice here
  Often able to get for ~$50 or ~$120 so the pfSense Shop NIC in low profile format could also be interesting
-
@BlueKobold:
Thank you for your post! In order to boost the processing power of this new box, I am able to get my hands on an E3 1265Lv2 for a very very good price. I would assume it's quite powerful enough, right?
-
Thank you for your post! In order to boost the processing power of this new box, I am able to get my hands on an E3 1265Lv2 for a very very good price. I would assume it's quite powerful enough, right?
I'd rather have something like a 3.5GHz kaby lake i3 or pentium for the listed requirements. The improvements in the crypto processing in the latest intel processors and the better single thread performance will count for more than the extra cache and cores. If you've got your heart set on an E3, skip the L variants and get something clocked higher (and I'd personally get something newer than an ivy bridge).
-
So I just purchased a bunch of the accessories to go with this. A ubiquiti AP pro, ubiquiti 8 port managed edgeswitch, and all the parts to move forward with using the older e3 1220L. I will be picking up a 3770T soon which should undoubtedly be more than fast enough and has AES-NI. Although some of you say grab a newer top of the line Intel and everything to match it, this 4 year old technology is well within its limits of pushing 1gbe IMO. I don't foresee pfSense outgrowing this equipment's capabilities within the next 5 years.
Total setup:
I7 3770T
16 gigs of corsair memory
120 GB 850 msata
Intel thin mini itx DQ77KB
Silverstone pt13D case (looks fantastic!)
Silverstone NT07-115X cooler
Also picked up an arris sb6190
-
E3 1265Lv2
Get it! It scales from 2,5GHz to 3,5GHz and has 4C/8T (HT) and AES-NI on top too.
Silverstone pt13D case (looks fantastic!)
If this is the Silverstone case where you want to put out the extra NIC with 2 or 4 Ports?
-
Also picked up an arris sb6190
Might want to see this:
https://www.dslreports.com/forum/r31079834-ALL-SB6190-is-a-terrible-modem-Intel-Puma-6-MaxLinear-mistake
-
Also picked up an arris sb6190
Might want to see this:
https://www.dslreports.com/forum/r31079834-ALL-SB6190-is-a-terrible-modem-Intel-Puma-6-MaxLinear-mistake
Thank you! I have canceled the order for that. I assumed from all the great reviews of the smaller model that this one would excel. Do you have a suggestion?
@BlueKobold:
E3 1265Lv2
Get it! It scales from 2,5GHz to 3,5GHz and has 4C/8T (HT) and AES-NI on top too.
Silverstone pt13D case (looks fantastic!)
If this is the Silverstone case where you want to put out the extra NIC with 2 or 4 Ports?
I don't need them to be honest. That's why I picked up the edgeswitch. What benefit is there to having them? Is there a specific configuration that you are referring to?
Thanks everyone for the knowledge and opinions! I love it. Keep it coming
-
Can someone please comment on my above comment? About not needing the extra ports. My whole system was designed around using the edgeswitch in it. Are there major benefits to hook up an AP or PC directly to a pfSense box?
-
Thank you! I have canceled the order for that. I assumed from all the great reviews of the smaller model that this one would excel. Do you have a suggestion?
I don't, off the top of my head. I just switched from cable back to vdsl (slower speeds, but unlimited data) and have sidelined my cable modem. I was running a Zoom 5370 (16x4) that worked like a champ, but you'll have to do your own research for 24 or 32 channel downstream DOCSIS 3 modems. Just wanted to make you aware of the ongoing issue. It's not just the 6190; any modem with the Intel Puma 6 chipset is affected. Look for one with a Broadcom chipset if you need that many channels.
-
So all my parts have arrived. Going to be building my new box soon here. Going to try with the e3 1220L for shits and giggles. I want to benchmark it with a VPN running, snort and squid I think. Can anyone point me in the direction of a good guide on accurately testing throughput?
-
I am rather curious because I am also planning on a build based on a xeon.
Please post your progress. Thanks
-
So the box is up, configured and paired with an 8 port Edgeswitch. I have an openvpn server running already, snort installed and I have run some tests. Everything seems to be fantastic from what I can see. Throughput of 940MB/s with snort and all. Haven't tested through a VPN yet though. On a side note, I have link aggregation set up from a FreeNAS box and my Edgeswitch and I was running some tests on that as well. Here are my results.
Interface      Traffic         Peak            Total
lagg0   in     232.836 MB/s    233.663 MB/s    80.145 GB
        out      5.025 MB/s    121.171 MB/s     9.453 GB
em1     in     115.722 MB/s    116.433 MB/s    50.142 GB
        out      3.949 MB/s     22.756 MB/s     3.619 GB
em0     in     117.335 MB/s    117.338 MB/s    30.032 GB
        out      1.075 MB/s     80.398 MB/s     5.835 GB
Fully saturated 100% across both connections.
Obviously, this isn't even doing anything to pfSense though, as it's running all through locally via the switch. Due to only having two NICs on the pfSense box, the only way I can test my throughput of pfSense is to do a makeshift configuration with a computer connected to the WAN and another connected to the LAN.. unless I'm missing something :)
Question/verification.. Snort only watches the WAN, correct?