Netgate Discussion Forum

    Study for new build 1000/10

      Guest

      I have been reading and studying about a new build I will begin, but although I read almost all the topics about it, I still haven't made a decision.

      Some set ups are similar but each is also varying from all others depending on the installed packets, users, used protocols,
      client machines and so on and so on.

      Got Vodafone 1000/100 in December and realized that no matter what, my Sempron 3850 was unable to get past 800 download and got me full upload (105). Been flawlessly using pfSense for two years until now, previously on a 100/10 connection by coaxial.

      Are you using PPPoE?

      On pfSense when I engage in speedtests I see the CPU going to 100%, just like in system diagnostics.

      Sorry nothing to see from here, I mean no pictures available! Did you enable PowerD (high adaptive)?

      -Routing gigabit
      -UTM (Snort, Suricata, packet inspection, etc.)
      -web filtering and cache
      -still a margin for future packages
      -VPN for heavy torrenting of non illegal contents

      UTM might be something like: IDS/IPS (Snort or Suricata), Squid & SquidGuard, pfBlockerNG, ClamAV (HAVP),
      so each of these packets is narrowing down the entire throughput of the WAN speed. To know each packet before it is installed
      will be the best for us to tell you something that matches well.

      Budget is a concern, but I want a future proof of about 3 years at least.

      With the Intel Xeon E3-1230v3 you will be perhaps 5 years on the road and a refurbished one will be enough,
      it must be not a brand new one in my eyes. But then you get 4 real Xeon cores, 8 threads, hyper-threading,
      ECC RAM support and, against the consumer CPUs, a real 24/7 running fast system. From 3,2GHz - 3,6GHz
      this will be really doing all that you want to install and run.

      I took a look at the C2758 platform, but here in Europe (Portugal) some things have a bigger price than «normal» I suppose.

      With that you will not be getting the full 1 GBit/s at the WAN and together with the other installed packets you may lose more
      throughput than you can imagine now. I would be afraid to use that board. Perhaps a nice one for Untangle or your Sophos UTM!

      I plan on using a dual 1U chassis (with 2 ITX MB, one for pfSense and my more exposed LAN, the other with Sophos, for my more guarded «inner» LAN - and learning purposes).

      Don't do it, in some situations you will be happy with that or in a smaller amount of set up it will be a must be or the best way to
      go with, but here you will be only at home as I see it, is this right? Then let one be the firewall and one for a test lab or for playing
      around with it, but nothing more.

      My main question is about what CPU, but feel free to come forward with any other objections.

      Very old school and also perhaps expensive, but the Intel Xeon E3-1230v3 would be my main choice on that.
      Please don't get me wrong but CPU core is not the same as CPU core! There are differences between the CPUs
      for sure and an Intel Xeon E3-12xxv3 is at this moment the best way you can walk on, nothing beats that CPU!

        datum

        Thanks BlueKobold for your answer.

        As you said each pfSense is implemented according to each user's purpose, it is because the software is so robust and 'plastic', without doubt one of the best (the best for me :) ).

        1) I am not using PPPoE

        2) Yes, PowerD enabled, is there any other way to check CPU usage?

        3) Right now I have both Snort and Suricata enabled, but I will choose one of them, will install Squid & SquidGuard, pfBlockerNG, ClamAV (HAVP)

        4) My thoughts exactly, the only question is that if I can buy for 180 euros/dollars an i3 @ 4.0GHz, I could save 120 euros/dollars if I buy the Xeon. Refurbished ones cost slightly the same, and due to that, I prefer to buy a new one. I have not seen a 1230 below 250 euros/dollars. Maybe I must look further.
        The motherboard is server grade. I also believe there is something different in Xeon. The AM1 platform was a surprise, not server grade but rock solid.

        5) Been using Sophos as a transparent something. Without DHCP, just inspecting packages through a bridge. So exactly not as a router.

        Thanks again, cheers

          Guest

          If you are not using PPPoE perhaps out with the AM1 platform or the Intel Core i3, perhaps I mean!
          You should install all packets you will need and then do a measuring if that throughput will be enough for you then.

            datum

            Right now the consistent result is about 600-700 mb with all the packages running.
            Tried them off and apparently it only took a 5% hit in performance. Hardly noticeable.
            But the CPU is always at 100% when the test is done.

            This with a 4c @ 1.6.
            So definitely that's the bottleneck.

            I could go for the 5350, but as I said not sure about 400 MHz more.

              Guest

              Right now the consistent result is about 600-700 mb with all the packages running.

              What are the packets you installed?

              Tried them off and apparently it only took a 5% hit in performance. Hardly noticeable.
              But the CPU is always at 100% when the test is done.

              Did you enable:

              • PowerD (high adaptive)
              • mbuf size to 250000 or 500000 (4 GB RAM) or 1000000 (8 GB RAM)

              This with a 4c @ 1.6.
              So definitely that's the bottleneck.

              Could really be!

              I could go for the 5350, but as I said not sure about 400 MHz more.

              It could also be that your memory system was saturated. But a stronger CPU will be
              here the game changer as I see it right.

                whosmatt

                What are your NICs?  Having server class NICs could make a huge difference in CPU overhead if you don't already have them. (edit: NM, see that you do)  Also, there's now a 5370 available, 4 cores at 2.2GHz in the same thermal envelope.

                  whosmatt

                  @BlueKobold:

                  It could also be that your memory system was saturated.

                  That would not surprise me at all.  I'm also running AM1 and it's quite limited in memory speed as far as today's systems go.

                    datum

                    Hi, thanks to you all for the input.
                    Been testing the setup and I'm quite satisfied.
                    Wanted to try Kaby Lake at 180 euros before committing to a 300 euro Xeon.
                    Overkill but with some ponderation.

                    Got myself an i3 7320, that peaks at 4 GHz.
                    Put 4GB x2 of DDR4 RAM at 2133 in dual channel.

                    Bought also a 30 euro 32 GB M.2 (6gb) SSD.

                    Kept the 2.5 laptop HDD, but didn't notice any change due to the hard disk change as far as I know, and as far as speed goes.

                    I noticed the CPU never goes beyond 50% in speedtests, contrasting with my previous rig that went 100% all the way.

                    I kept Snort and Suricata (I know that keeping both at the same time is stupid, but I wanted to keep it like it was on the AMD 3850 machine).

                    The main thing is that the average test always gives me speeds above 800. With the AMD, above 750 was on a good day. With this i3 I get the bandwidth almost at the peak for what I am paying.

                    The money invested is equivalent to one year of monthly bills to the ISP.
                    In my opinion, I think it's worth it.
                    But I totally understand those who say that something cheaper (this is in no way one of the most overkill configurations) would get similar results.

                    Generally I feel more response from my network, but it is possible I might be biased.

                    In speed sense, although 200, 250 might appear a light improvement regarding the total 1000, I think it's worth it, especially if I need to upgrade the CPU for my needs, the CPU is exchangeable.

                    The ping suffered no change, 12ms.

                    Here the pics:

                    PS - forgot to mention one small modification, as a 2nd switch no longer an ex3548poe, but a cheap TP-Link smart switch with 8 ports. It got quicker, go figure.

                      whosmatt

                      Nice!  I'd have liked to see how far you could take the AM1 platform, but it's aging now and I can't fault you for not wanting to put more money into what would essentially be a dead end as far as CPU upgrades go.  I suspect you could have gone for the cheaper G4600 Pentium and still gotten satisfactory results.

                        datum

                        I am fan nº 1 of the now old AM1 platform.
                        My previous (and first) pfSense rig was built accordingly, that is, affordable, with good performance and low TDP.
                        The Asus board is super stable, and for a 500mb connection is more than enough.

                        For the gigabit realm another kind of muscle is needed.

                        You are absolutely right. G4400 would be more than enough. But I was rather curious about Kaby Lake, and it seemed to have very good TDP in idle, so I went for it.

                        As I said, Xeon was my plan, but money doesn't grow on trees and I chose i3. If I got a Xeon, my firewall CPU would be better than my main desktop PC. Seemed quite weird.

                        Besides help and feedback, I wanted to help share the idea that a cheap CPU can give the performance for these «new» gigabit speeds. Anyone planning an upgrade for a SOHO environment can go the Pentium way, or others more TDP friendly. Does not need to spend a fortune.

                        I was surfing Amazon and Newegg for Supermicro and ASRock boards with C2758 and D-1520 CPUs, but here in Europe they give a new definition to «pornography» when we talk about computer parts prices.

                        Got a server board (although Asus) with IPMI, it can be a security issue but gives me options for remote administration for about 180 euros.

                        4 GHz gives me a short future proof for IPS/IDS and AV.

                        The appliances selling at the pfSense store are top notch, would be my first option, but it is just my home network and I wanted to build it myself.

                        The AM1 CPUs are becoming scarce on amazon.es, amazon.de or amazon.co.uk.
                        The new 5370 is more recent but not near the performance of the newer cheap Pentium line.

                        Let's see if Ryzen brings any surprise.

                        I repeat once again, I am satisfied with this build.

                        The ISP guy that came to do the install of the service, last December, told me the fastest he had seen was 950 in a top rig of a gamer that had invested a fortune in his rig.
                        It's not a competition, but I'm able to squeeze 940 out of my connection, in a consistent way.

                        My next (planned dreaming) addition will be 10GB NICs, but only when I believe the high price being asked for them.
                        Maybe I get results closer to the 1000.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.