Parts for building router for Gbit speeds
-
i5 @3.2ghz+ (the skylake non-k) cpus can be overclocked
16gb ddr4
120gb ssd
It is common on here that when someone asks for hardware recommendations for gigabit WAN to recommend they buy a router that is much faster than the average desktop computer.
The hardware recommendations are generally about the same whether the user wants to use a lot of packages & VPN or just the very basic features of pfSense (like you).
It might be true, but I doubt it because it just doesn't make sense.
I suspect that the reason for this is because like you stated most people don't report back with their actual performance once they buy hardware. Until that starts happening people will keep recommending heavy duty CPUs to NAT gigabit WAN, even for home use, even for no packages.
There is sense in why this happens though, if someone gets recommended underpowered hardware and it doesn't work out they are liable to lose their minds because they wasted money and it didn't do what they wanted.
If someone gets recommended to buy a little supercomputer to NAT gigabit WAN, buys it and surprise surprise it works. They still wasted their money, but at least it worked.
I suspect that this can be done with a modern passively cooled celeron, but I'm also not in the IT or networking profession so you can take my opinions with a grain of salt.
Thank you for reporting back with your findings! It is very helpful for future users to know that:
- Celeron XYZ works for full gigabit w/ NAT only & light firewalling @ x% CPU
- Celeron XYZ maxes out at XXXMbps w/ NAT only & light firewalling
- Xeon XYZ works for full gigabit w/ NAT only and light firewalling @ x% CPU
- Xeon XYZ works for full gigabit w/ NAT only and light firewalling @ x% CPU
- i5-XXXX works for full gigabit w/ X packages and Y firewalling @ x% CPU
- etc.
Basically all the feedback you can give on the forums will be invaluable, not many people have gigabit WAN to test hardware out on!
The i3[-6320 @ 2x3.90GHz w/ HT disabled] is holding up quite well… ...I get around 980Mbps down and around 975Mbps up. Total WAN to LAN throughput landing on around 1890Mbps... ...But one thing doesn't work well. I have turned off HT on it. When several units were online the CPU used HT threads and not the physical cores and that dragged the throughput down a lot.
But still I can't use the whole CPU. With HT on I get really bad performance
This is great feedback, thank you! Can you share what kind of system usage you're getting when the system is under load on WAN, LAN, WAN & LAN?
How many clients is this supporting?
It's valuable to know that you were getting gigabit with only 2 cores.
The more detailed info you can share the better! ;D
-
-
not many people have gigabit WAN to test hardware out on!
new users can test their new rig before using by connecting WAN inside existing (or easy to create) 1GbE LAN. imho this should be done always, if not speed testing, it's kind of part for burning in router, including letting network interface to run fullduplex 24/3 (via iperf or some P2P disk speed).
this is what i did and still do with H270M-ITXac + 7100T (#10, #12, #16 on that thread) i just cannot afford to put this router in prod while untested and unconfigured 100%. haven't gotten to snort yet (and surely will report back on that thread) but, hey, i3-7100T as for now gives 1GbE for "normal" traffic without a drop, which shows that cheaper Pentiums do also (does not have AVX2 though). /ranting
one could argue, that testing means much hardware, time and effort - sure, but what environments pfsense is for then? plug and play at home? if one does not have hardware or time to test such router, does he/she actually need x64 based monster or should stick with OpenWRT on high-end-consumer TPLINK? i have deployed real time network intensive installations (basically never ending TCP & UDP stream) 24/7/200 interactive w/ all traffic through OpenVPN on the latter. subjectively, OpenWRT performs on not-the-cheapest TPLINKs (~60 EUR) really good.
-
not many people have gigabit WAN to test hardware out on!
…does he/she actually need x64 based monster or should stick with OpenWRT on high-end-consumer TPLINK? i have deployed real time network intensive installations (basically never ending TCP & UDP stream) 24/7/200 interactive w/ all traffic through OpenVPN on the latter. subjectively, OpenWRT performs on not-the-cheapest TPLINKs (~60 EUR) really good.
That's good to know about the testing on LAN!
For myself, I started looking for an alternative to SOHO routers because my wife kept calling me telling me that the internet was down on our Archer C2 with a 15Mbps connection on a very small home network doing not much of anything. She had to unplug it and reboot several times a month.
I looked into DD-WRT, but it carries the risk of bricking your router. I don't know how high it is but it was a small deterrent. I also was occasionally using VPN's while travelling but was annoyed with having to connect and disconnect it on each client I wanted to use it on. So I liked the idea of VPN on my router providing the service to a whole network all the time, and even high end SOHO routers are not great at this, and they cost nearly $300.
That's how I came around to pfSense, it was much cheaper than a high end SOHO router, is dramatically more capable and carries no risk of bricking my device. My Archer C2 has performed without a hitch as an AP.
All that to say that there are reasons to choose pfSense over DD-WRT, Open-WRT, Tomato, etc. Cost and risk of bricking being the two that stand out for a home user. All of that goes out the window when people start recommending ix-core CPU's, Xeons, etc. for home users. (Gigabit is a little different but it's looking more and more like modern passively cooled celerons can NAT @ gigabit speeds).
-
this is really going offtopic. i quickly went through my memories and have to say have flashed, reflashed routers with Open/DD-WRT more than few hundred times. flashing since late 2000's. just last year i have reflashed about 30 routers for different project needs. it is the very first thing i do to any router that has been bought for project needs (this is a way we can strip down networking costs - take consumer grade router that is supported or known to work, flash it) or any personal needs (friend asks for advice, i recommend something that can be flashed and immediately do it). i have never ever bricked one of them through last 10 years. but i always choose only linksys (ah, the infamous wrt56gl @ mid last decade) or for past ~5 years always TPLINK (TL WDR3600 w/ Atheros @0.5Ghz being bang for the buck)
-
Many of new users are seeing mostly and only that there are some packets available to install on their pfSense box, but in real life if they are installing IDS, (Snort or Suricata), a proxy (Squid), Antispam (DansGuardian) and AVScan (ClamAV) we are talking then about a fully featured UTM device that should be delivering at least nearly 1 GBit/s at the WAN port!
What do you think you must pay at SonicWall or Sophos for their SG or WXA series to get 1 GBit/s out after the AVScan? Then we are in the 1000 - 2000 Euro region or area and the license fee must be counted on top of this, so in my eyes to get one real GBit/s at the WAN for a pfSense firewall only must not be paid so hard for sure, but installing all packets together with 1 GBit/s at the WAN will be also not on the same stage as a lazy ~$60 router that is only doing SPI/NAT!
Where is there the captive portal and all the other packets available to install? So it might be pointed to many things and not only to one or two points in that game here, as I see it right, or am I wrong now?
For a guy in Hong Kong with 1 GBit/s FTTH fiber connection without PPPoE this set up is working great for ~360 Euros and delivering ~936 MBit/s as throughput in total to the LAN and this absolutely silent!
- Jetway NF9HG-2930 ~$200
- M350 mini-ITX case ~$50
- 30 GB mSATA SSD ~$50
- 8 GB DDR3 RAM ~$40
- PSU ~$15
So for sure if this might be all (firewall & VPN) this unit will do the job a bit longer as I see it right and together with a Radius Server, Captive Portal and OpenLDAP server it might be offering a really good matching security to smaller networks.
-
deliver solid 1Gbit both ways with NAT and some basic Firewall options that are found on standard routers
The OP stated that he doesn't want any of those things.
Also, that's a €355/$380… for a celeron.... that's three years old. Horrible recommendation IMO unless the user absolutely must have SFF and is willing to pay a lot for it.
-
The OP stated that he doesn't want any of those things.
He wants 1 GBit/s at the WAN in both directions and some basic firewall rules. SPI is done in another way inside of pf (packet filter) and NAT is done in another higher stage inside of pf (packet filter), so what is now your problem? And where I was not hitting the goal? This is an industrial board from Jetway with support to 2019 and all is solid rocking soldered on the board, only the RAM and mSATA must be inserted in! No turning parts, silent and quiet running and no used consumer parts from eBay!
- 4 Intel NICs
- max. 8 GB RAM
- industrial grade of hardware
- Achieve 1 GBit/s without PPPoE
Also, that's a €355/$380… for a celeron.... that's three years old.
If you use amazon.com you will be able to get it right for something around ~$320 as I was seeing it right today! And it is delivering the asked throughput (without PPPoE) and no consumer parts.
Horrible recommendation IMO unless the user absolutely must have SFF and is willing to pay a lot for it.
Here in Germany the APU2C4 (as a bundle) and this Jetway Board (for more speed & packets) are the best running both units on the market and for sure more often used than refurbished consumer parts from the (e)Bay. Nothing fancy but solid running and strong enough and on top silent without turning parts.
-
This really got a bit sideways :) But it is going back on track, sort of…
I have 4 PCs now, and if I use all of them on the network the CPU usage pending between 26 and 35%. This is on WAN to LAN usage. I will do more testing and tweaking and I hope to lower this usage.
This is a bit offtopic, but I think it has a part of this as well. I am a bit worried about the upcoming LAN event I will host. Some tests I did between 2 PCs with 10Gbit cards had a really high CPU usage. One machine has an i5-3550. The other one has an i3-4130 and it's really having problems to get 10Gbit speeds. Both up and down won't go over 4Gbit. After much tweaking I got maxed out at 5.8Gbit and the CPU usage on the i3-4130 is 100%. If I switch from the i3-4130 to i5-6400 or my new i7-7700 I get 10Gbit speeds. I checked for answers all over the internet and I find some interesting stuff here. To keep it simple, 2 Windows 10 clients on 10Gbit need 4 cores, and these will have a high CPU usage when going full 10Gbit! This got me to think and wonder over a lot of things.
Here are a few questions I have.
1: Does this apply to DIY and prebuilt pfsense rigs as well?
2: Is there any performance info on DIY pfsense rigs compared to prebuilt ones?
3: Does a prebuilt pfsense box have benefits in performance and hardware over DIY ones?
Do I need to elaborate here, or are you all with me on where I am going with this?
-
-
I have 4 PCs now, and if i use all of them on the network the CPU usage pending between 26 and 35%. This is on WAN to LAN usage. I will do more testing and tweaking and i hope to lower this usage.
Thank you very much! Does that CPU usage change much between 1 & 4 clients? Is that utilizing the full potential of the WAN?
This is a bit offtopic, but I think it has a part of this as well.
It is your topic my friend! ;)
I am a bit worried about the upcoming LAN event I will host. Some tests I did between 2 PCs with 10Gbit cards had a really high CPU usage. One machine has an i5-3550. The other one has an i3-4130 and it's really having problems to get 10Gbit speeds. Both up and down won't go over 4Gbit. After much tweaking I got maxed out at 5.8Gbit and the CPU usage on the i3-4130 is 100%. If I switch from the i3-4130 to i5-6400 or my new i7-7700 I get 10Gbit speeds. I checked for answers all over the internet and I find some interesting stuff here. To keep it simple, 2 Windows 10 clients on 10Gbit need 4 cores, and these will have a high CPU usage when going full 10Gbit! This got me to think and wonder over a lot of things.
Here are a few questions I have.
1: Does this apply to DIY and prebuilt pfsense rigs as well?
2: Is there any performance info on DIY pfsense rigs compared to prebuilt ones?
3: Does a prebuilt pfsense box have benefits in performance and hardware over DIY ones?
Do I need to elaborate here, or are you all with me on where I am going with this?
10Gbit LAN is a totally different ball game. What were the tests you were using?
I would imagine that 10Gbit WAN would be very resource intensive, but wouldn't know. I would have thought 10Gbit LAN would more or less just need good 10Gbit NICs and a good 10Gbit switch? I've read that Intel is actually not necessarily the best in town for 10Gbit NICs yet, it sounds like Chelsio is the winner in that category for now but I couldn't expound on that at all and it may not even be true anymore.
Performance wise the pre-built boxes sold by pfSense don't have any edge over DIY, you could buy and build the exact same specs yourself if you wanted to. Generally speaking you will get a lot more performance for your money DIY than prebuilt.
pfSense is exceptional at running on old used hardware and still providing features previously only found in very expensive industrial grade equipment.
What the pre built pfSense units do have is a stamp of approval that they will work as intended for the rated specs and they come with a year of support from the pfSense team!
These things are very valuable if you are applying pfSense in a professional environment to a paying customer.
They can also be very valuable if you are looking to learn pfSense as you get a year of Gold access.
It's up to you to decide if it's worth it to you or not for personal use, the prebuilt hardware absolutely has advantages but they won't necessarily be any faster than what you can build yourself. In fact you can very likely build a much faster unit for less money if that's the only goal.
@BlueKobold:
The OP stated that he doesn't want any of those things.
…industrial board from Jetway... ...soldered on the board, only the RAM and
mSATA must be inserted in... ...no used consumer parts from eBay!...no consumer parts...
You are likely an IT Pro and probably a very good one. You make great hardware recommendations for other IT Pro's, but you don't seem to adjust your recommendations for non-professional environments.
You place a lot of value in "industrial" equipment. You're right, it's better but it's also a lot more expensive. That would be warranted if pfSense were known to have issues with pieced together hardware, or if it were common for used consumer grade to crap out.
But pfSense works great on cobbled together machines, and while sure used consumer grade parts do occasionally crap out, it's not common and if they do, it's cheap to replace.
With so many people successfully running pfSense on cheap used consumer grade hardware for years on end where is the sense in recommending they pay a lot more for premium stuff? You could also buy industrial grade SLC USB flash drives for $40/GB and it would be a lot better than the consumer stuff but where is the sense in that for a consumer level application?
You recommend great stuff but you aren't matching your recommendations to the use case. Money matters to people.
-
Sort of… With 1 client running hard the CPU usage is around 11%. I think it is quite high usage, but then I do have fast internet. I have not checked out the usage when 2 or 3 clients are going on a rampage on the network and internet. And yes, I was utilizing the WAN 100% when I checked the CPU usage on 4 clients. I just noticed that I haven't checked the RAM usage yet. So I overlooked that. But 8GB would be more than enough.
And here is what I was thinking on the performance on 1Gbit vs 10Gbit test. When this box is driving the upcoming easter lanparty, it will have around 50 PCs on it. And games today are internet based. Almost no new games run local TCP or IPX. And with so many PCs pushing both games and a lot of other stuff on the internet it would be a lot of stress on the CPU. So I figured that a quick speedtest on 10Gbit would give a clue on how hard many clients would impact. But I also see why this isn't applicable here. A big miss from my side. Got sidetracked by my own hype here
But compared to the prebuilt boxes my machine would handle a high number of clients quite easily. I will know this for sure when the LAN is up and running.
When I tested the Intel X540-T1 NICs it was both small files and big files up to 40GB each in ordinary Windows file transfer. No programs used. These cards are for an upcoming project that is pure fun and has no other purpose than that :) But it would be quite nice to use these. But the high CPU usage when transferring files doesn't feel great.