Hardware upgrade required or not?
-
Yeah I peeked around out of curiosity, it's a rough market for hardware.
This is about the best deal I found. It will probably get similar (non-VPN) performance to a J3355, but with way more power draw, and it's got a fan that's probably loud, and the quality might be questionable….
Still though, if that's the market you have to buy it looks like you could get a J3355, and a stick of DDR3 SO-DIMM 204 pin RAM for less than the builds you posted.
Honestly if I had to buy in that market I would build a DIY computer case for my router (I still use ten year old cases for my stuff). www.recomputepc.com actually sells computers in pretty cool DIY cases.
Another thought since the market there is so damned expensive.
A 50/5 line with snort, squid and light experimental VPN usage will not stress a J3355.
Both J3355 & i340 support virtualization.
VMware is free for personal use.
You could virtualize pfSense and something else in order to get maximum utilization out of your purchase.
The J3355 just so happens to have top-tier hardware video decoding, if that is of any use to you?
You could also run some type of server, TrueOS, a NAS, a normal desktop instance of Linux or TrueOS?
Just trying to think of ways you can get the most bang for your buck when everything is 3x as expensive.
-
Well if you don't want to buy new hardware then I don't think you'll have any trouble doing what you described on your current setup.
Yes he will. Before my P4 setup died it was maxing out the CPU and RAM and hitting the page file with a 3/1.5 connection and no VPN, running Snort and pfBlockerNG.
P4 was a very broad range of CPUs. At least OP's CPU is dual core (not hyperthreaded) as far as I can tell. I'd at least give it a shot.
-
Good point, worst case scenario is the CPU maxes out and you turn off snort, squid & suricata.
Another thought that hopefully others can chime in on.
Since you are in a very expensive market, making it even more critical to get the most bang for your buck, I'm thinking Suricata might be the better choice for you. It supports multiple cores whereas Squid does not.
My first thought is that anything that can help to more efficiently utilize whatever resources you have available is worth doing.
But I don't know if Suricata is more or less resource intensive than Snort?
And I don't know if a P4 would have any issues with multithreading programs?
-
And I don't know if a P4 would have any issues with multithreading programs?
That's the thing. There were so many different processors under that family. There are single core 1.6GHz CPUs that are total dogs. There are 3GHz CPUs with hyperthreading. And then there are the Pentium D, which is what I think OP has. Those have 2 real cores at 2.8GHz. Not world beaters by today's standards, but certainly much better than a single core 1.6GHz model, and MUCH more capable with pfSense. This is my assumption, that OP's "Intel Pentium 4 D820" is this: https://ark.intel.com/products/27512/Intel-Pentium-D-Processor-820-2M-Cache-2_80-GHz-800-MHz-FSB
Should note that if that is indeed OP's CPU, it supports 64 bit meaning it can still be relevant with the newest builds.
-
I really don't mind if the cases are old or new; I was just looking for small cases and compatible motherboards, and the PT-13 was something I liked, that is all.. In fact I was thinking of going for a mATX board, which tends to come cheaper, but then again they are all non-integrated chips and so fan sound etc.. The problem with DIY cases and me is that I never tend to finish them; it's been like that since my teen days.. ::)
But to be frank, the case is not my major issue. It's just noise, and since I tend to keep playing around with the router, i.e. with firewall rules and other things, I tend to mess it up, and to recover fast I need to access it, so I don't want to keep it somewhere far off in a closet or something to avoid the noise..
Regarding virtualization, I have gone this route. In fact I bought the quad-port NIC specifically for this reason..
I currently have a very decent home server for NAS and virtualized Windows/Linux OSes, using UNRAID for this purpose, simply because it's been hassle-free to get a VM for gaming with GPU pass-through.. If I didn't have to have gaming then Proxmox would be my favourite hypervisor. And pfSense on Proxmox, at least the basic functionality, was just too simple and easy, though I had issues initially (learning). I never got around to getting Snort or the others to run, simply because I need gaming to work (I'm just a casual gamer but it's my only stress breaker)..
On UNRAID it was a problem, simply because the array at times started giving problems and then I needed to stop and start the array, which made the VM (pfSense) go down, which meant going under the table reconnecting cables and figuring out the issue, during which the router would be down. Since I use pfSense as my primary router it had an impact at times. This was the only reason I decided to start playing with an old PC and am now looking for a new one..
I was even considering getting an EdgeRouter and running pfSense as a VM for firewall/Snort/Squid etc., but was not sure if that made sense..
But yes, the J3355 looks the best of all options..
P4 was a very broad range of CPUs. At least OP's CPU is dual core (not hyperthreaded) as far as I can tell. I'd at least give it a shot.
I may be wrong about having a P4.. I just checked again and I have a Pentium D 820.. and the board does not support anything more powerful than I already have, I think.. Also getting hold of DDR RAM is quite impossible..
P.S.: Does Snort affect throughput drastically?
-
You can get fanless SoC on microATX, both the J3355 and J3455 are offered on microATX.
Note, I don't keep mentioning those two CPUs because I think they are the only option out there. In the US they are very cheap, but if there's something cheaper in your area by all means go that route.
In your case I agree with matt, at least try your current setup and if it doesn't work then look into buying.
If you must buy then try to buy the cheapest thing that will do what you need.
Yes, any IDS/IPS will be a big hit on throughput. By using Snort or Suricata you are now not only routing all of your packets but inspecting them and then comparing their contents to a bunch of signatures. Just like firewalling, the more rules/signatures you are comparing traffic to the more work your CPU has to do.
-
I may be wrong about having a P4.. i just checked again and i have Pentium D 820
The Pentium D is basically two P4 CPUs on a single socket.
-
Thanks for correcting me.. I got the timelines messed up; I assumed the P4 came after the Pentium D..
I see that you're using ESXi.. How do you find it? I mean, was it easy to set up? And if you're using the free version, what are the limitations? I just can't seem to get concise data. I know it's not the correct forum but I was curious.
That is the idea.. I am going to try and figure out what can be done with my current setup and its limitations.
Never knew about Suricata..
Based on a crazy idea I have now, can pfSense act as a firewall on the LAN, but on WAN output?
I mean: modem -> Standalone Pfsense(P4) -> Realtek MB port -> VM Pfsense( for squid/VPN/suricata) -> Intel single port NIC card -> L2 Switch(with vlan support)
I know the idea is to have IDS/IPS on the WAN port, but I was just thinking.. :P
Never thanked you guys for the inputs..
@Jailer, @pfBasic, @whosmatt
Thanks
-
Based on a crazy idea I have now, can pfSense act as a firewall on the LAN, but on WAN output?
I mean : modem -> Standalone Pfsense(P4) -> Realtek MB port -> VM Pfsense( for squid/VPN/suricata) -> Intel single port NIC card -> L2 Switch(with vlan support)
Hm, I'm not really sure what's going on here? Do you mean having two physical pfSense boxes? The "Standalone Pfsense(P4)" and a separate box hosting a "VM Pfsense( for squid/VPN/suricata)"? I don't think this is what you mean but I'm having trouble following.
Also, where did the i340 go in this configuration?
Realtek is never recommended, if you can at all avoid it just don't utilize your realtek NIC. However, knowing that you are not in a conducive market to just cheaply buy hardware; if it is unavoidable then at least try to put it as far downstream as possible.
Maybe post a list of all of the hardware that you have available to you, and a description of what exactly it is you are trying to accomplish with the above configuration.
Never thanked you guys for the inputs..
@Jailer, @pfBasic, @whosmatt
Thanks
You are very welcome, this is a great community and it's enjoyable contributing to solve problems and make pfSense more useful for more people!
-
I have 2 systems right now.
System 1>
Old PC (Pentium D) which is running pfSense.
System 2>
Home server for NAS/media server/gaming etc.
Intel Xeon E3-1246 v3
32GB RAM
8TB HDD
AMD RX480 GPU
Currently running UNRAID on this. Tried pfSense as a VM here but it failed, since if a hard disk issue comes up the array stops and the VMs go down.
Tried Proxmox; pfSense worked properly, but I could not get a few other things working so I returned to UNRAID.
Need to try ESXi..
So the idea was to give up the i340 for 2 dual-port Intel NIC cards, place one in each system, and System 1 will act as a simple router and the pfSense VM on System 2 will act as IDS/VPN endpoint..
I have not thought it through, but here it is:
Modem -> WAN [ SYSTEM 1] LAN 1 -> LAN 2[ SYSTEM 2] LAN 3 -> switch.
LAN3 will be the bridged port for all VMs. LAN2 is where IDS will be applied, and since there is no other device it should be the same as a WAN port.
Crazy, I know..
-
It sounds to me like your best bet is to retire the old Pentium X and virtualize everything in your Xeon.
VMware/ESXI is the most recommended VM I've seen for pfSense among many other things. You've already got a lot of capable hardware on your hands and it sounds like you can do everything you need with what you have.
Try running VMware/ESXI on your xeon platform. If it's stable for everything you need then gut the Pentium box for its i340 and run pfSense off of your VM. For your stated needs you won't need to provision much at all for pfSense.
If this fails then I would say try getting all of your pfSense working on just the Pentium box.
Only if both of the above options fail would I recommend trying to string together two pfSense boxes to do what one low end box can do. I'm guessing that the Pentium box is a huge power hog (especially if you make it work hard on an IDS), it alone is probably costing you ~$40USD/yr to run (just my guess). Your Xeon is exponentially more powerful than the Pentium and uses less power.
-
I see that you're using ESXi.. How do you find it? I mean, was it easy to set up? And if you're using the free version, what are the limitations? I just can't seem to get concise data. I know it's not the correct forum but I was curious.
I love it. That said, I'm an IT professional and have been using it extensively for the past 10 years or so, so I'm very comfortable setting it up and managing it. For home use, the limitations of the free version really don't matter. If I had a faster WAN connection (I'm 50x5 or so) then I'd use a dedicated pfSense box, but my current VM handles full speed with PIA OpenVPN no problems and allows me to run 8 or so other low consumption VMs for stuff like DNS, pi-hole, Unifi controller, Crashplan, Subsonic, dedicated torrent box, etc.
EDIT: regarding limitations of the free version of ESXi, 32GB of RAM on the host used to be a limit but I believe that has been removed in the 6.x versions. I'd use it on your Xeon system with confidence, except that I always recommend hardware RAID (for safety if not performance). If that's not an option, a good SSD will be more reliable (and MUCH faster) than any spinning disk. At home, I don't have disk redundancy on my ESXi system, but I do back up anything important nightly. This includes my pfSense config, and essential config data from the more important Linux VMs. I have a separate storage "server" (really a Sheevaplug with a Drobo) that hosts all of my essential data, and that gets backed up constantly by Crashplan on a VM on the ESXi box. And, anything important on the ESXi box runs from the SSD, mostly for reliability reasons rather than for performance.
Sorry if that's long-winded, just want to make sure I don't give hasty advice. :)
-
My own P4 based system could push ~350Mbps and that was a single core bog standard CPU.
If you exhaust the RAM and start swapping performance is destroyed though especially with whatever ancient slow disk is probably in that. It's easy to eat RAM with Snort and Squid if you just enable everything.
I might still be running that box were it not for the fact that all the capacitors died on the motherboard and it failed to POST. That alone is good reason to upgrade.
Steve
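Two points in this thread are worth making concrete: pfBasic's note that every signature you enable is more work per packet, and Steve's note that it is easy to eat RAM with Snort and Squid if you just enable everything. The script below is an added example, not code from this thread or from the pfSense, Snort or Suricata projects. It assumes the one-rule-per-line text format shared by Snort 2.x and Suricata; the sample rules and their sids are constructed for illustration. It counts enabled rules per classtype, flags the ones that carry a pcre (regex) match, and writes a pruned ruleset in which everything outside the classtypes you choose is commented out rather than deleted, so the change is reversible.

```python
"""Added example (not code from this thread or from pfSense/Snort/Suricata):
count and prune Snort/Suricata signatures so a low-end firewall box only
inspects traffic against the rules it actually needs.

Assumes the one-rule-per-line text format used by Snort 2.x and Suricata.
The sample rules and sids below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample ruleset (not from any real rule feed; sids are invented).
SAMPLE_RULES = r"""
# constructed example rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; flow:to_server; threshold:type threshold,track by_src,count 5,seconds 60; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Scripted HTTP client"; flow:to_server,established; content:"User-Agent|3a| "; pcre:"/^User-Agent\x3a\s*(curl|wget)/mi"; classtype:policy-violation; sid:9000002; rev:2;)
# alert udp any any -> any 53 (msg:"DNS long label"; content:"|01 00 00 01|"; pcre:"/[a-z0-9]{60,}/i"; classtype:bad-unknown; sid:9000003; rev:1;)
alert ip any any -> any any (msg:"Oversized ICMP echo"; itype:8; dsize:>1400; classtype:misc-activity; sid:9000004; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB exploit attempt"; flow:to_server,established; content:"|FF|SMB"; depth:4; offset:4; pcre:"/\x00{4}/"; classtype:attempted-admin; sid:9000005; rev:3;)
"""

# Rule header: optional leading '#' (disabled rule), action, protocol,
# source/port, direction, destination/port, then the "(...)" option list.
RULE_HEAD = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|reject|pass|log)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    sid: int
    action: str
    proto: str
    classtype: str
    msg: str
    enabled: bool
    pcre_count: int      # regex matches are the expensive part of a signature
    content_count: int
    raw: str             # the rule text without any leading '#'


def split_options(opts: str) -> List[Tuple[str, str]]:
    """Split 'key:value; key:value;' while honouring quotes and backslash escapes,
    because msg/content/pcre values may legitimately contain ';' or '"'."""
    pairs, buf, in_quote, esc = [], [], False, False

    def flush() -> None:
        tok = "".join(buf).strip()
        if tok:
            key, _, val = tok.partition(":")
            pairs.append((key.strip(), val.strip()))
        buf.clear()

    for ch in opts:
        if esc:
            buf.append(ch)
            esc = False
        elif ch == "\\":
            buf.append(ch)
            esc = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            flush()
        else:
            buf.append(ch)
    flush()  # last option may lack a trailing ';'
    return pairs


def parse_rules(text: str) -> List[Rule]:
    """Parse every rule line (enabled or '#'-disabled); plain comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_HEAD.match(line) if line else None
        if not m:
            continue
        opts = split_options(m.group("opts"))
        sid = next((int(v) for k, v in opts if k == "sid"), None)
        if sid is None:
            continue  # Snort/Suricata require a sid; treat sid-less lines as junk
        disabled = m.group("disabled")
        rules.append(Rule(
            sid=sid,
            action=m.group("action"),
            proto=m.group("proto"),
            classtype=next((v for k, v in opts if k == "classtype"), "unclassified"),
            msg=next((v.strip('"') for k, v in opts if k == "msg"), ""),
            enabled=disabled is None,
            pcre_count=sum(1 for k, _ in opts if k == "pcre"),
            content_count=sum(1 for k, _ in opts if k == "content"),
            raw=line[len(disabled):] if disabled else line,
        ))
    return rules


def summarize(rules: List[Rule]) -> Dict[str, Dict[str, int]]:
    """Per classtype: how many rules are enabled, disabled, and enabled-with-pcre."""
    per_class: Dict[str, Dict[str, int]] = {}
    for r in rules:
        entry = per_class.setdefault(r.classtype, {"enabled": 0, "disabled": 0, "pcre": 0})
        entry["enabled" if r.enabled else "disabled"] += 1
        if r.enabled and r.pcre_count:
            entry["pcre"] += 1
    return per_class


def prune(rules: List[Rule], keep_classtypes: Iterable[str], drop_pcre: bool = False) -> str:
    """Emit the ruleset with every rule outside keep_classtypes (and, optionally,
    every pcre rule) commented out. Nothing is deleted, so the edit is reversible."""
    keep = set(keep_classtypes)
    lines = []
    for r in rules:
        active = r.enabled and r.classtype in keep and not (drop_pcre and r.pcre_count)
        lines.append(r.raw if active else "# " + r.raw)
    return "\n".join(lines) + "\n"


def enabled_sids(text: str) -> List[int]:
    return [r.sid for r in parse_rules(text) if r.enabled]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for classtype, counts in sorted(summarize(parsed).items()):
        print(f"{classtype:20s} enabled={counts['enabled']} disabled={counts['disabled']} pcre={counts['pcre']}")
    print(prune(parsed, {"attempted-admin"}, drop_pcre=False))
```

Pointing parse_rules at the rule files your IDS package actually loads (copied off the firewall) shows what the box is matching every packet against. Trimming to the classtypes that matter on a 50/5 home line, and reviewing the pcre-heavy rules separately, is the cheapest way to cut per-packet CPU and memory before spending money on hardware.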