Help with hardware build
-
If you are going with an i3, you might want to check whether it supports ECC memory. Some of the i3s have support for it, and if it does, use ECC memory. It is slightly more expensive, but it would make the system more stable if you plan to leave it on forever.
-
Well, "the higher the better but I'm willing to sacrifice" is a bit ambiguous, haha. You won't crash your network, you'll just cap out at a certain speed. PIA and an OpenVPN server on pfSense provide two totally different services. PIA provides encryption and anonymity. An OpenVPN server provides encryption so that you can access your home network remotely (it can provide anonymity if you then route your server into a VPN client gateway, but by default it does not).
I was mixing up OpenVPN as a client vs. server. The main use will be as a client connecting to PIA. I'd like to have the VPN service as the limit. Let's assume I will stay around 250 mbps for the time being, and have that as the soft cap for PIA.
On the OpenVPN server side, I don't think I need a ton of speed. I have consumer internet, so my upload speeds are pretty limited. I doubt I will use that too much yet, but I'd like to "future proof" myself. Maybe 100 mbps as a limit for impact there?
I too thought squidguard would be great, but in practice it was a PITA with no noticeable improvements in my case (caching isn't very effective in a home use scenario), and you have to MiTM all of your devices to do much of anything on HTTPS. If you decide to go this route I believe the performance impact will be minimal, but I don't really know.
I definitely do not want to mitm myself to snoop on HTTPS traffic. I hadn't thought about that (I've only done some cursory research into the packages).
Darkstat shouldn't have any noticeable impact.
Any IDS/IPS will have a significant impact. You'll need something pretty damn powerful if you want to do packet inspection at gigabit speeds. I would recommend going with suricata over snort as it supports multithreading. I don't know what to recommend you for gigabit packet inspection and it will depend on the rulesets you are using.
I suppose from a pure user standpoint, I don't have a pressing need for packet inspection anyway. I think I can get away with a fairly basic firewall.
The router as an AP will provide wireless access to your clients but that's it, it won't offload anything from your pfSense box performance wise. It really shouldn't matter that much unless you have a lot of users trying to use a lot of bandwidth at the same time.
Your desired use case is still pretty ambiguous, it sounds like you want to play around with the box and figure it out as you go.
I would recommend something along the lines of an i3-7100.
I don't know where it will cap out at but it won't do any serious IDS/IPS at gigabit speeds, it also won't give you gigabit VPN. It's dramatic overkill for NAT at gigabit.
But from what it sounds like you are looking to do I think it will be a good compromise between performance and cost.
Sorry, I don't even know what I want. This is a whole new world for me. It all started with setting up Pi-Hole on my network…
I updated the requirements to be slightly less vague.
- 250/25 internet speeds now
- Going to have gigabit internet Soon
- Will use PIA on the pfSense box, aiming for ~250mbps
- Low chance for OpenVPN server on the box, only need ~100mbps throughput
- Some basic firewalling on the pfSense
- I'd like the box to be fairly small, I was thinking mini-ITX and a passively cooled system
- Currently only three devices plugged directly into my router (two PCs and my Pi-Hole)
- Will leverage my current wireless router in bridge mode to give WiFi to my house
- If this box can take over my Pi-Hole function, all the better
- Packages I will install: Darkstat, probably others I will find that are cool…
Here are some must haves, and why I am annoyed with my current router. This might help get to clearer requirements…
- Assign static IPs to devices via the router. I really like knowing what is doing what on my network, and having the same IP makes it WAY easier
- View traffic data since I love graphs
- Block ads and malicious domains (currently done on Pi-Hole device)
Thanks for all the help so far everyone. This has been wicked helpful.
-
-
No, don't waste money on ECC RAM for a firewall/router that's for home use. That's just silly. If you have it lying around and the system you buy happens to support it then by all means. But in no way is ECC RAM a meaningful purchase for a home firewall/router.
-
@teh:
Here are some must haves, and why I am annoyed with my current router. This might help get to clearer requirements…
- Assign static IPs to devices via the router. I really like knowing what is doing what on my network, and having the same IP makes it WAY easier
- View traffic data since I love graphs
- Block ads and malicious domains (currently done on Pi-Hole device)
Well feature wise you will be very happy with pfSense.
I've never used pi-hole but it looks like it's a hardware ad-blocker. If I understand that correctly you won't need it anymore with pfSense; pfBlockerNG & DNSBL is an excellent package that will block ads and more.
250Mbps OpenVPN by itself can be done by the i3 I posted for sure. Where it gets difficult is passively cooled in a small case @ 250Mbps VPN and Gigabit NAT. Even a C2758 caps out at ~218Mbps UDP AES-128 https://store.pfsense.org/C2758/. That performance surprised me, I thought a C2758 would do a lot better @ 2.4Ghz & AES-NI, but it is older.
You could get a pretty cheap CPU that could do 250Mbps OpenVPN or Gigabit NAT, but not both at the same time. Or you could pay a lot and get everything you want.
-
-
Yup, Pi-Hole is a DNS level ad-blocker.
For OpenDNS Server, I'd settle for 50-100 Mbps for outside clients connecting in, as I will rarely use it. For using OpenDNS as a client to connect to PIA, I'd love to max out my current line (250 Mbps) since I can with the PIA client on my PC. Basically aiming for feature parity there.
Future proofing myself for Gigabit NAT is probably the most important bit. Will having a solid NIC (one of the Intel ones you've recommended in the past) help out there? What CPU would hit the Gigabit NAT and what would you (roughly) expect for OpenVPN speeds? What CPU would powerhouse through all of it? I might be able to convince my wife to let me spend more and get something insane :D
-
You don't need to use OpenDNS on pfSense either. You could use it as a substitute for pfBlockerNG on a lower powered system but in general it's best to use Unbound as a DNS resolver and use pfBlockerNG & DNSBL to do all of your DNS filtering.
Gigabit NAT by itself is easy. I often recommend the J3355B and J3455-ITX for the majority of home use cases. They are very cheap passively cooled modern SoC's.
J3355 is better for VPN because it has two cores clocked higher.
J3455 is more powerful overall with four cores but they are clocked lower. You also have to either physically modify your NIC or motherboard or buy the micro-ATX board to make it work.
Either one of these will do gigabit NAT alone.
I own a J3355B for an HTPC and have tested it on pfSense, it maxed my 150Mbps line on OpenVPN AES-128-CBC @ ~33% total CPU usage on a single OpenVPN instance (only using one CPU core for VPN). It costs $55 for SoC. It will do Gigabit NAT, and it will do 250Mbps OpenVPN AES-128. It will not do them at the same time, and it will not handle heavy packages well. Check out my thread on it for more details, https://forum.pfsense.org/index.php?topic=127793.0.
The Goldmont chips (includes Apollo Lake J3355 & 3455) got an upgrade to their AES-NI (it's still slower than full blown desktop AES-NI) but apparently it was a pretty good one for low end chips. I expected the C2758 to meet all of your needs, but as I posted it gets <250Mbps max on AES-128 and it has a base freq of 2.4GHz while the J3355 is only 2.0 bursting to 2.5.
Really CPU wise what you are asking is very reasonable, I think a G4620 could do everything you want no problem.
The problem is getting all of that performance into a passively cooled package in a small case. There are some xeons that are sold passively cooled but I don't think they are really intended to be used that way, they would also be way overkill for what you need and cost a lot of money.
The options as I see it are:
- Settle for lower performance hardware if you are more interested in saving money and/or you are willing to give up gigabit WAN
- Actively cool a CPU, if noise and case size are non-negotiable then check out watercoolers with large radiators. (water cooled firewall is just silly, but again, if size, noise and performance are non-negotiable….)
- Use a larger case that can fit a large passive heatsink < This would be my recommendation
- Spend a whole lot of money and get everything you want
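The Unbound + pfBlockerNG/DNSBL approach recommended above comes down to one mechanism: Unbound answers listed names itself (NXDOMAIN, or a sinkhole address) so clients never reach the ad or malware host. The following is an added example, not code from pfBlockerNG, pfSense or anyone in this thread, and the blocklist feed inside it is constructed. It turns a hosts-format feed into Unbound `local-zone` lines and drops anything that is not a syntactically valid hostname, so a hostile feed entry cannot smuggle an extra Unbound directive into the generated file. The sinkhole address 10.10.10.1 used in redirect mode is just an example value.

```python
"""Turn a hosts-format blocklist into Unbound sinkhole config.

Added example, not code from pfBlockerNG or pfSense. It does what a
DNSBL feed does in Unbound: each listed domain gets a local-zone so the
resolver answers it locally and the client never contacts the host.
The feed below is constructed for the example.
"""
import re
from typing import Iterable

# One DNS label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Never sinkhole these even if a feed lists them.
ALLOWLIST = {"localhost", "localhost.localdomain"}

# Constructed feed: comments, duplicates, a name with an illegal character,
# and an entry that tries to inject an extra Unbound directive via a quote.
SAMPLE_FEED = """\
# constructed sample feed
0.0.0.0 ads.example
0.0.0.0 tracker.example   # inline comment
127.0.0.1 localhost
0.0.0.0 malware.example
0.0.0.0 ads.example
0.0.0.0 bad_host.example
0.0.0.0 evil.example" always_transparent
"""


def is_valid_hostname(name: str) -> bool:
    """Strict syntax check: only syntactically valid names reach the config."""
    if not name or len(name) > 253 or "." not in name:
        return False
    labels = name.split(".")
    if labels[-1].isdigit():          # rejects bare IPs like 127.0.0.1
        return False
    return all(_LABEL.match(label) for label in labels)


def parse_hosts_feed(text: str) -> list[str]:
    """Unique, lowercased, validated domains from a hosts-format feed."""
    seen: set[str] = set()
    domains: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        fields = line.split()
        # "<ip> <name>" hosts lines; a bare "<name>" line is accepted too
        name = (fields[1] if len(fields) >= 2 else fields[0]).lower().rstrip(".")
        if name in ALLOWLIST or not is_valid_hostname(name):
            continue                                   # drop junk silently
        if name not in seen:
            seen.add(name)
            domains.append(name)
    return domains


def render_unbound(domains: Iterable[str], mode: str = "always_nxdomain",
                   sinkhole_ip: str = "10.10.10.1") -> str:
    """Emit Unbound config. mode is always_nxdomain (answer NXDOMAIN), refuse,
    or redirect (answer with sinkhole_ip, the style DNSBL uses with its VIP;
    10.10.10.1 is an example value, not a fixed default)."""
    if mode not in {"always_nxdomain", "refuse", "redirect"}:
        raise ValueError(f"unsupported local-zone type: {mode}")
    lines = ["server:"]
    for d in domains:
        lines.append(f'    local-zone: "{d}." {mode}')
        if mode == "redirect":
            lines.append(f'    local-data: "{d}. A {sinkhole_ip}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_unbound(parse_hosts_feed(SAMPLE_FEED)))
```

The validation step is the part worth keeping even if you never generate config by hand: a feed is untrusted input that ends up inside a file the resolver parses, so names are allowed through only if every label matches the hostname grammar, which is what stops the `evil.example" always_transparent` line from becoming a second directive.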
-
-
I shouldn't drink and ask technical questions. When I mentioned OpenDNS earlier, I meant OpenVPN. I'd plan on using public DNS, Unbound, pfBlockerNG, and DNSBL as you suggested.
This is all amazing information. Thank you. Either the C2758 or the G4620 sound like decent bang for my buck. I'd like to have something built that will be fairly future proof, so spending a bit more now to get something beefier will be pretty worth while. The C2758 is somewhat attractive due to the lower power usage. I'd have to poke around at some benchmarks to see what the overall difference will be with the two. Is there a summarized thread where people have posted their throughput with OpenVPN, NAT, etc with different hardware?
I'd be OK with a slightly larger case or actively cooling the CPU. I'd probably lean more towards slightly larger case just to avoid extra noise in my office.
Once I do finish asking you all these questions, and getting amazingly detailed answers, I will make sure to do a summary and put it in the OP so hopefully others can glean some info.
-
-
@teh:
I shouldn't drink and ask technical questions.
;D
@teh:
Either the C2758 or the G4620 sound like decent bang for my buck. I'd like to have something built that will be fairly future proof… …The C2758 is somewhat attractive due to the lower power usage… …Is there a summarized thread where people have posted their throughput with OpenVPN, NAT, etc with different hardware?
I’d go with the G4620. The C2758 really isn’t suited for your needs. You don’t need 8 cores and it won’t help you for VPN. I mentioned it because I thought it would do the trick for your VPN needs but apparently it isn’t very impressive for VPN. It’s also pretty expensive, so it would be a long time until you got your money back in electricity savings. Additionally, it has had some issues, so if you do go that route, purchase carefully: https://forum.pfsense.org/index.php?topic=125105.0.
Unfortunately, no there isn’t a thread like that, at least not an up to date one.
@teh:
I'd be OK with a slightly larger case or actively cooling the CPU. I'd probably lean more towards slightly larger case just to avoid extra noise in my office.
To get the Pentium working for you at very low to inaudible sound levels, you’ll need to get a larger case than you had originally desired with good ventilation, fit the biggest heatsink you can in there, and use the biggest case fan you can. The larger the heatsink and the larger the fan, the lower the fan RPM = the lower the noise level. The compromise you want to make between case size and noise is up to you.
Your system will be idling when not under heavy load, and during those periods your fan will be either off or at very low RPM depending on the size of the heatsink (even if it's a smaller heatsink it won't be screaming at idle). Also, your PSU is going to have a smaller, higher RPM fan in it unless you invest in a fanless unit, so you only need to be quieter than that fan. Just some things to keep in mind when making your decision.
@teh:
I will make sure to do a summary and put it in the OP so hopefully others can glean some info.
Thank you, that would be very helpful! It would be great to see real world CPU utilization with different packages and VPN throughputs, especially at gigabit WAN speeds! It would really be very helpful to make more educated recommendations in the future!
-
Any thoughts on a decently small (but still larger) case, heatsink and fan? I've had good luck with Noctua fans, and they can be fairly quiet.
What's the OpenVPN performance I can expect if I go the passive cooling, small case route? Would I still be able to run all the other packages and hit gigabit NAT?
-
I don't know much of anything about cooling hardware. Noctua is from what I know a great brand, but they can be expensive. All I can say is that in any application if you need X amount of airflow you can spin something big slower or you can spin something small faster to achieve X airflow, the big thing spinning slowly will always be substantially quieter.
So putting a little fan directly on your cpu cooler will result in higher dB than putting a huge case fan in the side of your box blowing over the whole CPU.
If you get a case that has one whole side of it vented, then get a really big ass fan that covers as much of that vented surface area as possible and plug the fan into the CPU fan controller, it will probably work very well for you while being inaudible more than a few feet away.
For example, I use a 230mm fan in the side of my desktop, and can barely hear it when the case is open and I'm looking at it inches from my face because it operates at very low RPM.
https://smile.amazon.com/gp/product/B008UYZ102/ref=oh_aui_search_detailpage?ie=UTF8&psc=1
Something like this will get you great cooling as it can fit a 200mm fan and a 140mm cooler, but it's not small.
https://www.hardocp.com/article/2014/08/15/thermaltake_core_v1_miniitx_case_review/7
https://www.amazon.com/Thermaltake-Core-Gaming-Computer-CA-1B8-00S1WN-00/dp/B00M2UKGSM?psc=1&SubscriptionId=AKIAIS7SSXKLFPKG5TPA&tag=11018812-20&linkCode=xm2&camp=2025&creative=165953&creativeASIN=B00M2UKGSM
I wouldn't expect your CPU to thermally throttle using something like this, but this is where you have to decide what kind of compromises you want to make.
Again, you could get a really small case that fits a water cooler, but that just seems wrong for a firewall.
Gigabit NAT can be done by an old low end celeron, so don't worry about that with a full blown desktop CPU. Even running VPN maxed out, VPN is single threaded so it will only max one core unless you use gateway groups.
IDK what that pentium will max out on VPN, as a total guess I would think 4-500Mbps @ AES-128-CBC?
-
I imagined liquid cooling in that case for a router and laughed a bit :D
Would one of the other CPUs you suggested allow for passive cooling, the various packages we talked about (DarkStats, the DNS tools) and hit some lower OpenVPN numbers? I am trying to get a picture in my head of what I would "lose" if I went with a smaller form factor and zero noise. It sounds like the biggest CPU hogs would be VPN and any IDS/IPS packages. If I can accomplish all of my main goals, hit semi-decent OpenVPN numbers the times I do use it, and keep a smaller form factor with no noise, that may be a better solution.
Sleeping on the OpenVPN usage, I suspect I will not use PIA on the router itself. Most of my devices don't need to be routed through a VPN. I also think my work wouldn't like my traffic being sent through a third party VPN. I might rarely use the router as an OpenVPN server to get some of the adblocking benefits of the device, but that will probably be it.
Sorry for being so wishy washy on features. Talking through the cost/benefit with you has been extremely helpful and probably saved me a ton of time and money! Here is another updated list of needs. I think the CPU you mentioned in your benchmark post will hit my requirements, and I think it is passively cooled or at least extremely quiet.
Changes are bolded
- 250/25 internet speeds now
- Going to have gigabit internet Soon
- Very rarely, if ever will use PIA on the pfSense box. So I will not need maximum throughput
- Low chance for OpenVPN server on the box, only need ~100mbps throughput
- Some basic firewalling on the pfSense
- I'd prefer a small box, but am open to larger
- Biggest goal will be something that is either silent or has minimal noise
- Currently only three devices plugged directly into my router (two PCs and my Pi-Hole)
- Will leverage my current wireless router in bridge mode to give WiFi to my house
- Packages I will install: Darkstat, Unbound, pfBlockerNG, DNSBL and maybe other cool ones that I find
Here are some must haves, and why I am annoyed with my current router. This might help get to clearer requirements…
- Assign static IPs to devices via the router. I really like knowing what is doing what on my network, and having the same IP makes it WAY easier
- View traffic data since I love graphs
- Block ads and malicious domains (currently done on Pi-Hole device)
- Maybe setup a local proxy to fix some issues that PS4 has
-
-
@teh:
Yup, Pi-Hole is a DNS level ad-blocker.
I'd stick with pi-hole on the network regardless of what router you use. And I may be in the minority here but I find Unbound lacking as a local DNS server (as a forwarder or recursive resolver it's ok) and use a couple of low power BIND boxes on my network to handle the local zone, then they forward external queries to my pi-hole VM and do recursive lookups as a last resort (if the pi-hole box is down, for example).
-
@teh:
Would one of the other CPUs you suggested allow for passive cooling, the various packages we talked about (DarkStats, the DNS tools) and hit some lower OpenVPN numbers? I am trying to get a picture in my head of what I would "lose" if I went with a smaller form factor and zero noise. It sounds like the biggest CPU hogs would be VPN and any IDS/IPS packages. If I can accomplish all of my main goals, hit semi-decent OpenVPN numbers the times I do use it, and keep a smaller form factor with no noise, that may be a better solution.
Sleeping on the OpenVPN usage, I suspect I will not use PIA on the router itself. Most of my devices don't need to be routed through a VPN.
Sorry for being so wishy washy on features. Talking through the cost/benefit with you has been extremely helpful and probably saved me a ton of time and money! Here is another updated list of needs. I think the CPU you mentioned in your benchmark post will hit my requirements, and I think it is passively cooled or at least extremely quiet.
No worries at all, I enjoy the discussion and learn from it!
It sounds like ultimately you value a small box that you can setup, forget about and get respectable performance from. Dropping the IDS and offloading the majority of the VPN usage to the individual devices is a game changer. If that's in line with your priorities, then yes I think the J3355B will be your best bet. It will NAT gigabit and give you respectable VPN throughput when you want it. It will let you play with packages if you want at the expense of overall performance.
The big advantages for you being that if you pair it with an SSD, and a picoPSU you can put it in a very small case and it will make literally no noise. It's also very cheap, the SoC + a used i340-t4 will run you ~$90.
I'd stick with pi-hole on the network regardless of what router you use.
You already have the hardware and it works, this will offload work from your router by pretty much replacing pfBNG & DNSBL.
-
I agree, thinking on it, the smaller silent package is probably the highest priority. The VPN is lower down on my priority list, even compared to random packages that do cool things.
Is there a rough idea of what packages would cause problems with performance?
The Pi-Hole doesn't do a ton. It is basically a DNS server that has some black lists in place. The kind of cool part is the extra graphs and reporting data for seeing what domains are getting hit. I suspect I'll still use the pfSense box as the DHCP server. I assume that doesn't have a ton of overhead.
-
The heavy hitters are IDS/IPS & VPN. I put some load on my network that would make the main packages I run, including pfBNG, work and took a screenshot of the top output. Not a definitive answer, but you can see that suricata has a ton of CPU time, OpenVPN instances (I have two clients and a server) are next, then pfBNG.
Squid might be resource intensive but I doubt it. I tried using it when i first got pfSense. But it was a huge PITA and on a home network I saw no performance increase whatsoever. pfBNG & DNSBL also do everything I wanted out of squidguard better, and without the ass pain.
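As an added example (not the poster's screenshot and not pfSense code), here is a small parser for the kind of `top -H` output the post above describes: it sums per-command CPU share and accumulated CPU time so the ranking can be read off text rather than a screenshot. The sample output is constructed to mirror the situation described (suricata threads on top, several OpenVPN instances next, then unbound, which pfBlockerNG/DNSBL feeds); the column layout assumed is FreeBSD's, with `TIME WCPU COMMAND` as the last three columns and thread names in braces.

```python
"""Rank CPU consumers from FreeBSD `top -H` text output.

Added example, not from the original post. Only the last three columns
(TIME, WCPU, COMMAND) are parsed, so the script tolerates the optional
C (cpu) column and varying column widths. The sample is constructed.
"""
import re
from collections import defaultdict

# Constructed sample; the brace suffixes are how FreeBSD top -H labels
# the individual threads of a process.
SAMPLE_TOP = """\
  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
 2211 root         13  20    0  1216M   512M CPU0    0  42:18  38.52% suricata{W#01-igb0}
 2211 root         13  20    0  1216M   512M CPU1    1  42:18  12.40% suricata{W#02-igb1}
 3102 root          1  20    0    13M  7400K bpf     1  18:05  14.21% openvpn
 3110 root          1  20    0    13M  7320K bpf     0  12:44   9.77% openvpn
 3125 root          1  20    0    12M  6900K bpf     1   0:31   0.49% openvpn
 1780 unbound       4  20    0   112M    64M kqread  0   6:52   4.33% unbound{unbound}
 4410 root          1  20    0    58M    22M accept  1   0:14   1.10% php-fpm
 1501 root          1  20    0    11M  2300K nanslp  0   0:03   0.00% darkstat
"""

_THREAD_SUFFIX = re.compile(r"\{.*\}$")


def base_command(cmd: str) -> str:
    """suricata{W#01-igb0} -> suricata; openvpn -> openvpn."""
    return _THREAD_SUFFIX.sub("", cmd)


def parse_time(t: str) -> int:
    """'42:18' -> 2538 seconds; '1:02:03' -> 3723 seconds."""
    seconds = 0
    for part in t.split(":"):
        seconds = seconds * 60 + int(part)
    return seconds


def summarize_top(text: str) -> list[tuple[str, float, int]]:
    """Return (command, total WCPU %, total CPU seconds), busiest first.

    Threads of one process and separate instances of the same daemon
    (e.g. three openvpn processes) are folded into a single row.
    """
    wcpu: dict[str, float] = defaultdict(float)
    secs: dict[str, int] = defaultdict(int)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "PID":
            continue                       # header or blank line
        time_str, wcpu_str, cmd = fields[-3], fields[-2], fields[-1]
        if not wcpu_str.endswith("%"):
            continue                       # not a process line
        name = base_command(cmd)
        wcpu[name] += float(wcpu_str.rstrip("%"))
        secs[name] += parse_time(time_str)
    rows = [(n, round(wcpu[n], 2), secs[n]) for n in wcpu]
    rows.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return rows


if __name__ == "__main__":
    for name, pct, seconds in summarize_top(SAMPLE_TOP):
        print(f"{name:12s} {pct:6.2f}%  {seconds:6d}s")
```

Two things the folded view makes visible that a raw screenshot does not: suricata's share is spread across its worker threads, so on a multi-core chip it can exceed 100% of one core, while each OpenVPN instance is a single process and its number can never exceed one core no matter how many cores the box has.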
-
@teh:
The Pi-Hole doesn't do a ton. It is basically a DNS server that has some black lists in place. The kind of cool part is the extra graphs and reporting data for seeing what domains are getting hit. I suspect I'll still use the pfSense box as the DHCP server. I assume that doesn't have a ton of overhead.
Yeah, sorry for not clarifying. Use pfSense for DHCP and pi-hole just for ad blocking, if you're so inclined.
-
Thanks for all the info. I'll have to see what I can put together. I'll make a summary once I order my parts.
-
No worries, I hope it was helpful. I look forward to hearing what you decide on and how it performs for you, especially once you get a gigabit connection!
-
One more question. Will there be a significant difference between the J3355B and the J3455? It sounds like the lower clock speed on the J3455 might impact VPN performance to an extent, but would the additional cores allow for more "playing" with packages?
EDIT: Also, thoughts on the newer chips in the Celeron line? They don't appear to be that much "better" from what I am seeing.
Can you review these notes I put together? I tried to consolidate as much as I could down.
Important Details
- If using VPN, how much throughput do you want?
- What packages do you plan on running?
- Passively cooled, or actively cooled?
Pieces of Info
- Just NAT on gigabit with light, occasional VPN usage can be done with a passively cooled Celeron
- Higher VPN speeds require more CPU power, and eventually active cooling
- Most likely will not see gigabit throughput on VPN
Packages
- DarkStat has little noticeable impact on CPU
- SquidGuard is cool, but a bit of a PITA to setup. Minimal noticeable improvements in most home use scenarios. You also need to use MiTM techniques if you have a lot of HTTPS traffic. There should be little impact on CPU with SquidGuard
- Any kind of IDS/IPS will have a significant impact. Higher speeds directly correlate to higher CPU needs.
- Suricata is multithreaded while Snort is single threaded.
- Unbound for DNS resolution, combined with pfBlockerNG & DNSBL will allow for DNS filtering (blocking ads, etc)
Hardware
- NICs – i340-T4, more power efficient than the PRO/1000's and more affordable than the i350s.
- i3-7100 – Won't do any serious IDS/IPS at gigabit speeds, and won't hit gigabit VPN. Should definitely hit 250 Mbps on VPN easily. Offers a good compromise between performance and cost.
- C2758 – Caps out at ~218 Mbps UDP AES-128. Has also run into some issues
- G4620 – Can do gigabit NAT, ~250 Mbps OpenVPN, and handle a good number of packages. Would need a larger case with good ventilation. A large heat sink and large case fan should do the trick for a quiet package.
- J3355B and J3455 are the two most recommended for home use cases. They are cheap, modern, and passively cooled SoCs.
- J3355B – Two cores at a higher clock compared to the J3455. Maxed out a 150 Mbps line at AES-128-CBC with about 33% CPU usage, see here. Should do gigabit NAT, and it will hit 250 Mbps OpenVPN AES-128 (not at the same time).
- J3455 – More powerful than the J3355B overall with four cores that are clocked lower. Requires either physically modifying the NIC/motherboard, or buying a Micro-ATX board to make it work.
-
-
-
I'm also curious what the official hardware is capable of compared to these builds cost / functionality wise.