Netgate Discussion Forum

    Help with hardware build

    • T
      teh g
      last edited by

      @pfBasic:

      I personally would go for an i340 server pull over a refurb i350 (unless you need SR-IOV or Ethernet Power Management).

      That's really just a matter of opinion though, I've read about plenty of people using obvious knockoff i340/i350's with great results. I've bought plenty of things used and refurbished and I've never had an issue.

      One thing to watch out for on i350's is that it's an i350v2. Apparently there was some sort of power spike issue on the original and they discontinued it. I don't know how serious the problem is for home use though, probably negligible but I just don't know.

      I'll have to poke around at the eBay deals. They definitely seem a bit sketchy…. Would any Intel PCIe NIC work?

      I was thinking of getting two SSDs for a mirrored ZFS array. Probably overkill, but would help if a disk dies. This means I can't get one of those picoPSUs, since they appear to only have one SATA power cable. Any recommendations for a decent PSU? I assume the lower the wattage, the better, since it starts hurting efficiency at the wattages I am sitting at.

      • P
        pfBasic Banned
        last edited by

        Yeah, intel NICs are solid. The three main PCIe NICs for gigabit are in PRO/1000, i340 and i350.
        In the quad port configuration at least, the PRO/1000 can consume more power than a J3455, almost three times as much as an i340. i340 also supports virtualization if you ever go that route. Finally, the PRO/1000 is PCIe v 1.0, so if you want to fully utilize a quad port unit you must have a slot at x4 speeds.
        For all of those reasons I recommend searching around for a good used i340-t4. You can find them fairly regularly in the $35-$40 range, the best I've seen is I think $25.

        I personally would say that SSD's in a mirror for home use is totally unnecessary. You will almost certainly not see your SSD fail in the lifetime of the firewall. In the event that it does fail, so long as you have a config.xml backed up, you can reinstall to just about any thumb drive you have lying around and restore your config file. Your machine would be back up in minutes and then you could order a replacement SSD.

        However, if you are more comfortable with SSDs in a mirror, then you can still keep the picoPSU, just use a SATA splitter or MOLEX to SATA cable.
        https://www.newegg.com/Product/Product.aspx?Item=N82E16812119010
        https://www.amazon.com/StarTech-com-Power-Splitter-Adapter-PYO4SATA/dp/B0086OGN9E

        • T
          teh g
          last edited by

          Thanks again for all the info and help pfBasic. You rock!

          I haven't hit order just yet, but I settled on these parts:

          CPU/Mobo: ASUS Intel Celeron Quad-Core SoC fanless MicroATX Motherboard (J3455M-E)
          RAM: Corsair Vengeance 8 GB (2 x 4 GB) DDR3 1600 MHz PC3 12800 240-Pin DDR3 Dual Channel Memory Kit 1.5V
          SSD: Kingston Digital 120GB SSDNow V300 SATA 3 2.5 (7mm height) Desktop Bundle Kit with Adapter Solid State Drive SV300S3D7/120G
          Case: Thermaltake CORE V21 Black Extreme Micro ATX Cube Chassis CA-1D5-00S1WN-00
          PSU: picoPSU-120 + 120W Adapter Power Kit
          NIC: Intel i340-T4

          The case is a bit bigger than I originally thought, but the extra convenience of tons of room, and not having to mod the NIC or motherboard to fit in ITX is a plus. With no fans, I can also just dump that anywhere, it isn't a huge issue as long as it gets some natural airflow.

          Edit: Fixed the links because BBcode is basically the worst :P

          • P
            pfBasic Banned
            last edited by

            I think that will work out great for you! Please let us know how it goes once you get it up and running and feel free to ask any questions you may have in the configuration process.

            You can definitely use the picoPSU 80(non-WI) with 60W AC/DC Converter kit for that build, you will probably pull less than 30W from the wall under max load on everything.

            • T
              teh g
              last edited by

              @pfBasic:

              I think that will work out great for you! Please let us know how it goes once you get it up and running and feel free to ask any questions you may have in the configuration process.

              You can definitely use the picoPSU 80(non-WI) with 60W AC/DC Converter kit for that build, you will probably pull less than 30W from the wall under max load on everything.

              I just ordered my parts. Managed to get the i340-T4 for ~$35 on eBay. Not too shabby!

              Any "standard" benchmarks I should run so I can share info?

              • P
                pfBasic Banned
                last edited by

                Congrats!

                Maxing out the VPN connection for a little while (Steam downloads and 5k youtube videos are an easy way to do this) with IDS/IPS, packages on/off and posting up your RRD graphs for the time period are very useful!

                Also just your general performance in real world day to day usage is valuable for others to know!

                There's a home brew VPN benchmark on here that seems to be reasonably accurate for some but is by no means definitive. It's still fun to see how different CPUs stack up if nothing else.

                https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743

                
                # openvpn --genkey --secret /tmp/secret
                # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
                # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
                # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm

                ( 3200 / execution_time_seconds ) = Projected Maximum OpenVPN Performance in Mbps

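The benchmark from the post above, wrapped as a script (an added example, not part of the original thread): it times `openvpn --test-crypto` for each cipher and applies the 3200 / seconds formula. The function names, the use of the "real" figure from `/usr/bin/time -p` as execution_time_seconds, and the `mktemp` key file in place of /tmp/secret are assumptions.

```shell
#!/bin/sh
# Added example: wraps the openvpn --test-crypto benchmark quoted in the thread.

# Ciphers from the posted commands, plus aes-256-gcm from the posted results.
CIPHERS="aes-256-cbc aes-256-gcm aes-128-cbc aes-128-gcm"

# projected_mbps SECONDS: the formula from the thread, 3200 / execution_time_seconds.
projected_mbps() {
    LC_ALL=C awk -v t="$1" 'BEGIN {
        if (t + 0 <= 0) exit 1      # reject empty, zero, negative or non-numeric input
        printf "%.1f\n", 3200 / t
    }'
}

# time_cipher CIPHER KEYFILE: wall-clock ("real") seconds for one test run.
# Assumption: "real" is what the thread means by execution_time_seconds.
time_cipher() {
    { /usr/bin/time -p openvpn --test-crypto --secret "$2" --verb 0 \
        --tun-mtu 20000 --cipher "$1" >/dev/null; } 2>&1 |
        awk '$1 == "real" { print $2 }'
}

run_all() {
    command -v openvpn >/dev/null 2>&1 || { echo "openvpn not found" >&2; return 1; }
    # Throwaway static key in an unpredictable, owner-only file instead of /tmp/secret.
    key=$(mktemp "${TMPDIR:-/tmp}/ovpn-bench.XXXXXX") || return 1
    trap 'rm -f "$key"' EXIT INT TERM
    openvpn --genkey --secret "$key" >/dev/null 2>&1 || return 1
    for c in $CIPHERS; do
        secs=$(time_cipher "$c" "$key")
        if mbps=$(projected_mbps "$secs"); then
            printf '%-12s %8s s  %8s Mbps\n' "$c" "$secs" "$mbps"
        else
            printf '%-12s failed or not supported by this build\n' "$c"
        fi
    done
    rm -f "$key"
    trap - EXIT INT TERM
}

# Only benchmark when asked to, so the functions can be sourced and reused.
if [ "${1:-}" = run ]; then
    run_all
fi
```

Saved under a name of your choice and started with the argument `run`, it prints one line per cipher; a cipher the local OpenVPN build rejects is reported instead of producing a bogus figure.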
                • T
                  teh g
                  last edited by

                  One dumb hardware question for you. Will I use one of the four ports on the Intel NIC as a WAN port and the other three as WAN? Or would I use the onboard NIC as the WAN port and keep the Intel NIC for LAN?

                  • P
                    pfBasic Banned
                    last edited by

                    The on board NIC for that motherboard (and most motherboards) is a crappy realtek NIC.

                    You can use that NIC if you need it, they aren't the end of the world they just aren't quality products. I would relegate it to something low priority like a Guest LAN or IOT LAN though. I have my guest LAN running on a cheap WAP with 100Mbps ethernet ports, it was connected to pfSense via a realtek NIC for awhile and there were no issues. It's on intel now but there's no noticeable improvements since I never had any issues.

                    Definitely use an Intel NIC for your WAN, and for anything you care about performance on.

                    • T
                      teh g
                      last edited by

                      @pfBasic:

                      The on board NIC for that motherboard (and most motherboards) is a crappy realtek NIC.

                      You can use that NIC if you need it, they aren't the end of the world they just aren't quality products. I would relegate it to something low priority like a Guest LAN or IOT LAN though.

                      Definitely use an Intel NIC for your WAN, and for anything you care about performance on.

                      Oo, maybe I can turn that into my LAN for my WiFi network…

                      I will tinker around with it. Now to wait for my parts to get delivered. Everything should be here before the end of the week!

                      • T
                        teh g
                        last edited by

                        @pfBasic:

                        The on board NIC for that motherboard (and most motherboards) is a crappy realtek NIC.

                        You can use that NIC if you need it, they aren't the end of the world they just aren't quality products. I would relegate it to something low priority like a Guest LAN or IOT LAN though. I have my guest LAN running on a cheap WAP with 100Mbps ethernet ports, it was connected to pfSense via a realtek NIC for awhile and there were no issues. It's on intel now but there's no noticeable improvements since I never had any issues.

                        Definitely use an Intel NIC for your WAN, and for anything you care about performance on.

                        Actually, to save myself some ports, would the onboard NIC be OK for my DNS server? I was thinking of keeping the Pi-Hole (DNS server / ad-blocker) since it is configured and working well for what I need.

                        • P
                          pfBasic Banned
                          last edited by

                          I would imagine that it would work fine for that. Some have reported realtek NICs being flaky in general.

                          I've only ever used one for a few months on a Guest network but had no issues. So I'd say check it out, it will probably work without any problems. If not then you can use Unbound with DNSBL to replace the pi-hole or use an intel NIC.

                          • T
                            teh g
                            last edited by

                            Put stuff together tonight. Looks like I got unlucky with the eBay hardware pull, dmesg is reporting that the NIC is "<Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k>" instead of an i340… Any reason I should issue a return other than the power usage?

                            I saw a few people say that using port one as WAN and the other three ports bridged as WAN was not a good idea. Is that old or is that still the case? I think I have a gigabit switch floating around...

                            • P
                              pfBasic Banned
                              last edited by

                              @teh:

                              Put stuff together tonight. Looks like I got unlucky with the eBay hardware pull, dmesg is reporting that the NIC is "<Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k>" instead of an i340… Any reason I should issue a return other than the power usage?

                              I saw a few people say that using port one as WAN and the other three ports bridged as WAN was not a good idea. Is that old or is that still the case? I think I have a gigabit switch floating around...

                              hmmm, I'm not sure that this is telling you that you have a PRO/1000.

                              when you run dmesg what driver does it list? if it's "igb" then it's an i340, if it's "em" then it's a PRO/1000.

                              Also check this output and see what chipset it's using:

                              pciconf -lv
                              
                              • T
                                teh g
                                last edited by

                                @pfBasic:

                                hmmm, I'm not sure that this is telling you that you have a PRO/1000.

                                when you run dmesg what driver does it list? if it's "igb" then it's an i340, if it's "em" then it's a PRO/1000.

                                Also check this output and see what chipset it's using:

                                pciconf -lv
                                
                                
                                igb0@pci0:1:0:0:	class=0x020000 card=0x12a28086 chip=0x150e8086 rev=0x01 hdr=0x00
                                    vendor     = 'Intel Corporation'
                                    device     = '82580 Gigabit Network Connection'
                                    class      = network
                                    subclass   = ethernet
                                
                                
                                • P
                                  pfBasic Banned
                                  last edited by

                                  Yeah looks like an i340 to me, 82580 is the i340 chipset, PRO/1000 is 82571.
                                  https://ark.intel.com/compare/50495,49186

                                  It looks like the FreeBSD man page lists the igb driver as PRO/1000, some old dual port NICs, i340, i21x and i35x. The name is "Intel(R) PRO/1000 PCI Express Gigabit Ethernet adapter driver" which is why it shows up like that. But you got an i340!
                                  https://www.freebsd.org/cgi/man.cgi?igb(4)

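The identification steps from the posts above, as a script that reads `pciconf -lv` output and reports driver, PCI ID and chipset per NIC (an added example, not part of the original thread). The function names and the `em0` record are constructed; the chipset mapping is the one stated in the thread (82580 is the i340 chipset, 82571 is the PRO/1000).

```shell
#!/bin/sh
# Added example: classify NICs from `pciconf -lv` output using the mapping in the thread.

# igb0 is the record posted in the thread; em0 is constructed for contrast.
sample_pciconf() {
cat <<'EOF'
igb0@pci0:1:0:0: class=0x020000 card=0x12a28086 chip=0x150e8086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82580 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
em0@pci0:2:0:0: class=0x020000 card=0x00000000 chip=0x105e8086 rev=0x06 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82571EB Gigabit Ethernet Controller'
    class      = network
    subclass   = ethernet
EOF
}

# classify_nics: reads pciconf -lv text on stdin, prints one line per network device.
classify_nics() {
    awk -v q="'" '
    # Emit the record collected so far, then reset for the next device.
    function flush(   verdict) {
        if (name != "" && cls == "network") {
            verdict = "not covered by the thread"
            if (desc ~ /82580/) verdict = "i340 chipset"
            if (desc ~ /82571/) verdict = "PRO/1000 chipset"
            printf "%s driver=%s id=%s:%s \"%s\" -> %s\n", name, drv, ven, dev, desc, verdict
        }
        name = drv = ven = dev = desc = cls = ""
    }
    # Record header, e.g. igb0@pci0:1:0:0: ... chip=0xDDDDVVVV (device ID, then vendor ID).
    /^[^ \t]+@pci/ {
        flush()
        split($1, part, "@"); name = part[1]
        drv = name; sub(/[0-9]+$/, "", drv)     # igb0 -> igb, the attached driver
        for (i = 2; i <= NF; i++)
            if ($i ~ /^chip=0x[0-9a-fA-F]+$/) { dev = substr($i, 8, 4); ven = substr($i, 12, 4) }
        next
    }
    /^[ \t]+device[ \t]*=/ { desc = $0; sub(/^[^=]*=[ \t]*/, "", desc); gsub(q, "", desc) }
    /^[ \t]+class[ \t]*=/  { cls = $3 }
    END { flush() }'
}

# Demo on the embedded sample.
sample_pciconf | classify_nics
```

On the firewall itself, pipe the real output in with `pciconf -lv | classify_nics`.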
                                  • T
                                    teh g
                                    last edited by

                                    @pfBasic:

                                    Yeah looks like an i340 to me, 82580 is the i340 chipset, PRO/1000 is 82571.
                                    https://ark.intel.com/compare/50495,49186

                                    Phew, I was worried!

                                    Any thoughts on bridging all the ports (other than WAN) or should I use a switch?

                                    It looks like the FreeBSD man page lists the igb driver as PRO/1000, some old dual port NICs, i340, i21x and i35x. The name is "Intel(R) PRO/1000 PCI Express Gigabit Ethernet adapter driver" which is why it shows up like that. But you got an i340!
                                    https://www.freebsd.org/cgi/man.cgi?igb(4)

                                    • P
                                      pfBasic Banned
                                      last edited by

                                      @teh:

                                      Any thoughts on bridging all the ports (other than WAN) or should I use a switch?

                                      https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used

                                      It is normally best to avoid such configurations as they can be problematic

                                      I've never tried it so I can't say from experience. Just looking at that document you certainly can do it but may have some issues.

                                      If you have the time and would prefer to bridge than switch then give it a shot and if it doesn't work out dust off the switch.

                                      • T
                                        teh g
                                        last edited by

                                        @pfBasic:

                                        Congrats!

                                        Maxing out the VPN connection for a little while (Steam downloads and 5k youtube videos are an easy way to do this) with IDS/IPS, packages on/off and posting up your RRD graphs for the time period are very useful!

                                        Also just your general performance in real world day to day usage is valuable for others to know!

                                        There's a home brew VPN benchmark on here that seems to be reasonably accurate for some but is by no means definitive. It's still fun to see how different CPUs stack up if nothing else.

                                        https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743

                                        
                                        # openvpn --genkey --secret /tmp/secret
                                        # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
                                        # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
                                        # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm

                                        ( 3200 / execution_time_seconds ) = Projected Maximum OpenVPN Performance in Mbps

                                        Ran these benchmarks:
                                        AES-256-CBC : 267.9 Mbps
                                        AES-256-GCM: 282.4 Mbps

                                        AES-128-CBC: 270.0 Mbps
                                        AES-128-GCM: 284.9 Mbps

                                        Zero issues in real world use. Maxing out my line (300 Mbps down) with pfBlockerNG setup uses ~10% CPU.

                                        • P
                                          pfBasic Banned
                                          last edited by

                                          Very nice, Thank you for the feedback!

                                          • T
                                            teh g
                                            last edited by

                                            @pfBasic:

                                            Very nice, Thank you for the feedback!

                                            I am going to play around more and get things set up. But so far so good! I get to do all kinds of fun tinkering and learn, so it has been great.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.