Netgate Discussion Forum

    Another hardware question - please advise

    Hardware
    52 Posts 9 Posters 18.9k Views
    • S
      SSri
      last edited by

      Yeah. It gives me 4 choices:

      1. Dell 1U Xeon E3 1240 v2 costing £300 inc VAT. It comes with 4 gigabit lan. I need to add a HDD on a SATA drive. This is R210 II
      2. HP Z220 E3 1240 V2 costing £360. I need to add an SSD and a 4 port lan
      3. LENOVO Thinkstation E2 SFF Xeon E3-1230v3 3.3GHz, 8GB RAM, 128GB SSD, K600. It is £300. I need to add 4 ports NIC.
      4. Custom Build Xeon E3 V5.

      All three are from eBay, and the Lenovo is from Germany with a pretty heavy return postage if faulty. VAT is paid at the time of delivery.

      I would appreciate further comments and recommendations. Thanks

      • P
        pfBasic Banned
        last edited by

        I'd do the R210 II. You'll also need to add a 5th gigabit LAN port for 4Gb LAN + your WAN.

        Use an SSD, even a cheap one over a HDD.

        • S
          SSri
          last edited by

          Choice 4 is:

          PCPartPicker part list / Price breakdown by merchant

          CPU: Intel Xeon E3-1230 V5 3.4GHz Quad-Core Processor  (£226.80 @ Alza)
          CPU Cooler: Noctua NH-D15 82.5 CFM CPU Cooler  (£75.95 @ CCL Computers)
          Motherboard: Gigabyte GA-X150M-PRO ECC Micro ATX LGA1151 Motherboard  (£98.32 @ BT Shop)
          Memory: Crucial 8GB (2 x 4GB) DDR4-2133 Memory  (£58.06 @ CCL Computers)
          Storage: ADATA Premier SP550 120GB 2.5" Solid State Drive  (£49.37 @ Amazon UK)
          Video Card: EVGA GeForce GT 710 2GB Video Card  (£39.48 @ Ebuyer)
          Power Supply: Silverstone Strider Platinum 550W 80+ Platinum Certified Fully-Modular ATX Power Supply  (£99.95 @ Amazon UK)
          Total: £647.93
          Prices include shipping, taxes, and discounts when available
          Generated by PCPartPicker 2017-04-20 20:06 BST+0100

          Adding a case plus Quad NIC would cost an additional £150 assuming all parts are compatible. The total is at least £800.

          BlueKoBold's supermicro server is most likely a better choice than building one, if the modern architecture is better. I am a little confused now.

          • S
            SSri
            last edited by

            @pfBasic:

            I'd do the R210 II. You'll also need to add a 5th gigabit LAN port for 4Gb LAN + your WAN.

            Use an SSD, even a cheap one over a HDD.

            Sorry. I did not see this. I will surely contact the seller to explore LAN options. Perhaps go without LAN from the seller and put in an Intel i-340 or i-350 pulled from the server, assuming the R210 II gives me the ability to add two sets of LAN cards.

            Performance-wise, leaving the cost difference aside for the time being, are there any advantages of the Supermicro Superserver SYS-E300-8D over the R210 II sporting a Xeon E3-1240 v2, please? In terms of CPU benchmark, the Xeon D1518 scores 4700 points vs the E3 1240V2's 9200+.

            • ?
              Guest
              last edited by

              Total: £647.93
              Prices include shipping, taxes, and discounts when available
              Generated by PCPartPicker 2017-04-20 20:06 BST+0100

              Would also be a really nice pfSense box and strong enough for all things, all packets and surely 1 GBit/s at the WAN port.
              But with the Gigabyte mainboard there were incompatibilities with their BIOS in the past, and so I would be careful
              about getting one of these!

              Adding a case plus Quad NIC would cost an additional £150 assuming all parts are compatible. The total is at least £800.

              The SYS-E300-D8 is offering 4 Cores and 8 Threads together with 2 x Intel i210 LAN Ports, 4 x Intel i350 LAN Ports and on top of this
              2 SFP+ Ports connected to the SoC and one IPMI Port on top of all of this! And another QuickAssist or Network Card if needed.

              BlueKoBold's supermicro server is most likely a better choice than building one, if the modern architecture is better. I am a little confused now.

              Might be enough for many things and future proof, OpenVPN 2.4 is multi-core threaded and it is using AES-NI too, perhaps
              a nice thing for many people, I swear by IPsec and AES-NI where an SG-4860 can push nearly +/+ 500 MBit/s over the tunnel.

              If here the main part is not really pointed to the maximum OpenVPN throughput, it could really be that the Qotom J1900
              4-core - 4 x Intel LAN build - 8GB RAM, 120GB mSATA- 10 watts - $260 will do the job also.

              Sorry. I did not see this. I will surely contact the seller to explore LAN options. Perhaps go without LAN from the seller and put in an Intel i-340 or i-350 pulled from the server, assuming the R210 II gives me the ability to add two sets of LAN cards.

              All can be bought refurbished and from eBay for less and cheap, it's only a firewall and not a PC.

              Performance-wise, leaving the cost difference aside for the time being, are there any advantages of the Supermicro Superserver SYS-E300-8D over the R210 II sporting a Xeon E3-1240 v2, please? In terms of CPU benchmark, the Xeon D1518 scores 4700 points vs the E3 1240V2's 9200+.

              Core is not Core and a CPU is not like all other CPUs, but the D-15x8 SoC is power saving and strong.

              • P
                pfBasic Banned
                last edited by

                OpenVPN 2.4 is not multithreaded.

                There is no chance of running IDS/IPS at the multi gigabit level on a j1900, even if no VPN were required at all.

                • S
                  SSri
                  last edited by

                  Thanks guys. Very helpful inputs and recommendations.

                  @pfBasic:

                  OpenVPN 2.4 is not multithreaded.

                  There is no chance of running IDS/IPS at the multi gigabit level on a j1900, even if no VPN were required at all.

                  Agree. j1900 does not suit the IDS/IPS requirement.

                  It is clearly Xeon, choosing between R210 II, SM Sys-E300-8D and custom built Xeon E3-v5. All three would fit, although I need to be careful with E3-v5 mobo. I am a little lost for the choice. The SM spec is tempting as it contains 2 10G SFP costing almost double.

                  I will think a little between these three. Any comments in terms of their relative performance advantage will be greatly appreciated.

                  • P
                    pfBasic Banned
                    last edited by

                    Just the cheapest thing that can do everything you want it to do is probably your best bet.

                    • S
                      SSri
                      last edited by

                      I am going to think a little to decide the cheapest versus Sys300-8D vs xeon E3-1230 v5 build.

                      I am sorry. I keep asking.

                      How does this stack up? Is it good for the purpose please?

                      HP ProLiant DL360e Gen8 (SFF Drives)

                      • Xeon E5-2450L EightCore 70w TDP

                      • 4 x 4G DDR3 RAM

                      • 4 x GB HP Ethernet 366i (essentially intel i350, I guess)

                      • 2 usb 2.0 ports

                      • 2 PCIe - can add additional Lan, 4GB or 10GB Fibre Channel ports

                      This costs £475.00.

                      Dell R210 II costs £300 plus SSD (£60) + Intel i350 LAN (£100-£125).
                      I need to get an SSD or get a SATA-mSATA tray to use my old Sandisk mSATA.

                      • P
                        pfBasic Banned
                        last edited by

                        1.8 GHz is pretty slow for VPN.

                        When you are comparing Xeons for this build, the most important factors are price and architecture. You don't need any more cores than the standard 4, but lower clock speeds will hurt your per-instance VPN throughput.

                        Especially on old hardware like that, 1.8GHz from 2012 will be an OpenVPN dog compared to even a cheap modern Celeron.

                        • S
                          SSri
                          last edited by

                          @pfBasic:

                          Especially on old hardware like that, 1.8GHz from 2012 will be an OpenVPN dog compared to even a cheap modern Celeron.

                          Thank you. This is very helpful.

                          Please forgive me for asking. From an architecture perspective, how would the E3-1240V2 (3.4GHz, 8MB Cache), still an EOL in the Dell R210 II, stack up against the D1518 (2.2 GHz, 6MB Cache) please? I know the latter is still a modern architecture. I do not want to sound rude for comparing two different architectures, especially a popular Xeon D family. I am just trying to understand.

                          This is important for me to understand as I want to decide (i) buy the EoL Xeon as the old R210 II would still cost me closer to £500 after adding an SSD, GB quad NIC, etc or (ii) pay more and get/build a xeon E3-1200 v5 or get the Sys-300-D8.

                          I am sorry, I keep asking rather than deciding!  :)

                          • P
                            pfBasic Banned
                            last edited by

                            E3-1240 v2 is Ivy Bridge ~2012 https://ark.intel.com/products/65730/Intel-Xeon-Processor-E3-1240-v2-8M-Cache-3_40-GHz

                            D-1518 is Broadwell ~2014 https://ark.intel.com/products/91201/Intel-Xeon-Processor-D-1518-6M-Cache-2_20-GHz

                            You can find a CPU's architecture on the Intel ARK database, and here's a link to the hierarchy:
                            https://en.wikipedia.org/wiki/List_of_Intel_CPU_microarchitectures

                            All of those 4 core models will serve you well.

                            Newer architectures are generally just better. You can't compare across architectures.

                            2.0GHz Ivy Bridge is not the same as 2.0GHz Kaby Lake.
                            Similarly AES-NI instructions get improved over time, etc.

                            So if price is similar, go with what's newer. If the new stuff is a whole lot more expensive, then it probably isn't worth it for your situation.

                            It's easy to google around and find an old CPU that appears to be a monster (8 core/16 thread xeon) for a price that seems too good to be true. It's because the technology is outdated. Not saying those products are now totally invalid, but you can probably find something newer that looks not nearly as nice on paper that will get similar performance and use less power while doing so.

                            • S
                              SSri
                              last edited by

                              Thank you. Really appreciate your help.  I agree and am aware we can't compare across. I don't think xeon kaby lake has hit the retail market. At least, I can't see anything in the UK yet.

                              I was kind of playing around with E3 v5 config. Depending on the CPU and graphics, it is about £900 inc VAT, without a QP intel NIC, which would add another £50-£5. The overall difference in the newer xeon build is give or take 50, depending on the choice of E3 V5 CPU and video card.

                              I will share the spec anyway, in case anyone is interested.

                              Xeon E3-v5

                              PCPartPicker part list / Price breakdown by merchant

                              CPU: Intel Xeon E3-1275 V5 3.6GHz Quad-Core Processor  (£331.90 @ Alza)
                              CPU Cooler: Noctua NH-D15 82.5 CFM CPU Cooler  (£75.95 @ CCL Computers)
                              Motherboard: ASRock E3C236D2I Mini ITX LGA1151 Motherboard  (£204.92 @ More Computers)
                              Memory: Kingston ValueRAM 4GB (1 x 4GB) DDR4-2133 Memory  (£36.81 @ BT Shop)
                              Memory: Kingston ValueRAM 4GB (1 x 4GB) DDR4-2133 Memory  (£36.81 @ BT Shop)
                              Storage: ADATA Premier SP550 120GB 2.5" Solid State Drive  (£49.37 @ Amazon UK)
                              Case: Fractal Design Node 304 Mini ITX Tower Case  (£64.48 @ Ebuyer)
                              Power Supply: Silverstone Strider Platinum 550W 80+ Platinum Certified Fully-Modular ATX Power Supply  (£99.95 @ Amazon UK)
                              Total: £900.19
                              Prices include shipping, taxes, and discounts when available
                              Generated by PCPartPicker 2017-04-21 23:02 BST+0100

                              I could not find a paired 2 x 4 GB ECC RAM in PCPartPicker UK.

                              IBM intel i-340 t4

                              http://www.ebay.co.uk/sch/i.html?_from=R40&_sacat=0&_nkw=IBM%20INTEL%20QUAD%20PORT%20GIGABIT%20PCI-E%20SERVER%20NETWORK%20ADAPTER%20CARD%2049Y4242%20I340-T4%20%7C&rt=nc&LH_PrefLoc=1&_trksid=p2045573.m1684

                              The Xeon E3-1240 v2 R210-II looks very attractive indeed, as a new build does not seem worth it for the purpose, unless I leverage this to run multiple services: (i) pfSense FW/Router, (ii) VPN, (iii) Suricata, (iv) media server and (v) NAS. My initial thought was to run (i) to (iii) on one platform and (iv) and (v) on the other.

                              I am going to think a little, decide and come back.

                              • S
                                SSri
                                last edited by

                                Although running all the above five on a single platform looks attractive, personally, I think it poses a security risk. It also defeats the purpose of running the FW router as a standalone service

                                • ?
                                  Guest
                                  last edited by

                                  This is important for me to understand as I want to decide (i) buy the EoL Xeon as the old R210 II would still cost me closer to £500 after adding an SSD, GB quad NIC, etc or (ii) pay more and get/build a xeon E3-1200 v5 or get the Sys-300-D8.

                                  The question is how much more you have to pay!!! The Xeon D-15x8 platform is able to route 1 GBit/s at the WAN with ease,
                                  and due to being capable of AES-NI it might be speeding up IPsec VPN and OpenVPN since version 2.4 based on the pfSense version
                                  2.4, ok it's on Beta status but together with the Xeon D-15x8 platform it is playing nicer than the pfSense version 2.3.3-px.

                                  Xeon E7 = big
                                  Xeon E5 = mid size
                                  Xeon E3 = small
                                  Xeon D-15x8 = Xeon light

                                  A CPU core is not the same as another CPU core, the Xeon D-15x8 platform is a Xeon Core light and its benefits
                                  will be a really nice match for a firewall, but for raw and strong power machines, the Xeon E3/E5 will be perfect
                                  and not to beat, in my eyes. It's made for 24/7, supports ECC RAM, USB3 and 1/10GbE will round up those points.

                                  Often people are only looking at some things that could be in their game play, but it is more a detailed thing to know what
                                  exactly you will reach or you must solve out, or in some special cases it might be making more sense to take then a really
                                  strong and powerful platform that is really able to fit all your needs.

                                  Although running all the above five on a single platform looks attractive, personally, I think it poses a security risk. It also defeats the purpose of running the FW router as a standalone service

                                  Only in some rare situations might it be good to set up a firewall or a router inside of a VM, and then also only on dedicated machines
                                  with no other VMs, related to the safety needs.

                                  • V
                                    VAMike
                                    last edited by

                                    @BlueKobold:

                                    due to being capable of AES-NI it might be speeding up IPsec VPN and OpenVPN since version 2.4 based on the pfSense version
                                    2.4

                                    Please stop with this nonsense about AES-NI not working with OpenVPN 2.3.

                                    • P
                                      pfBasic Banned
                                      last edited by

                                      Yeah, you've got a bunch of weird ideas bro.

                                      • AES-NI doesn't work well on pfSense prior to 2.4

                                      • OpenVPN 2.4 is multithreaded

                                      • Only virtualize pfSense on a dedicated machine :o What then would be the point of virtualizing?

                                      • J1900 can do gigabit+ IDS/IPS….

                                      Wrong on all accounts.

                                      Being wrong is one thing, but you are wrong way more than you are right and you keep spreading the same misinformation over, and over, and over again.
                                      What's worse is your profile makes you look like you know what you're talking about, sort of….

                                      Please stop or go away.

                                      • W
                                        whosmatt
                                        last edited by

                                        @pfBasic:

                                        yeah you'll want a xeon if you want to eventually inspect a total of 5 gigabits of traffic.

                                        Let's take a step back for a moment.  pfSense is not the right choice for routing 4 or 5Gbps of traffic, packet inspection needs aside.  OP, what Cisco switch do you have?  For that kind of traffic, assuming you really have that need, a L3 switch is a much better choice than using pfSense to route between internal network segments.

                                        And for packet inspection, with the right switch (which is pretty much any managed switch, L3 or no), you're able to set up a dedicated box for that, one that you don't have to route traffic through.  You can use port mirroring on your switch to send any traffic you like to a dedicated inspection box without imposing slowdowns on the actual routing.

                                        If those are really your requirements, I'd go one of two ways:

                                        1. Buy a dedicated small Kaby Lake (not Xeon) system with the fastest CPU clock speed you can muster for pfSense.  The fast clock speed is your friend with OpenVPN.  Buy another machine to handle packet inspection and use port mirroring on your switch to send whatever traffic you like to it.

                                        2.  Buy a beefy 1U server and use it as a hypervisor.  Plan to dedicate at least 2 cores to pfSense and about 1GB of RAM, and if you wish, you can dedicate NICs as well.  That pfSense instance should handle only LAN(s) to WAN routing and VPN, presuming you have a L3 switch.  The rest of the resources on the hypervisor can host another VM (pfSense or otherwise) to handle any packet inspection needs.

                                        I have my doubts as to whether you really have a requirement for 4Gbps routing, but, again, if you do, pfSense is probably not the best tool for the job.

                                        • S
                                          SSri
                                          last edited by

                                          Thanks all for helping me.

                                          @BlueKobold:

                                          how much you have to pay more!!! The Xeon D-15x8 platform is able to route 1 GBit/s at the WAN with ease

                                          The difference between an E3-v2 and D15xx/E3-v5 is double the price. But, thanks for the heads up on the D series. I would be keen to see its VPN THROUGHPUT.

                                          @whosmatt:

                                          what Cisco switch do you have?  For that kind of traffic, assuming you really have that need, a L3 switch is a much better choice than using pfSense to route between internal network segments

                                          1. my requirements, which are given above are: a FW Router - PfSense, VPN for internet facing devices and suricata.

                                          2. Cisco SG300 managing multiple Vlans and route internal traffic. I want to leverage this switch's features as much as possible without having to knock the front door. I do want to use its L3.

                                          3. Set up a separate server, after the above is complete, for media, NAS, etc. I want to maximise the speed as much as possible, > 1gb, 4-10 Gb for internal server access and expose it on a few devices that require access to this server. To achieve this, either I need to link aggregate the GB ports or get a couple of 10 Gb SFP FC cards, connect the server through this and enable access to devices via a 10 Gb switch or any alternative. I therefore want to future proof the FW Router box to achieve this speed.

                                          Isn't packet inspection done at the firewall please? If we run it separately, do I need to maintain the routing table here as well? How to filter to ensure anything that comes on this does not bypass the FW and VLAN rules? I'm sorry it may be a naive question.

                                          I like both the approaches 2 boxes vs 1 server.  Do I need a licence to run a hypervisor please? If I buy a 1u server, I could then run all my requirements (1 and 3)  plus DPI as VMs. One concern is: isn't it a good practice to run the FW separately? I guess VM achieves it.

                                          Thanks again.

                                          • ?
                                            Guest
                                            last edited by

                                            @VAMike:

                                            @BlueKobold:

                                            due to being capable of AES-NI it might be speeding up IPsec VPN and OpenVPN since version 2.4 based on the pfSense version
                                            2.4

                                            Please stop with this nonsense about AES-NI not working with OpenVPN 2.3.

                                            AES-NI is speeding up an IPsec tunnel to +/- 400 MBit/s throughput with an SG-4860 unit from the pfSense store, but
                                            not the OpenVPN tunnel due to its TUN/TAP architecture (based on the information from @gonzopancho) that was also
                                            there in version 2.3! But since OpenVPN 2.4 at first we get multicore CPU usage and on top of that the AES-NI is able
                                            to speed up then available to choose and use AES-GCM mode. Link

                                            OpenVPN has problems that will not be solved by faster crypto. The tun/tap interface is the bottleneck.
                                            Link ok 11 months old and not really
                                            actual since OpenVPN 2.4 with AES-GCM mode.

                                            So what was now wrong here!?

                                            Yeah, you've got a bunch of weird ideas bro.

                                            Because you said?

                                            •AES-NI doesn't work well on pfSense prior to 2.4

                                            OpenVPN is now available on pfSense

                                            •OpenVPN 2.4 is multithreaded

                                            Currently, OpenVPN is scaled on SMP machines by adding processes rather than threads.
                                            OpenVPN Roadmap

                                            And on pfSense OpenVPN will be able to get for each tunnel another CPU core in usage.
                                            For sure not a real SMP usage but together with the multicore usage of the (pf4) since
                                            pfSense version 2.2 more than enough as before with only and "real single CPU core threaded"

                                            •J1900 can do gigabit+ IDS/IPS….

                                            I never said or wrote this!

                                            Wrong on all accounts.

                                            If you mean!

                                            Being wrong is one thing, but you are wrong way more than you are right and you keep spreading the same misinformation over, and over, and over again.

                                            What's worse is your profile makes you look like you know what you're talking about, sort of….

                                            Please stop or go away.

                                            So I have to leave that forum now?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.