Hardware recommendation for 1 gigabit
-
That is because it depends on your use case. For pure routing the atom would do (https://www.netgate.com/products/sg-4860.html)
For some packet filtering the Intel Core i3-4005U would do. For higher complexity loads the Intel Core i5-5250U would be sufficient. OpenVPN will never reach 1 Gbit, so there is little point throwing more expensive HW at the problem. Just use IKEv2. If you use PPPoE the requirements change (single core performance is a must, use of em driver) but I have no experience with it so I can't comment.
Anything higher than that in a non enterprise deployment is a waste IMHO but it's your money so if you fancy a Ryzen build go for it :)
Ps. I use the above i5 with pfblocker and get full gigabit with under 30% utilisation.
-
This is just a bad question that keeps getting asked over and over…
While in this case, the thread starter did say "1Gb NAT rules", most of the time, people think that saying 'I need 1Gb' is enough of a question to get a correct answer, but that is simply not the case.
It truly depends on what you want to do; in most cases it's not even going to matter what your line speed is going to be. If you do some plain routing, an Atom will do. If you do NAT, an i3 will do; if you want more, you'll need an i5, and if you are going to use security features you need a Xeon. At the same time, you'll want AES-NI, and maybe 2GB RAM to start, but 4GB as soon as you start running packages, and moving on to 8GB and 16GB in cases where you want to do caching, or heavy registration of connections etc.
Just saying "1 gigabit" means practically nothing. The question just gets repeated and people here are getting tired of posting the same 'what is it that you actually want to do' chain of comments.
Maybe the solution would be stickying a post about what speeds and packages need what hardware. At the same time, if people are so clueless about what it is they need or do, maybe they should just hop over to the pfSense store and buy a ready made box that does exactly what they need instead of trying to come up with a question and answer that fits their case.
-
People just say oh get a j1900, (Which BTW doesn't work for ACTUAL GB,…
Since those CPUs don't support AES-NI they won't work with future pfSense versions anymore, which will require this feature.
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html
https://www.netgate.com/blog/more-on-aes-ni.html
If you couldn't find an adequate answer to your question in the linked threads then there probably is no answer to your question. It's not that we all shut up and hide our collective knowledge from you.
Edit:
And, btw, your requested throughput of 1Gbps is a moving target.
https://www.netgate.com/blog/pfsense-around-the-world-better-ipsec-tryforward-and-netmap-fwd.html
-
Except not 1 of those is a real answer.
What about this then?
https://forum.pfsense.org/index.php?topic=135184.0
-
Okay but there is an answer, that I did kind of receive with the j1900 comments of old.
Someone simply saying "XXX CPU can do 1 Gbps throughput at XXX utilization in my setup", and then whether or not multithreading will matter, is all that I am really looking for.
From that it is an easy deduction: take their XXX CPU and its relative perf, say like a Geekbench score, and then choose a CPU with more as needed for more tasks.
The last post you linked is about 100 Mb down, not Gb?
"Ps. I use the above i5 with pfblocker and get full gigabit with under 30% utilisation."
Is a perfect answer imo :).
I think that shows that the procs OP and I have in mind will work; Xeon Ls should be fine.
-
With my setup from below, the packages I have are as follows:
Suricata IPS Policy on Security mode on both WAN and LAN
pfBlockerNG for IPv4 and IPv6 + DNSBL
APCUPSD
With those and running full 1 Gb line speed I have only seen one of my CPUs hit about 20% to 25% usage.
-
Dell T20/T30 (>3GHz Haswell/Skylake quad core) can handle quite a bit on gigabit, and are cheap to build and expand.
Frequent sales of $250-350 for a full system with an onboard Intel NIC (vPro, don't use on WAN); then just add some easy-to-source dual or quad Intel NICs for however many ports you want.
Going piecemeal parts with a custom or small form factor build will either cost a lot more or do a lot less.
-
Yeah, unless you have existing components and only need a board and CPU there isn't much of a point to putting stuff together anymore. If you need something fast enough just get a server or one of Netgate's boxes, if you need something cheap, you can always get the cheap china boxes. There isn't a lot of room in between where homebuilt stuff performs as well and is cheaper.
Regarding the network cards, you can often find OEM multiport Intel cards (even Dell branded ;-) ) from those retargeting shops on eBay. They are tested (from the good vendors) and field-tested compatible with the systems you can buy. There are those nameless cards as well of course, which most of the time work out great.
-
@johnkeates:
Then a 2k dollar Atom box from Netgate? Lol I beg to differ. That is a convenience price; I could build out that same top end box for 800, already looked it all up, with some wise shopping. The Netgate pricing is for the convenience and support it offers, like most premade servers; however they do not cost anywhere near what they charge.
To be clear, I am talking about this https://store.netgate.com/pfSense/XG-1541.aspx
You can build that right now from Newegg for under 1k, they want 2500…
Of course if you meant just buy a server, like the Netgate one but not the Netgate one, I mean you could still get cheaper. I am at 300 for my box so far, swapping for a full size E3 Xeon, and I will be under 600 and way more powerful than that Supermicro for 900 (which doesn't include drives or RAM, and my box does).
Buying a prebuilt or barebones box, from anyone, anywhere, is never going to be the best deal for the money, ever, for any server or PC at all.
-
That seems a bit overstated. Bare materials would be at least 1440 USD. Sure, you're paying 1000 for brand and warranty, but spending hours on multiple vendors or shady sources would cost more than that 1000… unless your time is not worth anything or you're only building one. Take the X10SDV-TLN4XXX series motherboard they are using and the SC505-203B case; where are you going to get that for less than 1K?
Then again, it's always possible to find something in a product line that is more expensive compared with alternatives. Take cars for example: the differences between cheap and expensive versions of models mostly boil down to software settings and minimal electrical component changes. Cost of material would be a few 100, unit price a few 1000. There is always a small window where you can get 'more' but 'cheaper', hence the "There isn't a lot of room", since it's not impossible, just highly impractical and nowhere near as predictable as soon as you start building or recommending more than 1 box.
On the other hand, if you only calculate worth on bare components, then any discussion makes little sense, as nobody wants just bare components; people want solutions.
-
Well ya, I covered the support in my post. There is definitely a market that the Netgate boxes are aimed at. To that market they can make sense, 100%.
However that market is only 1 portion. The extra cost is a wash for very large companies, that can just write it off. The support for smaller companies that don't want a full IT staff is a win as well.
I am not at all trying to knock Netgate, or what they offer; it fully has a place.
As for the board and case, they come out to exactly 1k. Now aside from the fact that most I reckon won't need a 10 Gb port on their pfSense, nixing the 10 Gb ports on an otherwise identical board takes off a lot of money.
Add an SSD, and boom you have pretty much the same system, for about 1400 I guess; we can go with that number (it can be found for less).
The shady sites I don't get? Newegg and Amazon are not shady sites lol, and yet always have sales and great deals if you watch.
What is my time worth? Well this is a strange question, due to having many different answers and different situations. In my time working as a network administrator and TSS tech, myself and a lot of co-workers had a lot of free time; let's not pretend that's not the truth.
We were paid to wait for something to happen, a lot. Now I know that not every place is like that 100%; my experience was mostly working for colleges. If it were me, I would rather pay my employees to search for parts, or build the boxes, than play WoW and get paid for it (literally did that).
On the same line, what your time is worth is subjective to others not in the employment. How much do you make an hour? Do you enjoy this kind of stuff? There are too many variables.
Have to disagree with the solution comment. That Netgate box is just as much a solution as any box server, or build your own. You get pfSense pre installed; that takes what, 10 mins? Building multiples: install once and Acronis over to many. I feel like the work involved is being grossly exaggerated.
At any rate, this is all back to what you said, that homebuilt systems don't make sense; that is 100% false. Especially in the case of OP and myself who were asking, as clearly we are building 1 box, not 100. The China boxes are junk; most won't even be supported soon as none afaik have AES. Server boxes from Netgate are overpriced for support that techie people won't really use. For a small business with one to a few boxes, or a home user with one, homebrew imo is the only way to go.
In my case, my business has changed; I have my own, and it's not in IT. I still have a passion for IT. I enjoy cutting up that 1U server to make it fit, fiddling with sites and planning out the perfect parts instead of taking less than optimal configs from OEMs. I have passion for it.
If someone despises it, doesn't care, wants a box now, like they buy a router from Walmart, then the Netgate and China boxes are king.
-
Do you have a link for those parts? I need them for other (non-pfSense related) setups, and everywhere I look it comes down to:
X10SDV-TLN4F = 927+ euros without tax or shipping
SC505-203B = 110+ euros without tax or shipping
-
@johnkeates:
A link to which parts? The Xeon D SM without 10gb? X10SDV-4C-TLN2F-O is the exact same board minus the 10gb ports, it's 500US.
The X10SDV-TLN4F is 829 USD, shipped on Newegg right now, in the states; not sure if Newegg UK has the same sale.
Ya the case is 100 no matter what. If you want that specific case, there are other cases that are cheaper; personally I prefer universal cases anyway, so you're not locked down to a board.
Edit: Amazon UK has the TLN4F for 529euros. https://www.amazon.co.uk/gp/aw/d/B01FYD9U1C/ref=pd_aw_sim_sbs_147_1/261-5137042-2878027?ie=UTF8&psc=1&refRID=AWE0B9C6J18RBFT5ABNX&dpPl=1&dpID=41x5OxJaD2L
-
For small appliance-type setups (like rack controllers) I often default to the SC505-203B since it has very nice front-IO options with easily machinable IO shields, and since there are plenty of supported addons from Supermicro I do like that case. The board X10SDV-TLN4F (with 10GbE) is mostly selected when I need a transparent network canary service between stacking switches or uplinks. I can't get them from New Egg (why the hell is it called New Egg?) without paying a shit ton of money for shipping.
So far, the only boards I can get cheaply are the X10SLV type boards (previous gen) with socket 1150, which do work well and are delivered in 24 hrs. Most often paired with Xeon E3s (the low specced low TDP ones). Excellent performance.
-
Would Supermicro A2SDi-4C-HLN4F do gigabit?
-
Gigabit what? Gigabit media mode? Gigabit VPN with AES256 and SHA512 with no compression and AES-NI turned off? Gigabit masscan? Gigabit routing? Gigabit NAT? Gigabit proxy? Gigabit cache? Gigabit pings? Gigabit toaster? Gigabit toothbrush?
What it will definitely do: from WAN to LAN (and back), with NAT and DHCP and firewall, process UDP and TCP at gigabit speeds.
-
This is an old thread but it's still relevant in that, with gigabit broadband increasingly available, there are few if any low end router solutions that can pass close to wire speed on uplink alone with a basic firewall enabled. Someone must have pfSense, OPNsense, RouterOS, etc. deployed on an x86 box with gigabit broadband as just a basic firewall (as in, say, the default configuration). If everyone running pfSense has all the bells and whistles enabled, it would still be useful to hear the configuration they are using to get wire speeds.
I bought an eBay SFF HP with a 4th gen quad core 3.2GHz i5 for $100 with 4GB of memory and added an Intel i350 NIC to replace my Mikrotik RB3011, which has a dual core ARM @ 1.2GHz and hw assist bridging and can only muster about 600 Mbps. Can't seem to get more than 100 Mbps out of RouterOS on the new i5 box though. Either a configuration problem or the RouterOS x86 version is only running on one core and not optimized for PC architecture or something, but I'm tired of messing with it and moving on to something open source. I'll let you know what I find.
-
Well, I can say for those that want to know, for my network and duplicating the protection that a Netgear R7800 router provides (which can only achieve around 600 Mbps with its 2-core 1.2GHz ARM processor), pfSense and a 4th gen quad core 3.2GHz i5 with 4GB of memory and an Intel i350 NIC are huge overkill. After a fresh install and setting up the firewall to provide actually more robust security, I'm seeing consistently 927 Mbps throughput through the router/firewall vs. 987 Mbps direct connect to the cable modem, with approximately 1% processor utilization shown. That's with 20 or so other clients on the LAN (printers, webcams, etc). Clearly don't need that much horsepower for a non-VPN environment. Have no need for VPN so won't be testing that. Adding 6 or 7 more rules to WAN has no discernible impact on download performance. Clearly symmetrical gigabit would need LAGG or 10G to max out both directions though. The power requirements are much higher than SSFF single board devices but it's quiet, has a reasonably small footprint, very, very robust hardware design and cheap - $100 on eBay with no HDD. I'm thinking a third or fourth generation i3 at 2.5GHz or more, or even a Celeron multi-core, would be enough after this experience.
-
BTW, the Netgear R7800 makes a quite impressive AP; I can still get well over 800 Mbps via 802.11ac wifi on download 20 feet from the R7800 and through one wall.
-
Perhaps, but for the same amount of money you can get two Ubiquiti UniFi AP-AC LITE which do that same thing.. but you'll have two :p