New Build
-
No i5/i7/xeon is going to come as close to 6W. The least I have seen is about 35W for those processors at which point I also need to worry about enough cooling in a 1U chassis - which means cooling fans, worrying about fitting all of that in 1U and if not, then spring for a 2U chassis etc. etc.
My QOTOM-Q355G4 (Core i5 box) has a TDP of 15W, but most of the time uses less.
It's not 1U, but a little neat passively cooled box. https://forum.pfsense.org/index.php?topic=132528.msg728629#msg728629
https://www.aliexpress.com/store/product/QOTOM-Q355G4-4-Gigabit-LAN-I5-5250U-Dual-core-LAN-Pfsense-Linux-ubuntu-mini-pc/108231_32798680692.html
What I mean to say is that there exist Core i5s with a reasonable TDP that might fit in a MoBo.
/Bingo
-
I would say all those processors would fit your needs more than enough (you said your internet speed was less than 100mb). I think there is a thread where people say the J1900 gets about 800mbits of throughput with zero plugins installed. But as you said, you'd like to be one step above your needs. It's not the routing and WAN transmitting that tax a CPU, it's the plugins.
And 4gb is in my opinion like a golden level for a small home. You could maybe use 1gb, maybe hit 2gb peak once in a while, but I doubt you'll ever hit 4gb. And no one's goal is to max their memory. I just had it around so I installed 2x 4gb sticks and it'll never get used.
-
Thanks for the heads up Bingo. I will look into those processors as well then.
s_mason16, It's good to know that all the processors will be able to do what I need. This opens up many choices for me as I can either go with a server motherboard with SoC - to get remote power on/off and remote management or just go the desktop motherboard with pretty much any processor that supports AES-NI.
About the memory, as I mentioned, I do have a 1GB 204 pin stick from an old laptop (the same from where I am sourcing the 2.5" 40GB HDD). I will try it with 1GB, and if I think I need more RAM, I can add a 1GB/2GB stick later. If 1GB is enough for me, then that might save me some additional money.
Time to hit ebay/newegg/amazon.
Thanks.
-
J3355B
-
Thanks pfBasic, for the short and succinct post. :) ;)
-
Anytime! It's a great part, I recommend it often. It's great for sub 100Mbps + significant package usage & also for gigabit with light package usage.
It's cheap, no moving parts and takes standard PCIe quad Gb NICs.
I use one for an HTPC (Apollo Lake has HEVC decoding) and it runs High Bitrate 4K 10bit HEVC with no issues. I personally tested it using Suricata with a moderate ruleset and piping all traffic over OpenVPN AES-128 + pfBlockerNG and it maxed out at ~65Mbps with no tweaking, IDS/IPS was the limiting factor. ~300Mbps is the peak with just OpenVPN, no IDS/IPS.
For your described use case it will serve you well for years.
If you don't already have a PSU it's best paired with a picoPSU - http://www.mini-box.com/picoPSU-80-60W-power-kit
If you do already have one use that.
It will take the SO-DIMM RAM you already have. You will probably run into issues using IDS/IPS on 1GB RAM unless you are using very light rulesets (which is honestly probably best for home use - IDS/IPS is honestly total overkill for home networks).
-
What about one of the new denverton boards?
ie A2SDi-4C-HLN4F?
Think it has everything you are looking for and afaik has aes & quickassist.
Been looking at getting one of them for my pfsense build.
https://www.supermicro.com/products/nfo/Atom.cfm?show=SELECT&type=C3000
Edit:
Just double checked, the 2 core one actually doesn't have quick assist (C3338), however the 4 core and above ones do (A2SDi-4C-HLN4F has C3558).
I would think then the C3558 would be perfect? Anyone disagree?
-
Regarding server hardware, and also IPMI:
- server hardware only makes sense if it's very important to have long term vendor support and special features
- IPMI makes no sense if you only have 1 WAN link since you won't be able to manage it if pfSense goes down
Remote power-on can be done with Wake-on-LAN via the LAN network, or using ASF. Sensor readings can be done in pfSense (either via the WebUI or via SSH).
If you have a local network where someone is always available, then IPMI can be nice to have since you won't have to go to the hardware device to reset it, but other than that, the true profit with IPMI comes from out-of-band management in case your pfSense-managed WAN is dead.
For your case, desktop and even laptop hardware (mobile i3 or mobile i5) will suffice. Make sure you get AES-NI support.
-
Anytime! It's a great part, I recommend it often. It's great for sub 100Mbps + significant package usage & also for gigabit with light package usage.
….You will probably run into issues using IDS/IPS on 1GB RAM unless you are using very light rulesets (which is honestly probably best for home use - IDS/IPS is honestly total overkill for home networks).
IDS/IPS – I was only going to play around with it just for my understanding. I don't know if I am going to keep it around. I probably won't even keep Squid, because I don't have a cap on my internet connection, so it hardly matters if I cache. I might lose a few ms to redownload which could be obtained from the cache -- but then again, this is a home network where performance is important but not mission critical.
I will, however keep using the VPN -- client and server, plus pfBlocker or similar parental controls, firewall and HAVP.
Think it has everything you are looking for and afaik has aes & quickassist.
Hmm. Not very familiar with Quick Assist. I might have to read up on that and whether it would be useful for my use case.
@johnkeates:
Regarding server hardware, and also IPMI:
- server hardware only makes sense if it's very important to have long term vendor support and special features
- IPMI makes no sense if you only have 1 WAN link since you won't be able to manage it if pfSense goes down
Remote power-on can be done with Wake-on-LAN via the LAN network, or using ASF. Sensor readings can be done in pfSense (either via the WebUI or via SSH).
If you have a local network where someone is always available, then IPMI can be nice to have since you won't have to go to the hardware device to reset it, but other than that, the true profit with IPMI comes from out-of-band management in case your pfSense-managed WAN is dead.
For your case, desktop and even laptop hardware (mobile i3 or mobile i5) will suffice. Make sure you get AES-NI support.
Agreed and Agreed. You are right in every point. I would only have 1 WAN connection. IPMI for me would only be useful in that if I ever wanted to reboot or do something in the BIOS (upgrade or change settings etc…) I wouldn't have to disconnect it from the rack and bring it up to my home office to connect to a monitor and keyboard. I can simply use KVM over IP to do that. In fact I do that with my FreeNAS box. That box required a server motherboard because FreeNAS and its forum is big on using ECC RAM, so I had to get a server board. The one I got (TYAN S5533) had IPMI.
On that note, I hear that pfSense would now start supporting ZFS filesystem -- Would this necessitate having ECC RAM -- as that is what FreeNAS recommends for ZFS? I know FreeNAS works without ECC too, it's just what they prefer/recommend.
-
Regarding server/ECC hardware: it's not really a requirement but rather something that you should probably always do, but sometimes doesn't fit the budget. For instance, if you want good storage of a lot of data where bit flips and RAM errors would be a big problem, having mirrored drives and ECC helps a lot. For a firewall, it might only help if there is data flowing over the network that has no checksums. If it fits inside the budget, I always design systems with ECC and redundancy in mind, but it simply isn't always possible.
For most situations it is overkill, imagine:
- 2x pfSense nodes in HA mode
- 2x WAN links
- 2x Switches for LAN
- 2x PSU per system
- 2x line power feeds
- 2x UPS
- bonded networking in failover mode
- all disks raid1/mirror
- all ram ECC
it would survive a lot, but also be pretty expensive ;-)
-
For that kind of IDS/IPS you'll have no problems at all performance wise.
I will, however keep using the VPN – client and server, plus pfBlocker or similar parental controls, firewall and HAVP.
It will push triple your current bandwidth over OpenVPN, significantly more over ipsec. HAVP can have some pretty noticeable performance impacts on your network even if it isn't taxing your CPU. I tried it out with my old i5-2400 setup and could tell a difference whether it was on or off even though the CPU wasn't even kind of working hard. It also just isn't very useful - but use it if you want it!
DO NOT waste your money on ECC RAM for a home network - just totally no reason at all for that crap. If you are running a business, sure throw it in there so you can tell your boss you did - it still won't matter for a small network.
There are no additional requirements to use ZFS. There is also nothing about ZFS that makes it need ECC RAM any more than other FS. The FreeNAS extremists make ZFS essentially sound like a huge liability the way they chant the ECC mantra ::), even the creator of ZFS has debunked that myth. I currently have it installed in raidz2 on 4 cheap flash drives with no issues for months, but I wouldn't use flash drives unless you have plenty of RAM for a RAM Disk (my system came with 8GB that I don't need). You can check out the link in my signature if you're interested in a ZFS install.
Regarding server/ECC hardware: it's not really a requirement but rather something that you should probably always do,
I'm pretty sure this statement was directed towards a FreeNAS setup? Because previously you stated the opposite.
Server/ECC is neither required nor recommended for home use pfSense if you like your money.
-
HAVP can have some pretty noticeable performance impacts on your network even if it isn't taxing your CPU. I tried it out with my old i5-2400 setup and could tell a difference whether it was on or off even though the CPU wasn't even kind of working hard. It also just isn't very useful - but use it if you want it!
Noted!
@pfBasic:
DO NOT waste your money on ECC RAM for a home network - just totally no reason at all for that crap.
and Noted!
@pfBasic:
server/ECC is neither required nor recommended for home use pfSense if you like your money.
I do like my money. It's pretty hard to come by! ;)
-
Well, just ordered A2SDi-4C-HLN4F. Though I think it might take a week or two to get here (cost €360 including shipping).
Already have a spare mini itx case and ram so no other costs for me.
Will probably make a thread on it to point out any issues and how well it performs.
Afaik there are no threads on someone actually using pfsense with denverton (not surprising as boards were only announced like a week ago).
Edit: as for the server vs home comments. Pretty much agree, though if you can afford it and the server hardware has features you want then imho you should go server. Personally I couldn't find a board (soc or non) that fitted my criteria then denverton mobos dropped, couple of the main things I wanted was fanless, more than 2 intel nic and ipmi. As mentioned earlier though, for most ipmi may be pointless on a router system, my use case for it is a little different than just a home router so ipmi is essential.
-
There are definitely fringe cases where server hardware would be desirable in a home - but they are for sure fringe cases.
That Denverton Atom really doesn't offer much over a modern SoC Celeron/Pentium for most home users looking in that market segment (low power fanless SoC).
But it does cost a lot more (over 4 times as much for quad NIC setups).
In your case, you needed some specific features it has - that most people definitely don't need at home.
though if you can afford it and the server hardware has features you want then imho you should go server.
Many people on here have this general opinion on hardware selection - and it is valid in the professional sector. Unfortunately it often gets spread into the home sector where it has no place.
I would rephrase that for home use:
though if you can afford it and the server hardware has features you ~~want~~ absolutely must have and cannot get in the commercial market imho you should go server.
For the 99% server hardware offers little to nothing they will actually use (or often even notice), yet it costs dramatically more.
-
Yup, I'll go with that. Depends on what the person is after. Every potential build I was putting together was coming to around the cost of that denverton board. I wasn't satisfied with non server alternative build parts I was looking at to do the job. So overall it made sense for me.
-
Well, just ordered A2SDi-4C-HLN4F. Though I think it might take a week or two to get here (cost €360 including shipping).
Congrats. Do let us know about your build and how it turns out for you.
I am most likely going the desktop grade route. J3355B is the top choice in new – but I am also looking at ebay for used mobos/cpus where if I can get an i3/i5 with a low tdp around 15W in the same price range as the new J3355 -- it might give me a bit more grunt for my VPNs since they use AES-256-CBC. I am not sure if i3/i5 would be fanless though. Might have to check.
I am probably going to get a 1U case from these fellas -- http://www.plinkusa.net/1u.htm
Brand new they cost from $45 - $150. Even used supermicro chassis sell for more than that on ebay. For my use case, the base one would do as well, they have 3-4 choices from $45 to $60. The good thing about them is that they also provide 39mm I/O plates for the different mobos which you can use instead of the 50mm I/O plates that normally come with boards.
If your board is some random layout for which they don't have an I/O plate, you can always buy the basic plate and cut it up according to your mobo.
-
The i3's and i5's can be fanless but you'll get the mobile low power ones. Not bad for pfSense, so it's not like you need the raw core power at max performance.
Regarding ECC: don't get it unless you have both the money and use weird non-checksummed protocols.
-
@johnkeates:
The i3's and i5's can be fanless but you'll get the mobile low power ones. Not bad for pfSense, so it's not like you need the raw core power at max performance.
Regarding ECC: don't get it unless you have both the money and use weird non-checksummed protocols.
Where do I find the mobile low power ones? I have been trying to search for core i3/i5 U designated processors, but newegg, amazon and ebay all just show me $300-$500 laptops. I don't want that. All I want is to buy a core ix-xxxxU processor. I found a few T designated processors, but then the TDP is 35W and above which means it won't be fanless.
-
You cannot buy them for end-user purposes. They are not socketed and integrated on the motherboard directly.
-
@johnkeates:
You cannot buy them for end-user purposes. They are not socketed and integrated on the motherboard directly.
Aha ! No wonder I wasn't able to find any. Well then in that case, if I am to build my own, the best i3/i5/i7 I would get would be with a TDP of 35W.
Looks like I should stick with Celeron J3355 or Pentium N3700 which are integrated as well, but at least you can get ITX boards instead of laptop boards of weird shapes and sizes which may or may not fit my case.