PfSense box for 100/40 w/ traffic shaping + some room
-
Thanks everyone for taking the time to respond! It sounds like traffic shaping is NOT the CPU hog I feared it was. Whatever the hell they put into that USG must be really subpar hardware then…
OpenVPN is single threaded, so base clock speed is pretty important.
Oh, didn't know that, that puts some things into perspective. That makes the higher clocked dual core Celerons sound more appealing..
I took the vpn comment to mean that there was a work laptop with a vpn or such
Sorry, I apparently rambled a bit on in the middle of the night.
What I meant regarding VPN:
- there is an OpenVPN Server in my home network with 0-2 concurrent connections, mostly people using my Plex. Right now it's hosted on my home server, but I see some benefits of moving it to the router
- I personally use Cisco AnyConnect on my work laptop to connect to.. work. Not that the router cares, except my traffic shaping requirement.
I don't see myself using the router as an OpenVPN client to tunnel traffic through PIA or something similar.
Unless you're in the EU, then the apu2 may not be competitive.
Yep, located in Germany, so it's about 210€. The shuttle is about 290€. In the states I'd probably just get a used Dell R210 ii for 200 bucks and be done with it. Alas…
I like the J3355B in an M300 enclosure using a PCIe riser for a dual (or quad if you want it) port NIC (I recommend an eBay server pull i340t2 or 4). Combine that with 2x2GB SO-DIMM DDR3(L), a little 16GB SSD and a picoPSU 80 (non-WI). In the US that will all cost you something like $200, that's for a totally silent (fanless) and compact system with no moving parts. Less if you have some of your own parts you can reuse.
Thanks, I'll look into building a small whitebox this weekend. I never built something small so I struggled a bit with the external power supply and the small cases, but that's a great starting point.
As far as traffic shaping goes, I would recommend you install pfSense 2.4 (RELEASE goes live in like a week I think?), and use Limiters with fq_codel.
That sounds wonderful, thanks for the info + link, I'll dig into that.
/edit
I just noticed that the Celeron 3855U and the J3355B have pretty similar single threaded performance, but the 3855U is about 50% faster in multicore. Most likely due to TurboBoost, also the 3855 is about 50% more TDP.
https://www.cpubenchmark.net/cpu.php?cpu=Intel+Celeron+J3355+%40+2.00GHz&id=2960&full
https://www.cpubenchmark.net/cpu.php?cpu=Intel+Celeron+3855U+%40+1.60GHz
Sounds like both might just work for what I want to do…
-
What Hardware are you running on VM?
I have pfsense running as a vm on an OLD HP microserver N40L on esxi 6.5. It could handle my 75/10 connection without any problem – would get 80+ and 12 up.. I was doing some fq_codel to remove buffer bloat but not any other sort of shaping.. When I put in my new 500/50 line the other day, no, the VM could not keep up, but it was doing 120ish down and the up it handled..
I had to go with USG to handle the speed of the line, which it does do but I am not using any shaping on it - from what I was reading yeah it falls down pretty hard then..
I have only had the usg online for a few days - and while it can route the packets at speed.. Other than that its very limited.. They are getting there I think.. But I want my pfsense back!! I hope to have some pfsense hardware in Nov.. But I am going with actual pfsense/netgate hardware.. The new sg-3100 is shipping in a few days, I would think that should handle your needs without even breaking a sweat, etc.
-
I just noticed that the Celeron 3855U and the J3355B have pretty similar single threaded performance, but the 3855U is about 50% faster in multicore. Most likely due to
The low end traditional celeron parts (skylake and later) are all pretty good for this sort of application. (Insert note here about how annoying it is that intel is now calling everything a celeron. The 3855U and the J3355 are completely different architectures. The U series will be much faster for some tasks, but firewalling isn't one of them.) The main reason the J3355 comes up (note there's no "b", that's a motherboard product name) so much is that it's got a bit lower thermal requirement, it's a bit cheaper, there are a few decent low-cost boards, and it's enough power to cover a pretty big range of requirements. The 3855U isn't a bad choice, but I'm not aware of as many low-cost reasonably available/tested boards using it. Stepping up a bit into even higher performance G series celerons is useful for people trying to do full VPN, but unnecessary for the performance you're talking about. (That said, it may be sensible depending on availability in your local market if the costs end up pretty similar. Around here the G series final price would probably be cheaper than the U series, because they're much higher volume, but would still be twice as much as the J series.)
-
What Hardware are you running on VM?
My VM host is a Xeon E3 1230v6, so powerful enough. If I'm going the VM route I just need to add a proper network card (otherwise all other VMs / containers share the one remaining and my pfSense uses a single NIC for everything). If my newest purchase from eBay isn't a counterfeit piece of junk like the card I got from Amazon, it's where I'll start.
I had to go with USG to handle the speed of the line, which it does do but I am not using any shaping on it - from what I was reading yeah it falls down pretty hard then..
Just activating Smart Queues reduced bandwidth like crazy…
I have only had the usg online for a few days - and while it can route the packets at speed.. Other than that its very limited.. They are getting there I think.. But I want my pfsense back!! I hope to have some pfsense hardware in Nov.. But I am going with actual pfsense/netgate hardware..
The UI is very pretty but I was surprised how little stuff was there. pfSense on the other hand got me surprised just how much I can do with it. :)
The new sg-3100 is shipping in a few days, I would think that should handle your needs without even breaking a sweat, etc.
The prices in Germany are complete bonkers. 665€ for the Atom based SG-2440. 420€ for the atom-based SG-3100.
Insert note here about how annoying it is that intel is now calling everything a celeron. The 3855U and the J3355 are completely different architectures. The U series will be much faster for some tasks, but firewalling isn't one of them
Yes, it has been very interesting to learn about the different chip series Intel puts out there. Atom C, D, E, Apollo Lake, Skylake, jeez. What makes you say the SkylakeU are not faster at the pfSense stuff than the Apollo Lake Celerons? I'm tying my assessments to Passmark scores right now, but that might not be optimal.
The 3855U isn't a bad choice, but I'm not aware of as many low-cost reasonably available/tested boards using it.
I've picked the Shuttle DS68U, which seems to be well received from what I could find: http://www.shuttle.eu/products/slim/ds68u/overview/
And while the mainboards are pretty cheap I couldn't find any that use Intel NICs, so I have to get a case with space for a network card. Adding it all up I ended up at 277€, which is very close to the Shuttle with 293€:
https://docs.google.com/spreadsheets/d/1HF0IIQZs2sYIeKY-nER_JhpiZaqKibplbTedNr-SeFI/edit#gid=0
I might be doing it wrong and I'll continue to look into it, but as of right now I see the main choices between:
-
Just VM the thing, save the money and bite the bullet when you have to do maintenance
-
You'll never notice not having two NICs, buy the damn NUC i3
-
You'll never notice only having a Celeron CPU, buy the damn Shuttle
-
-
The prices in Germany are complete bonkers. 665€ for the Atom based SG-2440. 420€ for the atom-based SG-3100.
You sure those prices are not bundled with support? They have started offering enterprise level support so yeah the price jumps up if you pick support vs community support which is 0$ ;)
-
$350 is pretty steep for an ARM CPU.
-
There is a bit more to it than just the CPU ;) Don't forget it comes with a year of gold as well.
Why don't you add up the price of building that box with the specs.. Then take into account the development cost of pfsense that buying hardware direct from them supports, etc. etc. Now compare that price to what you get with buying a comparable product vs some box made in china that you're going to put pfsense on ;)
I too would love them to be cheaper ;) But not like they are all that crazy.. And I for sure understand budget committees (spouses) for your home purchases.. Which forced me to get the "cheap" usg until such time as budget can allow for pfsense hardware.. And I still got an eye roll when it showed - WTF did you order now ;)
Maybe it is just me, but I would much rather wait a month or two to get pfsense hardware vs some china box.. Which isn't all that much cheaper when you add it all up.. What are you going to save, 100-150$? My buddy got one of those cheap boxes off amazon.. Ran into the bios issue, they sure as hell are not fixing it, etc.
-
Haha yeah, the budget committee sure wouldn't stand for that (and I agree with her).
It is a good value with gold.
For me I use a SFF used i5-2400 workstation with 8gb ram. It's power hungry but was very cheap and it's powerful.
I also like the $2-250 j3355b builds.
Basically it would be nice to have an option to buy official without gold for those that don't want it.
But that might not be realistic for netgate with their profit margins.
-
You sure those prices are not bundled with support? They have started offering enterprise level support so yeah the price jumps up if you pick support vs community support which is 0$ ;)
Yep, I can add support from that local partner on top though. It's similar to say Apple, where a $699 device costs 799€.
There is a bit more to it than just the CPU ;) Don't forget it comes with a year of gold as well.
Yep and I would love to have that / support the company. I'm not complaining about the price they offer and as a company would love to get that premium support. But since it's just me playing around with my home network those appliances are not in price range, and that's OK!
Maybe it is just me, but I would much rather wait a month or two to get pfsense hardware vs some china box.. Which isn't all that much cheaper when you add it all up.. What are you going to save, 100-150$? My buddy got one of those cheap boxes off amazon.. Ran into the bios issue, they sure as hell are not fixing it, etc.
The main thing that scares me about the China boxes is the knock off thing. They all claim Intel chipsets & NICs, but how can you be sure? Especially the NICs are being copied like crazy apparently.
Anyhow, thanks everyone for the support and responses, I really appreciate it. If there are more suggestions or links to threads with mini ITX builds, keep them coming, I haven't written that route off!
-
Insert note here about how annoying it is that intel is now calling everything a celeron. The 3855U and the J3355 are completely different architectures. The U series will be much faster for some tasks, but firewalling isn't one of them
Yes, it has been very interesting to learn about the different chip series Intel puts out there. Atom C, D, E, Apollo Lake, Skylake, jeez. What makes you say the SkylakeU are not faster at the pfSense stuff than the Apollo Lake Celerons? I'm tying my assessments to Passmark scores right now, but that might not be optimal.
passmark is useless. To be clear, a skylake outperforms an apollo lake at the same clock speed or at a slight clock speed disadvantage (which is the case between the 3855U and the J3355). What I meant is that for some tasks the skylake would stomp all over the apollo lake, but firewalling isn't one of those tasks–the performance will be a lot closer. So if the U series ends up being price competitive just get it.
-
Haha yeah, the budget committee sure wouldn't stand for that (and I agree with her).
If all customers and/or users would submit 5 € - 10 € a year it would not be so hard to finance that project. And second, if you spend 5 € for 20 years it is not too much, but with Gold support you will get something back!
For me I use a SFF used i5-2400 workstation with 8gb ram. It's power hungry but was very cheap and it's powerful.
I also like the $2-250 j3355b builds.
I love more the APU2C4 bundles from the varia store here in Germany, they offer mostly good parts and are also not so high in price.
Basically it would be nice to have an option to buy official without gold for those that don't want it.
But that might not be realistic for netgate with their profit margins.
I don't know what you think a pfSense version change costs!? From 2.1.5 to 2.2x it was something around ~$92.000,00, as I once read here in that forum from one of the developers.
The prices in Germany are complete bonkers. 665€ for the Atom based SG-2440.
You will get three miniPCIe slots + 1 SIM slot on top of this!
420€ for the atom-based SG-3100.
Please compare this unit to the SolidRun ClearFog pro unit with case and a qualified SoC or SoM!
It comes with more ports, a crypto offloading engine inside the CPU, and it is ARM based, as many many users were asking for something like this in the past. My personal view is that many people first call and ask for something or more, and then when it becomes available they all run away or have no money to pay a small fee such as 5 € for home usage and perhaps 10 € for professional usage inside company networks.
-
the general idea is that most of the official solutions are priced well out of the budget of many home users and are also not competitive with what a home user could put together on their own or buy from a third party.
This is all totally understandable and fine - netgate is clearly not marketing home users as their primary buyer for most of their products.
-
Apologies for not stating clearly that I'm comparing US vs German prices, not complaining about the pricing for Netgate hardware in general. I do see the value they bring to the table, but I question the addition of 100+€ from that partner. But as I said, this is not so uncommon, not sure why though.
I'm also interested in the Gold subscription as I've heard very good things about the book. So I'd be paying roughly $250. I'd definitely consider buying that, especially since then I can actually get confirmation from Netgate themselves before the purchase that it would (probably) fit my needs.
I love more the APU2C4 bundles from the varia store here in Germany, they offer mostly good parts and are also not so high in price.
Hey thanks, I saw their offer on Amazon but good to hear they use good components. One line of thinking was to start with that and if for whatever reason I don't have enough power on this one, use it as a slave in a HA setup. Haven't looked into that too much, but it would enable me to use a VM with plenty of power and a backup unit in case the server gets rebooted / dies / explodes / flies away.
-
Gold is a great purchase if you're trying to learn pfSense, whether you purchase an official product or not.
-
Hey thanks, I saw their offer on Amazon but good to hear they use good components.
For the lower Internet connection speeds here in Germany it will be one of the best and most often sold hardware in combination with pfSense, as far as I am informed. It is running here for 100 MBit/s down and 50 MBit/s up for ~ 70 employees together with IPSec VPN, Squid & SquidGuard, snort and pfblockerNG, all is fine.
One line of thinking was to start with that and if for whatever reason I don't have enough power on this one, use it as a slave in a HA setup.
You will be able to run it in one big 1U case as well, available from the Varia-Store; here is a link to that dual 1U case:
APU2C4 - 1 U" - rack mount case
Haven't looked into that too much, but it would enable me to use a VM with plenty of power and a backup unit in case the server gets rebooted / dies / explodes / flies away.
That could also be very interesting, but I love more the real hardware HA setup: if one server is "gone", mostly both VMs are also "gone", please don't forget this too!
For more power you could also have a look at the new Supermicro Atom C3000 line. But the network drivers will not really match all NICs that are SoC integrated!!! Stronger and faster than the Intel Atom C2000 series, but slower and less powerful than the Intel Xeon D-15xx series.
It is not only interesting what kind of Internet connection speed you are running; the amount of installed packages, running applications, offered services or used protocols will also be important, like the number of users and their produced traffic such as mailing, surfing, gaming or audio/video streaming!