Upgraded to Gigabit line, need to overhaul my network
-
That processor won't be able to carry the load you're thinking of - especially the VPN traffic at a decent rate. I would recommend a mobile i5 chip (such as i5-5250U) with 4 gigs ram (min) - 8 gigs ram (future proof) and a 32gig SSD.
There is limited benefit to using squid on a home network, let alone a home network that has a throughput of 1gbps to the outside world, unless you are on a metered connection. For reference squid would benefit you if:
1. All of your users downloaded the same large files
2. If your WAN bandwidth was less than your LAN bandwidth (as by installing squid you would just move the bottleneck from the WAN port to the LAN port with no overall increase in throughput)
On the flip side you will get increased latency vs. going to the WAN directly.
If you VPN your whole network expect a max throughput of about 600-700mbps due to OpenVPN limitations. And that is using gateway groups (i.e. multiple OpenVPN connections, load balanced with each other) and for highly parallel traffic, such as torrents/browsing. For single large file downloads you would be limited to under 200-300mbps, again due to OpenVPN limitations, no matter what hardware you pick.
-
J1900 is going to suck for high speed OpenVPN. It's single threaded. Based on the following thread, you'll probably see sub 100Mbps throughput over the VPN.
https://forum.pfsense.org/index.php?topic=115673.0
You won't get Gigabit OpenVPN on any hardware, I think about the best you'll see is probably in the 6-700Mbps range if you go with something like an i3-7350K @ 4.2GHz.
I would say for gigabit throughput if OpenVPN is involved, set your minimum CPU at a J3355 - you should get in the 300Mbps range with that over OpenVPN, full gigabit for just routing.
Upper limit I would pay for is the 7350K @ ~$140. I would recommend a G4620 @ ~$90 as a good compromise.
Pair that with some good NICs - if your connection is PPPoE, use em - Intel PRO/1000, if not use igb - Intel i340 or i350.
-
> I would recommend a mobile i5 chip (such as i5-5250U).
> For single large file downloads you would be limited to under 200-300mbps, again due to OpenVPN limitations, no matter what hardware you pick.
Nope nope nope, all of this is bad/wrong.
Mobile CPUs suck at OpenVPN, the 5250U is a 1.6GHz dual core from Broadwell.
You can definitely break 2-300Mbps OpenVPN single thread with a modern high clock CPU. People get 300Mbps with J3355 Celerons single threaded, I'll grant you that there are diminishing returns, but 300Mbps is certainly not a ceiling.
With gateway groups you can get full gigabit OpenVPN with even old quad cores - just use 4 OpenVPN gateways. Even an old i5-2400 will very likely hit Gigabit OpenVPN that way (~236Mbps x 4 cores).
But - as mentioned, gateway groups have their own limitations. They are still a good idea for most people - just so long as you understand the limitations.
-
> I would recommend a mobile i5 chip (such as i5-5250U).
> For single large file downloads you would be limited to under 200-300mbps, again due to OpenVPN limitations, no matter what hardware you pick.
> Nope nope nope, all of this is bad/wrong.
> Mobile CPUs suck at OpenVPN, the 5250U is a 1.6GHz dual core from Broadwell.
> You can definitely break 2-300Mbps OpenVPN single thread with a modern high clock CPU. People get 300Mbps with J3355 Celerons single threaded, I'll grant you that there are diminishing returns, but 300Mbps is certainly not a ceiling.
> With gateway groups you can get full gigabit OpenVPN with even old quad cores - just use 4 OpenVPN gateways. Even an old i5-2400 will very likely hit Gigabit OpenVPN that way (~236Mbps x 4 cores). But - as mentioned, gateway groups have their own limitations. They are still a good idea for most people - just so long as you understand the limitations.
Yes, base clock is lower but it does turbo to 2.7GHz.
https://forum.pfsense.org/index.php?topic=105238.msg709164#msg709164
Also, doing the above OpenVPN crypto benchmark on the i5 yields 320mbps throughput on aes-256-gcm and 296mbps on aes-256-cbc. Therefore, its performance is on par with the J3355 and both will perform a tad bit slower than this in real life.
Some performance comparisons are also here:
https://forum.pfsense.org/index.php?topic=115673.0
-
Never rely on burst frequency for performance.
Burst is just that - burst. You might get that frequency for a matter of seconds before it steps back down to base frequency.
Burst is great for benchmarking, because the benchmark is often done before the CPU steps back down to base.
Then 10 seconds later that performance goes away. Not to mention there's no guarantee you'll get it at all on FreeBSD.
On top of all that, people typically try to keep the size of their routers to a minimum. This just means that the ambient case temps will be high enough that the CPU might not have the thermal headroom to burst at all, and if it does it will likely not be for long.
-
Don't get a protectli, but do check out Qotom (not the J1900). We have a thread for that: https://forum.pfsense.org/index.php?topic=132528.0
You can get a cheap box with decent performance.
-
So I recently upgraded my bandwidth, and unfortunately for me my old pfSense router couldn't keep up (Core 2 Duo w/6GB DDR2 Ram could only get about 250mbps).
> If you were in my shoes, what would you set up for yourself?
I am in the same boat actually.. I just updated my line to 500/50 and my old pfsense VM just couldn't handle it.. To get instant access to the bandwidth I had to go with a temp install of a unifi usg 3p.. Only reason for this was it is cheap $100 and can route at speed… It handles the 500/50 without any issues..
It only has to handle the job until Nov when I get new pfsense hardware. Which is more than likely going to be a sg-4860.. Go big or go home ;) This is the most umph I can get from pfsense/netgate that I am aware of before going into rack units. I don't have the place to put a rack system - even though I would love to..
Have to work out the details with the budget committee (wife), etc.. The $100 usg box was cheap enough to sneak through the budget without much grief.. hehehe
Since you're talking about a redo of your network - do you have a budget in mind? Have you looked at or have you considered hardware from pfsense/netgate? Vs doing a DIY system? Since you ask what I would do - while the price can be attractive, I personally would stay away from all the china boxes.. But that's just me, there are many people that use them and are happy with them.
-
I agree with john on the chinese boxes. IMO official pfSense is supported, official, but you pay for that. DIY is community supported (pfSense has a pretty damn good community support system on here, IRC and reddit), and unofficial - but you get amazing price/performance value.
Then there's the chinese boxes. They aren't official, aren't supported, and they fall somewhere in between. You pay more for having the hardware pre-installed in a good looking SFF box, but you don't get any support if it doesn't work right. It is a better price/performance than official pfSense, but me personally I'd either save a lot of money and DIY or spend a little more and buy official.
-
> I agree with john on the chinese boxes. IMO official pfSense is supported, official, but you pay for that. DIY is community supported (pfSense has a pretty damn good community support system on here, IRC and reddit), and unofficial - but you get amazing price/performance value.
> Then there's the chinese boxes. They aren't official, aren't supported, and they fall somewhere in between. You pay more for having the hardware pre-installed in a good looking SFF box, but you don't get any support if it doesn't work right. It is a better price/performance than official pfSense, but me personally I'd either save a lot of money and DIY or spend a little more and buy official.
Yeah, most of the lesser known boxes or older boxes aren't a good choice. The few that work well have their own threads on the forums, but for other cases a DIY build is better. For cases where you want actual reliability and known vendors, the official hardware is the place to go.
So far, our experiences and experiments with the more recent Qotom boxes (3rd gen Intel chips in the Celeron, Core i3 and i5 versions) as documented in the dedicated thread have been quite positive, plenty of guides to get a nice setup going. Other hardware solutions such as re-purposing other branded firewall boxes (like the Watchguard) have similar dedicated topics and information on setup, performance and quirks.
-
Another comment to these china boxes you see on amazon and such that mention pfsense.. They need to be real careful, I know pfsense has actively been going after them.. And they for sure can not have pfsense pre-installed on them.. Unless they have cleared that with pfsense.. Which I don't think any of them have.
I know some threads have linked to some of these boxes, the links have been removed and pfsense has gone after them.. Just my understanding, not official in any way and I might be off base.
But while you can say your hardware will "work" with pfsense.. You can not actually call it a pfsense firewall or hardware or have it installed on the box when shipped to the buyer, etc. Unless you for sure have cleared that with pfsense, etc.
To be honest, while you might save a few bucks doing DIY.. I think getting hardware from pfsense/netgate is better in the big picture. It helps pfsense, it helps you know your hardware is going to be rock solid.. And you get gold to boot ;) That being said if you're wanting to build some rocket ship on a shoe string budget - there is that aspect of it too ;)
I am curious to see what kind of info we get from people in the field once the sg-3100 start shipping. This price point is pretty attractive for official hardware I think.. Take into account the gold and access to the book, etc. And shoot your price point is right in line with some of these soho routers that don't do shit ;)
-
> J1900 is going to suck for high speed OpenVPN. It's single threaded. Based on the following thread, you'll probably see sub 100Mbps throughput over the VPN.
> https://forum.pfsense.org/index.php?topic=115673.0
> You won't get Gigabit OpenVPN on any hardware, I think about the best you'll see is probably in the 6-700Mbps range if you go with something like an i3-7350K @ 4.2GHz.
> I would say for gigabit throughput if OpenVPN is involved, set your minimum CPU at a J3355 - you should get in the 300Mbps range with that over OpenVPN, full gigabit for just routing.
> Upper limit I would pay for is the 7350K @ ~$140. I would recommend a G4620 @ ~$90 as a good compromise.
> Pair that with some good NICs - if your connection is PPPoE, use em - Intel PRO/1000, if not use igb - Intel i340 or i350.
An i3 7350K is not required for high OpenVPN speeds. I reach up to 800 Mbps with OpenVPN and PIA using an Intel G4400 and an Intel i350 NIC, the G4400 is almost $100 cheaper than a 7350K. The G4620 is probably a good choice as well, but might as well get a G4560 if you're after HT.
@DaddyNugget: it's really the OpenVPN speed you need that determines which CPU suits you best. It's the single core speed that determines its OpenVPN capabilities. So for 300mbps OpenVPN a J3355B might be your best bet, if you need something faster a Pentium (G4400/G4560 etc.) or i3/i5(u) with a high single core speed is required. You can build a J3355B or Pentium system yourself, same for an i3/i5 system, but for an i3u or i5u you will probably need a prebuilt system (QOTOM etc.).
-
Wow, 800Mbps single thread on OpenVPN is really impressive!
Are you using fast io and increase buffers?
-
Wow! I was doing some homework before work, and figured maybe I would get a single reply before I got back, thanks for all the help guys!
So because a lot of similar suggestions were made, I will rattle off my answers to everyone.
1. I am not looking at any specific manufacturer for hardware right now, but if I decide to go with some Chinese hardware firewall device I will most likely be going through aliexpress. My reasoning here is that it costs $50-100 less than the exact same product on Amazon, and I might be able to score a better deal overall.
2. I have considered the already setup pfsense firewalls, but I haven't committed to these yet for a couple reasons. The first is that I simply enjoy assembling my own PCs and devices. The second is that they were suggesting me a firewall that is higher than my anticipated budget. An SG-2440 w/32GB EMMC storage is $550. If I understand correctly, the emmc storage is slower than a typical SSD and I was unsure if this could impact my performance. A firewall device from AE w/a celeron (I can't pull up the specific one, but it was a 4 core w/AES-NI) w/8gb ram + 64GB mSATA SSD was $400. I didn't realize that pfsense gold came with the hardware, which is making me re-evaluate what I want to buy.
3. Although I have plenty of components to DIY it myself (2port gigabit Intel NIC, Skylake Celeron I am not using, etc) the reason I want to put a bit more time, money, and effort into this is to both reduce my power bill and the size of the machine. My previous build was in a smaller workstation, but was awkward to keep, not to mention it pulled much more than 20W. My thought process is to get something small and capable, but that I won't need to replace for at least 4 years.
4. My network overhaul has a roomy budget because I won't be able to do everything all at once. I am planning on running proper Cat6 or Cat7 throughout my home. I will have a proper server cabinet, whether it is in a closet or mounted somewhere, with a patch panel etc. I will also be running at least one PoE AP. My end goal is to have a setup that isn't Jerry-rigged together and falling apart all the time, without paying for an enterprise solution.
Ultimately I was originally under the impression that a DIY gigabit router would be $200 or less, but I came to the conclusion that if I am willing to spend $200 for a half-ass firewall, I should instead be willing to pay 2x-3x for a proper one.
Thank you again to everyone for your quick and informative responses, the information about the VPN use was certainly helpful. Also I came to the same conclusion about the usefulness of squid if my throughput goes all the way through to my WAN. It just didn't dawn on me until I was in the car.
-
> Wow! I was doing some homework before work, and figured maybe I would get a single reply before I got back, thanks for all the help guys!
> So because a lot of similar suggestions were made, I will rattle off my answers to everyone.
> 1. I am not looking at any specific manufacturer for hardware right now, but if I decide to go with some Chinese hardware firewall device I will most likely be going through aliexpress. My reasoning here is that it costs $50-100 less than the exact same product on Amazon, and I might be able to score a better deal overall.
> 2. I have considered the already setup pfsense firewalls, but I haven't committed to these yet for a couple reasons. The first is that I simply enjoy assembling my own PCs and devices. The second is that they were suggesting me a firewall that is higher than my anticipated budget. An SG-2440 w/32GB EMMC storage is $550. If I understand correctly, the emmc storage is slower than a typical SSD and I was unsure if this could impact my performance. A firewall device from AE w/a celeron (I can't pull up the specific one, but it was a 4 core w/AES-NI) w/8gb ram + 64GB mSATA SSD was $400. I didn't realize that pfsense gold came with the hardware, which is making me re-evaluate what I want to buy.
> 3. Although I have plenty of components to DIY it myself (2port gigabit Intel NIC, Skylake Celeron I am not using, etc) the reason I want to put a bit more time, money, and effort into this is to both reduce my power bill and the size of the machine. My previous build was in a smaller workstation, but was awkward to keep, not to mention it pulled much more than 20W. My thought process is to get something small and capable, but that I won't need to replace for at least 4 years.
> 4. My network overhaul has a roomy budget because I won't be able to do everything all at once. I am planning on running proper Cat6 or Cat7 throughout my home. I will have a proper server cabinet, whether it is in a closet or mounted somewhere, with a patch panel etc. I will also be running at least one PoE AP. My end goal is to have a setup that isn't Jerry-rigged together and falling apart all the time, without paying for an enterprise solution.
> Ultimately I was originally under the impression that a DIY gigabit router would be $200 or less, but I came to the conclusion that if I am willing to spend $200 for a half-ass firewall, I should instead be willing to pay 2x-3x for a proper one.
> Thank you again to everyone for your quick and informative responses, the information about the VPN use was certainly helpful. Also I came to the same conclusion about the usefulness of squid if my throughput goes all the way through to my WAN. It just didn't dawn on me until I was in the car.
Considering your points, the (so far) well tested Qotom is the way to go. Add pfSense gold to that (99,-) and you'll be at ~300 in total. It'll be small, not use a lot of power, and you'll be supporting the project. By the way, getting a $400 thing is a bit high for what you'd be getting. I have not found a PC or embedded system worth $400 on there ;-)
-
@johnkeates:
> Wow!
> …
> until I was in the car.
Would you mind NOT quoting the total post, please? The info is already there to read for everyone, we don't need it twice. Right?
-
> 4. My network overhaul has a roomy budget because I won't be able to do everything all at once.
Here more than one point is playing together, and it might be better to know all the things you will be reaching for. So if you are telling us that you will later be able to install more than one package on top of all this, you should think that over before buying your hardware. Increasing the mbuf size, squid, snort and pfBlockerNG will quickly eat up 4 GB!
> I am planning on running proper Cat6 or Cat7 throughout my home. I will have a proper server cabinet, whether it is in a closet or mounted somewhere, with a patch panel etc. I will also be running at least one PoE AP. My end goal is to have a setup that isn't Jerry-rigged together and falling apart all the time, without paying for an enterprise solution.
Perhaps you may think about a fast switch that is able to route your network at wire speed; that can relieve the firewall of some work so it can run one or more packages with ease. Cisco SG200/SG50 series or SG300/SG350 series might be a really nice match.
> Ultimately I was originally under the impression that a DIY gigabit router would be $200 or less, but I came to the conclusion that if I am willing to spend $200 for a half-ass firewall, I should instead be willing to pay 2x-3x for a proper one.
Most people see only what they were running before changing to pfSense! It's mostly a consumer plastic router that is ASIC/FPGA based and does the entire job, and we are talking here often about SPI (netfilter) and NAT (network address translation), but pfSense is a firewall that works with the BSD packet filter and can be turned into a fully featured UTM device, but without the whole license subscriptions and fees that mostly come along with those UTM devices too.
And so most users think the best plastic router will be around ~$200 to ~$300 and that they are able to build a pfSense firewall on that budget or limit too; that is true, but then often on top of this they have needs that will not match that budget well, 1 GBit/s routing on the WAN, the highest OpenVPN throughput given on earth, and so on and so on.
-
Lots of headroom in the budget and already running cat6+ and Gb WAN? Go for 10GbE LAN!!! ;D
Definitely get yourself a solid managed switch whether you go GbE or 10GbE.
$200 DIY build (if you don't already have things to reuse) will get you a J3355B build with an eBay i340t2 & SO-DIMMs, picoPSU and small SSD - very power efficient and reasonably powerful. More than that will cost more $$.
Since you're upgrading the whole network and jumping into pfSense definitely go for Gold no matter where you buy the hardware.
-
> I thought this was your home installation. :P
It is! ;) But the 6 ports are very attractive to me.. I don't like having to hairpin intervlan traffic.. This gives me the ability to break out vlans onto their own connection and just use a dumb switch I have on the shelf vs having to hairpin on the same physical interface traffic between vlans.
I am a bit short on ports to do all of them currently.. But bigger switch will be next on the list. Until that I will leverage 1 of them to hang my pi network off.. They are all on the same vlan, so I can break them off onto their own interface on pfsense and remove that traffic from the interface handling all my vlan traffic currently, etc.
So of the 6 ports I will be using 4 of them right out of the gate.. Leaves 2 for future growth… Since I won't be using the wan interface into my esxi host now.. Could connect that direct to a pfsense interface for another segment or vlans for vms, etc.
Plus quad vs dual, more ram, etc. Plan on using this box or a while ;) And since my VM was a limitation with playing with other packages like ntopng, and the ips packages - this give me ample performance to play with about any sort of packages I want, etc..
Funny thing is my home pfsense will be bigger than work.. But work is replacing juniper in 2 more branch locations here soon. Prob get a 3100, see how it fares before getting the 2nd one to decide if I should stick with 2440 or 3100 to save a couple bucks, etc. I'm hoping to move them into more central locations and bigger load, etc.. But all I could get ahead for was the branch places for now.. So that should be about 10 I think when all said and done..
-
> Wow, 800Mbps single thread on OpenVPN is really impressive!
> Are you using fast io and increase buffers?
Yes, both, really makes a difference.