Upgraded to Gigabit line, need to overhaul my network
-
Well I for sure love to support the project that is for sure.. I have been a very active member of the forum for 10 years ;)
The SG-4860 I am looking to get states best for ;)
Best For:
SMB with Medium Sized Networks
Small to Medium Sized Branch Office with heavy loads
Managed Service Providers (MSP) / Managed Security Service Provider (MSSP) On Premise Appliance
Anyone with High-Speed Gigabit Connections
Many VPN Connections
While I might not have gig currently.. Not sure what I might have next year ;)
The sg-2440, sg-3100 lists
Teleworkers needing an "Always-Up" network or VPN connections
I am with you though all of their hardware is more designed for business use that is for sure.. I don't think they are pricing them with the home user in mind ;)
If we are going to talk about pricing differences.. Your J3355B build for $250 draws how much power? So in X number of months your up front cost savings could be eaten up by your extra $ per month powering it.. So sure I could put together something for cheaper now - but I am going to have it on for years.. So while I save few hundred now.. When do I start losing money paying the electric bill? Have to do the math, etc.. I would much rather pay that money up front and support pfsense.
-
I certainly won't argue with supporting the cause, I think that's awesome!
J3355 is low power passively cooled Celeron, i340 is low power NIC, picoPSU 80W has high AC-DC efficiency (I think 88%, haven't looked at spec sheet in awhile?) SSD and SO-DIMM DDR3L also low power - the build has no moving parts. I never measured my J3355B at the wall when I was using it for pfSense.
I currently use it for HTPC with LibreElec (Linux) and measured it with a Kill A Watt and it pulled I think between 11-14W during high bitrate HEVC 4K playback. So with pfSense shouldn't be all that different.
All that aside, supporting the cause is a great reason to buy official for home! Just not everyone has the means to do so.
-
When do I start losing money paying the electric bill?
Not before the equipment becomes obsolete.
-
@BlueKobold:
…you should
overthink that before buying your hardware. Increasing the mbuf size, squid, snort and pfBlockerNG will be fast
eaten 4 GB!
Perhaps you may think about a fast switch that will be able to route your network with wire speed can be relieve the
firewall from some work to run one or more packets with ease. Cisco SG200/SG50 series SG300/SG350 series
might be a really nice matching.
To address your points, I agree that I should have an understanding of my network goals, which I do. I know that my network will not exceed 1Gbps anytime in the next 5 years at least (and honestly, I doubt I will even need the connection I have at that point). I figured I am just going to throw 8GB of RAM into whatever box I have just for the peace of mind (and I am able to upgrade my laptop's RAM from 8GB to 16GB, and reuse the sticks from the laptop, getting a double benefit).
Lots of headroom in the budget and already running cat6+ and Gb WAN? Go for 10GbE LAN!!! ;D
Definitely get yourself a solid managed switch whether you go GbE or 10GbE.
$200 DIY build (if you don't already have things to reuse) will get you a J3355B build with an eBay i340t2 & SO-DIMM's, picoPSU and small SSD - very power efficient and reasonably powerful. More than that will cost more $$.
Since you're upgrading the whole network and jumping into pfSense definitely go for Gold no matter where you buy the hardware.
I have multiple gigabit switches, plus none of my devices are able to capitalize on a 10Gbps network. Since 1000ft of In-wall Cat6 is roughly $100, but Cat7 is $350+, I can't justify laying down the cable without having any devices actually be able to use it.
My goal is to run Cat6 to every room, 1-2 outlets w/a ceiling mounted Wireless AP. I can probably get away with a 12-port patch panel, but will get a 24 port anyway just in case I decide to add more ports later. I plan on getting a 4u+ cabinet that I can stuff the panel, my new pfsense router, a larger switch (using my current ones in each room), and potentially migrating my NAS into a rack-mount unit.
So with that said, my budget is roomy, but it isn't unlimited. It is hard to get approval from my wife for spending an extra $500-$1000 for a negligible, if any performance increase. I plan on getting the best 'bang for my buck' as far as hardware.
Thanks again for everyone's input, it has certainly helped a lot.
-
Lots of headroom in the budget and already running cat6+ and Gb WAN? Go for 10GbE LAN!!! ;D
Definitely get yourself a solid managed switch whether you go GbE or 10GbE.
$200 DIY build (if you don't already have things to reuse) will get you a J3355B build with an eBay i340t2 & SO-DIMM's, picoPSU and small SSD - very power efficient and reasonably powerful. More than that will cost more $$.
Since you're upgrading the whole network and jumping into pfSense definitely go for Gold no matter where you buy the hardware.
I have multiple gigabit switches, plus none of my devices are able to capitalize on a 10Gbps network. Since 1000ft of In-wall Cat6 is roughly $100, but Cat7 is $350+, I can't justify laying down the cable without having any devices actually be able to use it.
My goal is to run Cat6 to every room, 1-2 outlets w/a ceiling mounted Wireless AP. I can probably get away with a 12-port patch panel, but will get a 24 port anyway just in case I decide to add more ports later. I plan on getting a 4u+ cabinet that I can stuff the panel, my new pfsense router, a larger switch (using my current ones in each room), and potentially migrating my NAS into a rack-mount unit.
So with that said, my budget is roomy, but it isn't unlimited. It is hard to get approval from my wife for spending an extra $500-$1000 for a negligible, if any performance increase. I plan on getting the best 'bang for my buck' as far as hardware.
Thanks again for everyone's input, it has certainly helped a lot.
I was just playing with 10Gb, it isn't terribly practical for home use yet other than client to client stuff.
As far as cabling though, Cat6 is good for 10Gb on runs up to 180', so you're good there. Ethernet switches and NIC's are where you get killed on 10Gb though.
You can certainly build out a very solid router though. Have fun!
-
I second the opinion not to go with the Protectli device on Amazon. I bought one. The E3845 4 port job, and I hit about ~500Mbps on a 1Gb X 35Mb cable provider. With a laptop directly connected, about 840Mbps. Plus I am pretty sure this device is a rebadged from, copy and paste here, YanLing Industrial Computer Technology (Shenzhen) Co.,Ltd. on Alibaba.
I am pretty close to re-purposing this device as an upgraded workstation for my wife, and getting an SG-4860 as soon as I do some more checking on its throughput with Snort, pfBlockerNG and other services turned on. I might go with used i5/i7/Xeon hardware if I can keep the power consumption to a minimum. I can't believe my router needs more power than my four VM, two container Proxmox server running a C2750.
-
What effect will QuickAssist support have on fast OpenVPN once QAT software support is enabled? Might a Netgate SG-4860 or equivalent be a good choice when future-proofing is considered?
10Gbase-T works but I don't think it should be taken into consideration yet. I'm not sure the upstream providers have really settled on what connection/media to use from the modem to customer, and 10G switches are still expensive and noisy. For gigabit connectivity I'd like some extra headroom on WAN and LAN (more than 1000base-T) but it's just not practical to spend money on that right now unless you already need 10G for other reasons.
-
"Not before the equipment becomes obsolete."
That depends on the swing doesn't it.. Let's use the 20watt number thrown out there somewhere.. Yeah that is not very much.. about 25$ year.. If the device is 100$ cheaper, that gives you 4 years until you break even on the cost difference.. Don't know about you.. But I would hope to get 4+ years out of the thing ;) It sure not going to be obsolete in 4 years. Unless maybe they put in new internet in your area and you can get 10Ge for cheap ;)
If it's a 40w swing.. That is 2 years.. So while it might be nice to throw that rocketship of a CPU at it and sure can do all kinds of cool things with it.. Do you really need that?
So let's take device more priced for home, the sg3100.. So since you're wanting to support the company you would get gold either way right ;) So throw that out.. So now you get that hardware for $250.. Can you build your box comparable to the sg3100 for $150? Does it use 20w or more per hour more? If so then your savings are gone in 4 years… If you run it for six years.. Then that device actually cost you 50$ more than if you would have just gotten the sg3100..
I get you how a few watts here a few there make no real difference.. I wouldn't drop $200 bucks to save 20w an hour.. But if you're needing to buy hardware anyway for a project.. I would for sure take into account the difference in electric cost of the device.. Don't forget that that 20watt swing also means that device can run on ups for just that much longer than the power hungry device, etc.
-
"Not before the equipment becomes obsolete."
That depends on the swing doesn't it.. Let's use the 20watt number thrown out there somewhere.. Yeah that is not very much.. about 25$ year.. If the device is 100$ cheaper, that gives you 4 years until you break even on the cost difference.. Don't know about you.. But I would hope to get 4+ years out of the thing ;) It sure not going to be obsolete in 4 years. Unless maybe they put in new internet in your area and you can get 10Ge for cheap ;)
If it's a 40w swing.. That is 2 years.. So while it might be nice to throw that rocketship of a CPU at it and sure can do all kinds of cool things with it.. Do you really need that?
So let's take device more priced for home, the sg3100.. So since you're wanting to support the company you would get gold either way right ;) So throw that out.. So now you get that hardware for $250.. Can you build your box comparable to the sg3100 for $150? Does it use 20w or more per hour more? If so then your savings are gone in 4 years… If you run it for six years.. Then that device actually cost you 50$ more than if you would have just gotten the sg3100..
And if the price difference is $0 and the power difference is 10kW, then it pays for itself instantly! Of course, those aren't the real numbers so why bring them up? You started this by comparing an SG-4860 to a J3355, so you're looking at a $500 premium to save less than 20 watts. I'll stand by the assertion that the hardware will be obsolete before that investment pays for itself.
Then you tried to change the rules by pushing the sg3100 instead. That certainly makes the price difference lower and shaves a couple more watts off the power consumption, but we don't actually have any idea how it performs. Is it a reasonable alternative to a J3355 for OpenVPN? No idea. (Probably not.) Excluding OpenVPN also makes the J3355 overpowered, so now you're comparing the SG3100 to an APU2. The value there basically comes down to how important you consider the integrated switch & the gold subscription. For some people/applications it's a slam dunk, for others it's a meh.
-
It really just comes down to what the user is comfortable buying or building. But generally speaking you will come out on top diy.
Official hardware (when compared to today's COTS hardware) is shockingly anemic. But this is very normal for this type of hardware. I would also argue that 95% of the DIY boxes for home use pfSense are WAY overspecced for routing packets.
For $250 to beat out the SG-3100? Easy, J3355B build with a Pico PSU in an m300 case with an i340t4. J3355 is apples and oranges to the ARM A9. The power difference will probably be sub 10W as well.
Another option is a business laptop, for example my travel laptop is a T430. It cost me I think $150 used and comes with an i2xx Intel NIC and an i5 with AES-NI. Pair that to a decent switch for $100, install pfSense and now you have a very powerful home network that is also low power and has a UPS.
But not everyone can or will repurpose a laptop.
There are reasons to buy official pfSense for the home, I'm just saying price/performance isn't one of them, even when power consumption is considered.
-
@jrv:
What effect will QuickAssist support have on fast OpenVPN once QAT software support is enabled? Might a Netgate SG-4860 or equivalent be a good choice when future-proofing is considered?
No, there's very little chance that the QAT will ever do anything useful on those boxes. You certainly should not base purchasing decisions on something that might happen at some undefined point in the future.
-
The power consumption decision involves a lot more than just savings on the electric bill.
My machine closet is sound insulated with an air duct & return (the guy I bought the house from did it, not me!) Few people have that luxury: my previous "machine closet" was the back wall of coat closet with no air flow & surrounded by thermal insulation; before that the equipment was in the office with me, exposing me to the noise any fans might make.
My guess is that a fan is out of the question for most people. I can see paying a little more for a lower-power solution if the goal is to minimize noise and thermal issues while approaching gigabit speeds with OpenVPN
-
You will not approach Gigabit Speeds on OpenVPN with any cheap fanless solution. The exception to this would be via Gateway groups, then you can do it with something like a J3455 - I think each of its four cores does something like 200Mbps OpenVPN, and that's another cheap fanless board.
But if you want it on a single thread, and fanless? I'm not aware of anything that will do that without some extreme cooling solutions. Certainly no official products if that's what you're alluding to.
But again, it's worth mentioning that High Throughput OpenVPN isn't really an enterprise level solution (most users trying to do this are home users) and most of the official products are aimed towards enterprise. So you can still get great VPN performance out of the official hardware using IPSec, it'll just take a little more effort to setup.
-
@jrv:
The power consumption decision involves a lot more than just savings on the electric bill.
My machine closet is sound insulated with an air duct & return (the guy I bought the house from did it, not me!) Few people have that luxury: my previous "machine closet" was the back wall of coat closet with no air flow & surrounded by thermal insulation; before that the equipment was in the office with me, exposing me to the noise any fans might make.
My guess is that a fan is out of the question for most people. I can see paying a little more for a lower-power solution if the goal is to minimize noise and thermal issues while approaching gigabit speeds with OpenVPN
An APU2 is fanless. A J3355 is typically fanless. A kaby lake celeron can be fanless, or depend on a large low RPM case fan. Even an i3 or i5 has a variable speed fan which isn't tremendously loud unless you're really hitting the CPU–in which case you're doing something you wouldn't be able to do with any low power fanless system, anyway. The worst offenders with fan noise are rackmount systems, which generally aren't designed with noise as a concern because they're intended to be in a rack in a data center. Just avoid those and you're good. So while you're right that there's more to low power than the electric bill, it's not particularly relevant to this thread.
-
What effect will QuickAssist support have on fast OpenVPN once QAT software support is enabled? Might a Netgate SG-4860 or equivalent be a good choice when future-proofing is considered?
At this time, today when I drop you this couple of lines here, to speed up VPN tunnels and pointed directly to
speeding up OpenVPN it will be having no impact and/or benefit! But, if you read between the lines here and there
this feature or option is even actually in the game play or better said it is even on the road map of the pfSense
developers that are not inserting it into the code for nothing. Perhaps it´ll be not really important for any user
and many customers or plain all who are using pfSense, I am pretty sure, but the ones who want it, need it or
use it, they will be happy with it.
10Gbase-T works but I don't think it should be taken into consideration yet. I'm not sure the upstream providers have really settled on what connection/media to use from the modem to customer, and 10G switches are still expensive and noisy. For gigabit connectivity I'd like some extra headroom on WAN and LAN (more than 1000base-T) but it's just not practical to spend money on that right now unless you already need 10G for other reasons.
Netgear GS110MX ~200 € - unmanaged Layer2
Netgear GS110EMX ~250 € - WebGui Layer2
D-Link DGS1510-20 ~230 € - CLI, WebGui Layer3
Excluding OpenVPN also makes the J3355 overpowered, so now you're comparing the SG3100 to an APU2. The value there basically comes down to how important you consider the integrated switch & the gold subscription. For some people/applications it's a slam dunk, for others it's a meh.
SG-3100 VPN and WAN throughput, the first numbers (lab tests)
- the device has up to a gigabit throughput with pfSense
- up to 300Mbps throughput with IPsec AES128-CBC SHA1.
- up to 95Mbps throughput with OpenVPN AES128-CBC SHA1
Thread on reddit with the same numbers
SG-3100 is doing 300mbps IPsec in the lab, but we just found that only 1/2 the crypto unit is enabled
If the VPN is for mobile clients from the road to home network it should also be running well over IPSec,
if not or for an VPN provider connection it will be better to go with another hardware here in that case.
Intel Atom C2558 V Intel Atom C3558 AES
(besides of all)
No, there's very little chance that the QAT will ever do anything useful on those boxes. You certainly should not base purchasing decisions on something that might happen at some undefined point in the future.
OK I will consider to this statement for sure, during one or more development phase´s all can be changing
fast as no one was able expect it before.
Intel QAT small talk:
9 month ago
one month ago
another one month ago
2017 Userspace summit
-
@BlueKobold:
Intel QAT small talk:
9 month ago
one month ago
another one month ago
2017 Userspace summit
You do understand that the QAT in the C3xxx series is incompatible with the QAT in the C2xxx series? The more talk there is about the QAT in the newer series, the less likely that the QAT in the C2xxx will ever be utilized. (And, in fact, you can find the pfsense developers directly saying that it's unlikely that they'll ever bother with the QAT in the C2xxx.)
-
Let us imagine some other points, I said only imagine, not that this will be coming or passing through!
You do understand that the QAT in the C3xxx series is incompatible with the QAT in the C2xxx series?
Yes I am understanding that! But you should be thinking more positive please.
If the QAT driver version 1.6 from pfSense team is not compatible with the Intel Atom C2000 but perhaps with
the newer Netgate hardware based on Intel Atom C3000 called Denverton and the QAT driver version 1.5 from
the NetBSD team is supporting also the Intel Atom C2000 called Rangeley, they only have to exchange this
drivers and porting them to each of their OS, so the developers will not have any more to bother with that
driver and all is fine for them and us!
So it could be happen, that at November 2017 the newer hardware from netgate will be launched and fine for
using QAT and perhaps in December 2017 or later it could be happen that the older customers and clients
of them get their "Christmas parcel" too and will be able to use QAT also. Its more cutting half the entire
work time on that drivers that must only be exchanged then as the results.
For sure that can be running very different each from another, or never becomes true but it will be a real chance
for and us too as I see it right.
And being very open talking over that point, perhaps many users will be very impressed if they know that peoples
from pfSense and/or were talking with employees from the VyprVPN company about the one or other thing, who
knows it really….....
The more talk there is about the QAT in the newer series, the less likely that the QAT in the C2xxx will ever
be utilized.
But with this words you are talking that it will be not utilized only and not it is not finding its way into the system, right? ;)
Like on Rangeley, the QAT scales by the number of cores. Unlike on Rangeley, the QAT has good support. Link
And, in fact, you can find the pfsense developers directly saying that it's unlikely that they'll ever bother with the QAT in the (C2xxx.)
I don´t know if that driver from the NetBSD project is able to exchange only, or if this will be easy or able to realize,
but if so I think this might be nice for both parties as well as for us.