Need to upgrade for gigabit (pppoe) connection
-
The phone company has rolled out 1gb/1gb fiber to my area. They installed a converter box on the side of my house that takes the fiber lines and outputs to an ethernet jack ran into my home. No modem or gateway. Authentication is done via PPPOE from within pfSense.
I've been using pfSense happily at home for several years at this point - my current build is running on this Atom D525 Board: http://www.supermicro.com/products/motherboard/ATOM/ICH9/X7SPE-HF-D525.cfm
Speed test with the above board is giving me 400/mbps or so in both directions. If I plug my MacBook directly in and set up a PPPOE connection I get 935mbps both ways. Even though the 400/400 is absolutely amazing I'd like to get my full connection speed if at all possible.
I am currently utilizing OpenVPN and IKEv2 IPSec Mobile Clients for VPN service, Suricata (not currently), BandwidthD, and the acme client for LetsEncrypt.
The network drop into the house comes into my office. Noise/space is an issue so I have made it a point to try and keep things quiet while also keeping everything constrained to a small Ikea "cabinet" I've put together that can hold very shallow rack equipment.
The main questions I have are:
-
Are there any "fanless" hardware available with an internal PSU that can handle the above speeds with pppoe in the mix
-
Will it fit in a shallow depth 1u chassis? I am using this now - it is perfect: https://www.supermicro.com/products/chassis/1U/510/SC510-200B
I'm looking at https://www.supermicro.com/products/motherboard/atom/A2SDi-2C-HLN4F.cfm or https://www.supermicro.com/products/motherboard/atom/A2SDi-4C-HLN4F.cfm but I'm not sure that the C3558 can do what I need it to. I'm also not sure if the NICs are supported in pfSense at this time (C3000), or if QuickAssist is worth it for my usage.
If I need to bump up the hardware I can - so long as it will fit in a shallow enclosure. I can always swap in some Noctua fans to keep the volume down if needed.
I appreciate any feedback offered.
-
-
The A2SDi-4C-HLN4F is nice but
PPPoE is single threaded
OpenVPN is single threaded
C3000 NICs are currently unsupported in FreeBSD -
There are X10 and X11-series SuperMicro board that fit shallow 1U (also supermicro) cases if that's what you want, but it's a bit expensive and total overkill for a home setup. You might as well go for an APU2, or a Qotom or MiniSys box.
-
Are you sure an APU2 can route at GBit speed with PPPoE, OpenVPN and IPsec running concurrently?
-
A Qotom Q355G4(i5-5200u) box or a minisys i3-7100u box can run up to 1 gigabit speed and does AES-NI for VPN. I prefer minisys i3-7100u box which can have maximum 32gb DDR4 ram for IDS/IPS purpose, even I has Qotom Q355G4(maximum 8gb ram) only. These two can be found in aliexpress.com. Qotom also sells its boxes in Amazon and ebay.
The bad thing is that both of them has 2 cores only, and are not good choices for IDS/IPS if you have over 100 computers to use internet at the same time.
Both of them are fanless boxes. But I put a USB fan on my qotom.
-
Thanks for the replies everyone!
PPPoE is single threaded
Is this planned to be multi threaded in the near future?
C3000 NICs are currently unsupported in FreeBSD
That's a show stopped definitely. Depending on the PPPoE performance I could live possibly with it, but not if the NICs won't even work.
@johnkeates:
There are X10 and X11-series SuperMicro board that fit shallow 1U (also supermicro) cases if that's what you want, but it's a bit expensive and total overkill for a home setup. You might as well go for an APU2, or a Qotom or MiniSys box.
I looked at those but I didn't see any with a really short depth (under 12 inches)
The Qotom stuff looks interesting, but I didn't see anything rackable. I guess I could get a shelf..
I'm crossing a little bit out of this board's focus, but would any of the official pfSense hardware work for my needs?
-
The top 3 in here won't work, but the others will: https://store.netgate.com/pfSense/systems.aspx
-
-
PPPoE, PPTP and FTP are those protocols in that pool of old shit that you just want to die and never come back. It's just no longer worth it to use them. Too bad ISP's are locked into their older gear and can't switch…
-
PPPoE is single threaded
Is this planned to be multi threaded in the near future?
Unfortunately this requires a non-trivial rewrite of the FreeBSD PPPoE code as I understand it. It's unlikely to happen any time soon. :-\
Steve
Which device would you recommend from your store for Gigabit (Symmetrical) PPPoE? (+ few other packages)
(Even more future proof, if possible, Gigabit + ) -
I'd suggest you ask for a non-PPPoE connection, might be much simpler.
-
Well, i wish i could ask that :)
-
Following up on this -
I bought the https://www.supermicro.com/products/motherboard/atom/A2SDi-4C-HLN4F.cfm board and loaded Proxmox on it. I did a fresh install of pfSense and then imported all my config files. I used the VirtIO network drivers for both the LAN and WAN adapters. I cranked up the speed test.
Aaaaand...... My speed was ~280/280. Worse than what it was on the old D525 Atom board (400ish/400ish).
After fooling around with my installed packages, I am surprised as to what was the biggest offender: BandwidthD. On removal of the BandwidthD package my speed jumped to around 800/800!
This is an issue noticed by a few other folks, but I never caught onto it.
Not too happy about this I re-deployed my old system to see if I got similar performance gains by removing BandwidthD (it's the same config, after all) - I was able to hit 570/540 on the D525 system after disabling BandwidthD- still slower than the new system so I did gain some speed with the new hardware (as well as a virtualization platform). Removing Suricata didn't have as much of a noticeable impact - maybe 10-15mb gain after a few more speed tests. pfBlockerNG removal had no impact - BandwidthD was the absolute killer in this situation. The CPU was holding at around 70% in the web GUI during the speed tests with all my add-in packages removed so I think I saw the maximum the D525 could push.
I'm not certain what the penalty (if any) on performance is for virtualization of pfsense, but this board will work well for anyone in a similar situation with high speed pppoe based internet and wanting a lower power draw (and smaller) system.
I also tested with a Sophos XG VM and was able to hit 930/930 so I'm hoping some additional tweaks in pfSense can get me to the same speeds. Once I have a good baseline of "maximum" I'll start adding packages and watching for performance hits.
-
Thanks for following up on this. Its nice to see some actual numbers from some of these old platforms. I have a system with an Atom 2550 running pfsense 2.4.x. Given that the 2550 and the D525 are neck and neck in many benchmarks, it seems that's 500 Mbit or so is about what I can expect out of this box. Mind you, I am still on 40Mbit/5Mbit plan so this is strictly theoretical.
-
If you have Intel NICs and you don't use PPPoE you might see slightly over 600Mbps with that. I recall another user reporting ~650Mbps with a similar box. That was many pfSense versions ago though.
Normal test caveats apply, packet size etc.Steve
-
@stephenw10 Unfortunately, my box has Broadcom NICs and I am in a CenturyLink area (PPPoE land.) We do have a municipal fiber provider (Utopia) but it’s not available in my area yet. They can provide from 250 Mbit to 10 Gigabit symmetric. I am just waiting for them to make it down my street and take my money.
Carlos
