Starting a Build
-
Hi,
I'm new to pfsense and am starting a build.
I'm currently looking at going with a supermicro A1SRI-2758F-O with the atom 8 core CPU.
Can anyone offer any better suggestion for a mobo? Or some opinions on this one, positive or negative.
Also, what would be a good mini itx small/mini case?
Thanks!
-
You will find that embedded solution to very costly for something such as this. Plus, the system will not really utilize all those cores anyhow. I'm doing a new build myself and chose the Intel DQ77KB which is a this mini-itx motherboard. With thin mini, you can put into a 1U chassis. Standard mini-itx is to tall to go into a 1U chassis. The DQ77KB gives you option of a socket that holds a wide range of CPU's which is nice if you ever want to use it in a desktop. It also has a expansion slot for a PCIE riser if you need more network ports. Additionally, it has 2 MSATA slots onboard. The DQ77KB has a much more simplified power system than that of the supermicro board. With the DQ77KB you can power it with a 19v laptop charger or a standard internal 1U PSU that offers a 2 pin 19v connector so no need to mess with the very unreliable PicoPSU's and such. Finally, it's on $85 on amazon whereas the one you mention is $300
-
Thank you for the feedback! That makes sense. I will look at that board right now. I want to order hardware soon.
-
I think I would prefer a server class board with ecc memory and support for aes-ni and quickassist.
I like ipmi but it isn't a requirement. I will mostly be using this as a dedicated firewall with SSL VPN access for probably no more than 3 client tunnels at a time.
I like the idea of 4 gig NICs as well.
I'm just struggling to find dthe right mobo/CPU and the right case! I want to order something really soon. It I can't make up my mind :) any other opinions out there? I've been googling and reading this forum for hours now.
-
My advice?
Forget quick assist for home use, it is overkill unless you are doing 1gbpsJust get a nice asrock board of the current generation, put 6 gig of ram in it (or more) and an i3, and have done with it.
-
I think I would prefer a server class board with ecc memory and support for aes-ni and quickassist.
I like ipmi but it isn't a requirement. I will mostly be using this as a dedicated firewall with SSL VPN access for probably no more than 3 client tunnels at a time.
I like the idea of 4 gig NICs as well.
I'm just struggling to find dthe right mobo/CPU and the right case! I want to order something really soon. It I can't make up my mind :) any other opinions out there? I've been googling and reading this forum for hours now.
Server class motherboard….. there really isn't such a thing. Especially for an atom cpu which is a mobile low power cpu. Atom CPU'S come in low cost netbooks and such. If more than 2 NIC'S are a must, put the DQ77KB into a 3 or 4 U chassis and hop on ebay and search for an Intel 4 way NIC card for Dell poweredge serves to put into the expansion slot. This will give you 6 1GB NIC ports. 4 VPN tunnels, they will all enter into your dedicated WAN port.
-
I think I would prefer a server class board with ecc memory and support for aes-ni and quickassist.
I like ipmi but it isn't a requirement. I will mostly be using this as a dedicated firewall with SSL VPN access for probably no more than 3 client tunnels at a time.
I like the idea of 4 gig NICs as well.
I'm just struggling to find dthe right mobo/CPU and the right case! I want to order something really soon. It I can't make up my mind :) any other opinions out there? I've been googling and reading this forum for hours now.
Check this out. It's the link to my post detailing a build I'm doing. Maybe you will find it useful in your part search.
https://forum.pfsense.org/index.php?topic=108819.0#msg605876
-
I think I would prefer a server class board with ecc memory and support for aes-ni and quickassist.
I like ipmi but it isn't a requirement. I will mostly be using this as a dedicated firewall with SSL VPN access for probably no more than 3 client tunnels at a time.
I like the idea of 4 gig NICs as well.
I'm just struggling to find dthe right mobo/CPU and the right case! I want to order something really soon. It I can't make up my mind :) any other opinions out there? I've been googling and reading this forum for hours now.
The Supermicro A1SRi-2785F is ideal because pfSense is optimized for using AES-NI and QuickAssist Technology. No recommendations on case.
-
I'm new to pfsense and am starting a build.
pfSense is a x86 based software firewall and can be srewed up to be a real UTM device and
all depends on the use case, needed throughput, installed packets and turned on services so
the hardware must be more or less fitting this needs and matching the use case.I'm currently looking at going with a supermicro A1SRI-2758F-O with the atom 8 core CPU.
Should be really powerful and on the other side electric power saving.
Can anyone offer any better suggestion for a mobo? Or some opinions on this one, positive or negative.
- only nearly 1 GBit/s throughput at the WAN Port
- By using PPPoE only single CPU core usage
- no miniPCIe and SIM slots for extensions
- small and powerful
- silent and fan less
- ready for many RAM
- SATA/SSD-DOM support
- AES-NI & Intel QuickAssist
- fully supported by pfSense
Also, what would be a good mini itx small/mini case?
- M350
- Supermicro SC101i
- Supermicro SuperChassis 721TQ-250B
I think I would prefer a server class board with ecc memory and support for aes-ni and quickassist
Is not really a must be and could also be done by a really strong CPU likes Intel Core i3, i5 or Xeon E3-12xxv3
if you get with them 500 MBit/s encrypted IPSec or OpenVPN throughput and 1 GBit/s raw WAN throughput
the AES-NI and QuickAssist is not really necessary. But mostly not fan less and with more power usage.I like ipmi but it isn't a requirement. I will mostly be using this as a dedicated firewall with SSL VPN access for probably no more than 3 client tunnels at a time.
If you are using PPPoE a stronger CPU should be in usage for a good throughput.
I like the idea of 4 gig NICs as well.
An refurbished Intel Quad Port NIC for $50 - $70 will do it also.
I'm just struggling to find dthe right mobo/CPU and the right case! I want to order something really soon. It I can't make up my mind :) any other opinions out there? I've been googling and reading this forum for hours now.
Give us more input please!
- Installed Packets
- services in usage
- Internet connection (WAN port speed)
- needed throughput
-
I think I would prefer a server class board with ecc memory and support for aes-ni and quickassist.
I like ipmi but it isn't a requirement. I will mostly be using this as a dedicated firewall with SSL VPN access for probably no more than 3 client tunnels at a time.
I like the idea of 4 gig NICs as well.
I'm just struggling to find dthe right mobo/CPU and the right case! I want to order something really soon. It I can't make up my mind :) any other opinions out there? I've been googling and reading this forum for hours now.
The Supermicro A1SRi-2785F is ideal because pfSense is optimized for using AES-NI and QuickAssist Technology. No recommendations on case.
Honestly, this can be done on almost every Intel CPU.
Let me reattack on my initial comment about cost. When building one of these things you can spend very little on older used parts or top dollar for high end new and in reality have exactly the same thing. If power and options are what you want, Id honestly look past Atom as a cpu. They are okay but they really fall short in term of raw power. Atom cpu was a very short lived item. It was an attempt by intel to make the centrino mobile processor my cost effeicient but has since be replaced by better cpus. I would honestly consider any board I could select my own cpu for over an atom board. I had a small computer with this cpu in it some years ago and it was very limited in abilities with spars support for application. Plus, 6 or 7 of those cores on the supermicro board will be 100% idle. %100% of the time on pfsense. Lastly, everything you are looking for is a capability of almost every Intel board currently available.
-
OP did not mention processing power, dual purpose use or cost as criteria. Requirements cited were server class board, ECC memory, support for AES-NI and QuickAssist Technology, and 4 GB NIC. OP's initial choice meets those requirements.
-
Server Class Motherboard… What really makes a motherboard server class. I would think processor and CPU to start. Servers typically come with XEON CPU's, a few with I Series CPU's. Atom's are a mobile processor and are intended for low end systems. Check out this youtube video. It shows a gentleman who is upgraded from the atom CPU and why. He is moving up to the DQ77KB but that is not important for this comment. What is, is the bandwidth limitation of the ATOM CPU to which he explains in detail.
https://www.youtube.com/watch?v=b1OBnn2pKzgECC memory... ECC slows down the memory stream and provides a check bit process on the memory pipeline for the installed OS if supported. For your case, ECC will provide no benefit for through putting packets since they are handled strictly within you NIC. Your greatest benefit will come from the highest quality NIC Card. Bottom line, ECC is a trade off. You get an error checker in exchange for reduced system performance. It is really only use in cases of large server environments such as Windows Server and or Linux Server.
AES-NI... Is a feature of almost all commercially available intel CPU's.
Intel QuickAssist... Comes on a wide array of system boards to include my gaming system board. Shop around to find a better bargain.
4 NIC's... Integrated NIC's are okay will stumble under high traffic loads. For you purpose, I would recommend an Intel 4 Port Gigabit NIC such as the one here:
http://www.ebay.com/itm/Intel-I350-T4-PCI-Express-RJ45-PCI-E-4-Ports-Gigabit-Server-Adapter-NIC-I350AM4-/172034462062?hash=item280e0d916e:g:C78AAOSw3KFWdYqTOverall, for the cost of the selected motherboard, you are getting not much bang for your buck. Supermicro is known for making industrial grade motherboards. The problem with your chosen board and the manufacturers choice of CPU can be related to like putting a chevette engine in the corvette.
-
Server Class Motherboard… What really makes a motherboard server class.
Board chipset and the features/CPU's it supports are generally is what determines if it's a server board or not.
ECC memory… ECC slows down the memory stream and provides a check bit process on the memory pipeline for the installed OS if supported. For your case, ECC will provide no benefit for through putting packets since they are handled strictly within you NIC. Your greatest benefit will come from the highest quality NIC Card. Bottom line, ECC is a trade off. You get an error checker in exchange for reduced system performance.
With the speed and bandwidth increases in memory technologies the error correction bit has a negligible affect on memory throughput.
ECC…snip......It is really only use in cases of large server environments such as Windows Server and or Linux Server
I STRONGLY disagree with this statement. Anyone who values their data, including your average home user, would and can benefit from the use of ECC memory. It's about risk assessment, not enterprise use.
Intel QuickAssist… Comes on a wide array of system boards to include my gaming system board. Shop around to find a better bargain.
I think maybe you better read up a bit on exactly what Intel Quick Assist is.
http://www.intel.com/content/www/us/en/embedded/technology/quickassist/overview.html
I can appreciate your willingness to try and help the OP but spreading disinformation doesn't do him much good.
-
You know, I did just that. All quick assist is, is a platform that uses increased security measures with out sacrificing bandwidth. Plain and simple. For my gaming board, while it may not say specifically it has something called Intel Quickassist; it does have a software set that does what Quickassist does.
If you go to Intel's own website for this, http://www.intel.com/content/www/us/en/embedded/technology/quickassist/overview.html , you can see a snap shot of it. Again, while other boards may not say Quickassist exactly, they have the same feature under a different title.
I would suggest that you take a peak over the link I provided. You will find that quick assist covers a wide array of CPU and motherboard configuration provided that incorporate the Intel Communication Chipset 89xx. Thusly, intel quickassist is a feature of a specific NIC chipset. Has little to do with the CPU.
Also, you can disagree with my statement of ECC all you want but fact is, in the case of a router, data packets will not experience the bit checking of the ECC memory. Where ECC comes into play; example, querying a large database on server or making changes to that database. ECC will provide the server the means to ensure that data moving to and from the hard disk is properly and accurately reflected. In the case of a router, packets will not be offloaded on or off a hard disk or system memory. Every NIC has a tiny bit of system memory that is used to packets while the NIC processors decides what to do with them. For your desktop, if you are downloading a large file, the system will route the downloaded packets to the pagefile.sys (windows) and process it in and out of the system memory to make the complete downloaded file. For routing this process is much different since the system only needs to decide what the destination is, filter it and send it on it's way which is all handled within the NIC interface. Promiscuous mode allows for expanded packet handling and it is why it is enabled in pfsense.
Finally, I should probably caveat all of this by saying that it has always been my understanding of out it should theoretically work.
-
You know, I did just that. All quick assist is, is a platform that uses increased security measures with out sacrificing bandwidth. Plain and simple. For my gaming board, while it may not say specifically it has something called Intel Quickassist; it does have a software set that does what Quickassist does.
If you go to Intel's own website for this, http://www.intel.com/content/www/us/en/embedded/technology/quickassist/overview.html , you can see a snap shot of it. Again, while other boards may not say Quickassist exactly, they have the same feature under a different title.
I would suggest that you take a peak over the link I provided. You will find that quick assist covers a wide array of CPU and motherboard configuration provided that incorporate the Intel Communication Chipset 89xx. Thusly, intel quickassist is a feature of a specific NIC chipset. Has little to do with the CPU.
Finally, I should probably caveat all of this by saying that it has always been my understanding of out it should theoretically work.
Your response raises more issues :(
The above link shows chipset 89xx yet Intel DQ77KB has chipset Q77. Sandy Bridge Xeon CPUs do not support either AES-NI or QuickAssist Technology. Which "wide array of CPU" support OP requirements? Link please?
Define "stumbling under high loads" because there are no tests or links to research. Link please?
No reason for an additional failure point such a NIC expansion card.
I do not calculate cost savings buying an older M/B that lacks OP's requirements because the DQ77KB has too many deficiencies. It may be an adequate HTPC platform however it does not meet OP's requirements.
-
You know, I did just that. All quick assist is, is a platform that uses increased security measures with out sacrificing bandwidth. Plain and simple. For my gaming board, while it may not say specifically it has something called Intel Quickassist; it does have a software set that does what Quickassist does.
If you go to Intel's own website for this, http://www.intel.com/content/www/us/en/embedded/technology/quickassist/overview.html , you can see a snap shot of it. Again, while other boards may not say Quickassist exactly, they have the same feature under a different title.
I would suggest that you take a peak over the link I provided. You will find that quick assist covers a wide array of CPU and motherboard configuration provided that incorporate the Intel Communication Chipset 89xx. Thusly, intel quickassist is a feature of a specific NIC chipset. Has little to do with the CPU.
Finally, I should probably caveat all of this by saying that it has always been my understanding of out it should theoretically work.
Your response raises more issues :(
The above link shows chipset 89xx however Intel DQ77KB has chipset Q77. Sandy Bridge Xeon CPUs do not support either AES-NI or QuickAssist Technology. Which "wide array of CPU" support OP requirements? Link please?
Define "stumbling under high loads" because there are no tests or links to research. Link please?
No reason for an additional failure point such a NIC expansion card.
I do not calculate cost savings buying an older M/B that lacks OP's requirements because the DQ77KB has too many deficiencies. It may be adequate HTPC platform however it does not meet OP's requirements.
I'm done arguing with you. You speak with the point of view of not open to any other point of view. All i'm suggesting is there is cheaper way to accomplish what he wants yet you are defending is as if it is the only possibility when clearly it is not. I've never said, you need to buy this. What I have stated is that the Atom CPU is a value level CPU placed in an industrial board; therefor making it dare a say lack luster. It has far fewer capabilities than a Celeron for crying out loud. Please watch this video, it is explained here.
https://www.youtube.com/watch?v=b1OBnn2pKzgHere is an interesting benchmark concerning the current Atom vs an i3
http://cpuboss.com/cpus/Intel-Core-i3-4130T-vs-Intel-Atom-C2758 -
Core i3 4130T doesn't support Quickassist. Again, research Quickassist a bit more before you post comparisons like that.
-
You know, I did just that. All quick assist is, is a platform that uses increased security measures with out sacrificing bandwidth. Plain and simple. For my gaming board, while it may not say specifically it has something called Intel Quickassist; it does have a software set that does what Quickassist does.
If you go to Intel's own website for this, http://www.intel.com/content/www/us/en/embedded/technology/quickassist/overview.html , you can see a snap shot of it. Again, while other boards may not say Quickassist exactly, they have the same feature under a different title.
I would suggest that you take a peak over the link I provided. You will find that quick assist covers a wide array of CPU and motherboard configuration provided that incorporate the Intel Communication Chipset 89xx. Thusly, intel quickassist is a feature of a specific NIC chipset. Has little to do with the CPU.
Finally, I should probably caveat all of this by saying that it has always been my understanding of out it should theoretically work.
Your response raises more issues :(
The above link shows chipset 89xx however Intel DQ77KB has chipset Q77. Sandy Bridge Xeon CPUs do not support either AES-NI or QuickAssist Technology. Which "wide array of CPU" support OP requirements? Link please?
Define "stumbling under high loads" because there are no tests or links to research. Link please?
No reason for an additional failure point such a NIC expansion card.
I do not calculate cost savings buying an older M/B that lacks OP's requirements because the DQ77KB has too many deficiencies. It may be adequate HTPC platform however it does not meet OP's requirements.
I'm done arguing with you. You speak with the point of view of not open to any other point of view. All i'm suggesting is there is cheaper way to accomplish what he wants yet you are defending is as if it is the only possibility when clearly it is not. I've never said, you need to buy this. What I have stated is that the Atom CPU is a value level CPU placed in an industrial board; therefor making it dare a say lack luster. It has far fewer capabilities than a Celeron for crying out loud. Please watch this video, it is explained here.
https://www.youtube.com/watch?v=b1OBnn2pKzgHere is an interesting benchmark concerning the current Atom vs an i3
http://cpuboss.com/cpus/Intel-Core-i3-4130T-vs-Intel-Atom-C2758I want 14:26 returned after watching that UselessTube (get it?) video. There is no test data and no results for comparison only his opinion that the Celeron should be faster because it's "8x faster than the Atom". That is detailed analysis (sarcasm).
The Celeron G1620 does not support either AES-NI or QuickAssist Technology. UselessTube guy admitted in the Comments section that VPN would suffer without the "AES stuff".
The i3-4130T is Socket 1150 and doesn't fit the DQ77KB.
My responses have addressed the OP's requirements. I am open to different configurations yet your responses have been about cost and did not address OP's requirements.
-
You know, I did just that. All quick assist is, is a platform that uses increased security measures with out sacrificing bandwidth. Plain and simple. For my gaming board, while it may not say specifically it has something called Intel Quickassist; it does have a software set that does what Quickassist does.
If you go to Intel's own website for this, http://www.intel.com/content/www/us/en/embedded/technology/quickassist/overview.html , you can see a snap shot of it. Again, while other boards may not say Quickassist exactly, they have the same feature under a different title.
I would suggest that you take a peak over the link I provided. You will find that quick assist covers a wide array of CPU and motherboard configuration provided that incorporate the Intel Communication Chipset 89xx. Thusly, intel quickassist is a feature of a specific NIC chipset. Has little to do with the CPU.
Finally, I should probably caveat all of this by saying that it has always been my understanding of out it should theoretically work.
Your response raises more issues :(
The above link shows chipset 89xx however Intel DQ77KB has chipset Q77. Sandy Bridge Xeon CPUs do not support either AES-NI or QuickAssist Technology. Which "wide array of CPU" support OP requirements? Link please?
Define "stumbling under high loads" because there are no tests or links to research. Link please?
No reason for an additional failure point such a NIC expansion card.
I do not calculate cost savings buying an older M/B that lacks OP's requirements because the DQ77KB has too many deficiencies. It may be adequate HTPC platform however it does not meet OP's requirements.
I'm done arguing with you. You speak with the point of view of not open to any other point of view. All i'm suggesting is there is cheaper way to accomplish what he wants yet you are defending is as if it is the only possibility when clearly it is not. I've never said, you need to buy this. What I have stated is that the Atom CPU is a value level CPU placed in an industrial board; therefor making it dare a say lack luster. It has far fewer capabilities than a Celeron for crying out loud. Please watch this video, it is explained here.
https://www.youtube.com/watch?v=b1OBnn2pKzgHere is an interesting benchmark concerning the current Atom vs an i3
http://cpuboss.com/cpus/Intel-Core-i3-4130T-vs-Intel-Atom-C2758I want 14:26 returned after watching that UselessTube (get it?) video. There is no test data and no results for comparison only his opinion that the Celeron should be faster because it's "8x faster than the Atom". That is detailed analysis (sarcasm).
The Celeron G1620 does not support either AES-NI or QuickAssist Technology. UselessTube guy admitted in the Comments section that VPN would suffer without the "AES stuff".
The i3-4130T is Socket 1150 and doesn't fit the DQ77KB.
My responses have addressed the OP's requirements. I am open to different configurations yet your responses have been about cost and did not address OP's requirements.
AES and AES-NI are one in the same. AES-NI provides 7 additional instructions to AES to improve performance. AES-NI is not a new separate encryption algorithm and even with it, your machine is still using AES. It only help your CPU process it quicker.
http://www.intel.com/content/www/us/en/architecture-and-technology/advanced-encryption-standard–aes-/data-protection-aes-general-technology.html"""Intel
AES New Instructions (Intel AES NI) is a new encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in the Intel Xeon processor family and the Intel Core
processor family.Comprised of seven new instructions, Intel
AES-NI gives your IT environment faster, more affordable data protection and greater security; making pervasive encryption feasible in areas where previously it was not."""Another article explains AES-NI even further to the point that it bears no significance to internet only traffic:
http://www.tomshardware.com/reviews/clarkdale-aes-ni-encryption,2538.html
"""However, TLS and SSL are cryptographic protocols for secure communication, while AES is a general-purpose encryption standard. It can be used to encrypt individual files, data containers, archive files, entire drives (including thumb drives), and even multi-drive volumes. AES can be implemented in software, and there are products based on hardware acceleration as well, since encryption/decryption represent a rather significant workload. Solutions like TrueCrypt or Microsoft’s BitLocker, which is part of Windows Vista and Windows 7 Ultimate, are capable of encrypting entire partitions on the fly."""
This says to me that for the purpose of a router, AES-NI will only affect the system files the pfsense writes to disk; not traffic going in and out of it. Not sure how a routing solution will truly benefit from it; or IPSEC and VPN either.
After a great deal of reading, I've found that it usually lies on the lower end CPU or ones that have a low TDP of 20 watts or so. Lower wattage processors use less electricity but sacrifice computing power since heat is side affect of processing.
Intel quickassist again is specifically an add on to enable quicker encryption and decryption. It also available as a rather costly add on card for servers that utilize low TDP CPU's.
http://www.intel.com/content/www/us/en/network-adapters/quickassist-adapter-8950-brief.htmlIn the case of the Atom, which is a 20w TDP CPU, it is a perfect fit for to make it viable.
Summary. Looking all over the spectrum, to me it strongly points that intel added these features to specific low end CPU's for a reason. Obviously, low end cpu's under high network load will show their low power abilities. Adding expanded encryption algorithm will free up some of the load to the CPU but a bottle neck still exists. Enter the quickassist chip that helps the CPU out by offloading more of the encryption decryption process. All in all, you get a small performance increase to help these low TDP CPU's keep up with there much faster CPU's brothers.
My Opinion, the reason I believe these things are not in higher end CPU's is because they are not needed. AES takes quite of bit CPU power to crunch. If you have a high power CPU that can handle AES well, the need to accelerate it is simply not there.
For the OP's original requirements, what I have been trying to do is explain why they may be potentially not necessary. I care a lot about network security and data security. So much, that I took additional classes through completing my bachelors of computer science in Network Security and Cryptography. After all, in my spare bedroom I operate a rather beefy server cabinet included a Dell PowerEdge 1950, a Dell PowerEdge 2950 and a Dell PowerVault MD3000 with 30TB of storage. Overall, the thing to remember is Data Security and Communications security are wholly separate animals. Neither of which intertwine. Data security only applies to data stored on the machine. Communications security only applies to data being transmitted to and from that machine. The OP's requirements, only address data security which in a nutshell is not as necessary for a router as communications security would be. His main focus should be such that include high end NIC interfaces that offer better controllers that provide better traffic handling and security, expanded memory to increase network efficiency and higher overall through put. I don't knock AES-NI and Quickassist because they are wonderful technologies. Personally, I think they are mostly applicable to large network databases accessed by high number of computer connections to ensure the database itself is secure. Again, his requirements don't address securing his network; only securing his systems hard disc. The question may come up that "What if this is his requirement?" I would answer that with a better CPU to handle the load of pure AES alone while implementing a TPM device to protect the hard disc and it's content. Both still give you and encrypted disc while not sacrificing power. Now i'm not saying that you should jump on an i7 but I think an earlier commenter was on the right track with is statement about an i3 which support AES and plenty of hardware acceleration instruction to really make you pfsense box powerful. I would personally just look for a 45 to 65W TDP version with a high quality cooler.
-
I ended up ordering a ZOTAC ZBOX RI531 with 16GB of RAM and 120GB SSD. Thanks for all of your input.
