Hardware for 20 man office



  • Hi there

    I've been looking for new hardware for our office.

    Currently we are using an APU1D4, but sadly it keeps crashing for unknown reasons. But I'm not sure if it's powerful enough for what we are using it for.
    So I thought I'd ask what you would recommend.

    What we have is:

    • 80/8 Mbit connection
    • 4x VLANs (Main, Guest, VOIP, DMZ)
    • 20 people in the office (only Exchange, backups and a little surfing)
    • About 30 devices internal
    • 16 IPsec connections to remote sites (each with 2x P2 entries) (for AD and two or three little applications, not much traffic)
    • Planning to have 10 road warrior VPNs (not certain on which basis, probably L2TP/IPsec or OpenVPN)
    • pfBlockerNG

    Maybe in the future I will implement Snort and very maybe Squid, but that is not yet decided.
    In addition, we will be implementing about 10 VOIP channels in the near future.

    Is the current hardware powerful enough, or would you recommend something like the SG-4860?

    Thanks for your input



  • You don't have much of a WAN bandwidth requirement. Just get an i3-based config with 4-6GB RAM and a multiport Intel network card and be done with it.



  • i3 might not be a good idea; it seems there is no consumer-grade i3 processor that comes with AES-NI?
    The OP has a higher requirement on VPN, so getting AES acceleration would probably be a better idea. I believe he can build with an N3150/3160/3700/3710 CPU + multiport Intel LAN card; 2-4GB RAM is more than enough already.

    @Asterix:

    You don't have much of a WAN bandwidth requirement. Just get an i3-based config with 4-6GB RAM and a multiport Intel network card and be done with it.



  • FYI, i3 models have come with AES-NI since Haswell (4xxx series and later), and the N-series CPUs will get their butts kicked by a mainstream i3; it's a totally different power class, 4-7W vs 25-65W TDPs, though unless your electricity is stupidly expensive you won't notice.

    Also, OpenVPN likes high clock speed over more cores, but the 4860 has plenty of power for 80/8 and then some.



  • Is the current hardware powerful enough, or would you recommend something like the SG-4860?

    It would be nice in that case and would match most of the things you named here. But for a nearly fully featured UTM
    with 16 IPsec tunnels and 10 road warrior VPNs on top, it should be more in the direction of an Intel Core i3 or i5
    with 4 cores, and if more power saving is wanted as an option, a Xeon E3-12xx v3 will also fit fine.



  • Do you have an isolated server room? Is power and noise a concern? I ask because in your situation I'd focus more on getting server-class hardware, mostly for reliability reasons. Obviously if this is sitting on a shelf where everyone can hear it or see it you'd want something small and fanless, but if you have the room you can get older 1U hardware with dual power supplies pretty cheaply, and it will crush your workload. A quad-core CPU, a couple of decent NICs and 4GB of RAM should get the job done.



  • Thanks guys for the input!

    It is in a server room.
    The load on the VPN connections is quite low, that's why I'm honestly thinking about getting the SG-8860 with an SSD (would you recommend Intel or Micron?).

    It should have enough power left and is cost-wise much more attractive than an i3 or so. I wouldn't mind building one from scratch, but as it's for business I prefer having a vendor behind it.

    This is the one I'm looking into
    https://shop.voleatech.de/shop/sg-8860-1u/



  • @geocast:

    Hi there

    I've been looking for new hardware for our office.

    Currently we are using an APU1D4, but sadly it keeps crashing for unknown reasons. But I'm not sure if it's powerful enough for what we are using it for.
    So I thought I'd ask what you would recommend.

    What we have is:

    • 80/8 Mbit connection
    • 4x VLANs (Main, Guest, VOIP, DMZ)
    • 20 people in the office (only Exchange, backups and a little surfing)
    • About 30 devices internal
    • 16 IPsec connections to remote sites (each with 2x P2 entries) (for AD and two or three little applications, not much traffic)
    • Planning to have 10 road warrior VPNs (not certain on which basis, probably L2TP/IPsec or OpenVPN)
    • pfBlockerNG

    Maybe in the future I will implement Snort and very maybe Squid, but that is not yet decided.
    In addition, we will be implementing about 10 VOIP channels in the near future.

    Is the current hardware powerful enough, or would you recommend something like the SG-4860?

    Thanks for your input

    I believe my setup that I am building this week will have more than enough power to handle your bandwidth requirements: https://forum.pfsense.org/index.php?topic=113610.0



  • @geocast:

    It should have enough power left and is cost-wise much more attractive than an i3 or so.

    A custom-built i3 would be more powerful and cost-effective than a Rangeley Atom build.



  • In the long run, we also need to think about the durability of hardware when it's for commercial use. The Rangeley platform is considered "server grade" while a custom-built i3 is not, and passive cooling is also a pro for a device running 24x7, since we don't need to worry about the failure of a CPU fan.

    But personally I don't think you need Rangeley, as the expected workload is small; that's why I suggest a cheaper option like the N3700/N2930 (I just built one 4xLAN pfSense with an N2930, which costs less than 250 USD).

    @Asterix:

    @geocast:

    It should have enough power left and is cost-wise much more attractive than an i3 or so.

    A custom-built i3 would be more powerful and cost-effective than a Rangeley Atom build.



  • @edwardwong:

    In the long run, we also need to think about the durability of hardware when it's for commercial use. The Rangeley platform is considered "server grade" while a custom-built i3 is not, and passive cooling is also a pro for a device running 24x7, since we don't need to worry about the failure of a CPU fan.

    But personally I don't think you need Rangeley, as the expected workload is small; that's why I suggest a cheaper option like the N3700/N2930 (I just built one 4xLAN pfSense with an N2930, which costs less than 250 USD).

    @Asterix:

    @geocast:

    It should have enough power left and is cost-wise much more attractive than an i3 or so.

    A custom-built i3 would be more powerful and cost-effective than a Rangeley Atom build.

    IMHO passive cooling is not a pro for a device running 24x7. A CPU's longevity depends on how cool it's kept during processing, or even when it's just on and not doing much work. Passive cooling is always warmer than fans. The only pro I see is of course no fan noise, but you can get silent fans which can be just as effective.



  • IMHO passive cooling is not a pro for a device running 24x7. A CPU's longevity depends on how cool it's kept during processing, or even when it's just on and not doing much work. Passive cooling is always warmer than fans. The only pro I see is of course no fan noise, but you can get silent fans which can be just as effective.

    50:50 in my eyes! If there is a climate-controlled server room and an actively cooled rack (4 fans on top
    and bottom) it might run well, and if cooling becomes an urgent need, most of these boards can
    also be mounted inside 19" 1U rack mount cases, and those cases can also be fitted with fans too!



  • Not really. I worked in a data center for a couple of years, and I've seen CPU core temps at around 70C most of the time, and they ran well.
    Server/industrial grade components are usually allowed to run in harsher conditions; sometimes you might see that the specification says "Tjunction 105C", so the max allowed is 105C, and running it at 70C is definitely fine.

    There is a misconception that we need to keep everything as cool as possible. As long as all components are working within their specs, they should exhibit a normal life span. Just like my NAS HDDs: they are always running at 50-55C, and the specs mention 60C as the limit, yet my HDDs have been serving for 4.5 years (> 38000 hrs) without any problem.

    And there is another reason mentioned by Bluekobold, which is also true for branded servers. Open up HP/Dell servers and, even with a high-TDP Xeon, you'll see CPUs equipped with extraordinarily large heat sinks, with ventilation fans spinning much slower than a normal CPU heatsink w/fan combo. Why? Because the CPU doesn't rely on the fan for cooling most of the time. Fans are mechanical devices that will fail much more easily than you think. Think about our home PCs: what if the i7 CPU fan breaks down right now? The temperature rises and might cause a thermal shutdown quickly at high load; you might not even have a chance to do a proper shutdown in such a case.

    And to me, passive cooling =/= not doing any other cooling. I owned an ASRock C2550D4I for a NAS server, which is also a passively cooled mobo; I only needed to add a decent case fan to help cool down the system. My case fan broke down once, and without the fan the core temperature rose to about 60C and still... everything was alright. I was able to get a notification and do a proper shutdown myself to replace it. This is the real advantage of passive cooling.

    @Asterix:

    @edwardwong:

    In the long run, we also need to think about the durability of hardware when it's for commercial use. The Rangeley platform is considered "server grade" while a custom-built i3 is not, and passive cooling is also a pro for a device running 24x7, since we don't need to worry about the failure of a CPU fan.

    But personally I don't think you need Rangeley, as the expected workload is small; that's why I suggest a cheaper option like the N3700/N2930 (I just built one 4xLAN pfSense with an N2930, which costs less than 250 USD).

    IMHO passive cooling is not a pro for a device running 24x7. A CPU's longevity depends on how cool it's kept during processing, or even when it's just on and not doing much work. Passive cooling is always warmer than fans. The only pro I see is of course no fan noise, but you can get silent fans which can be just as effective.
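    The thermal-margin argument in the post above (a 70C reading against a 105C Tjunction spec, and getting a notification early enough to shut down cleanly when a fan fails) can be turned into a simple tiered check. The following is an added example, not code from the thread; it assumes a FreeBSD/pfSense host that exposes coretemp(4) readings as dev.cpu.N.temperature sysctls, and the warn/shutdown margins (25C and 10C below Tjunction) are illustrative assumptions.

```python
"""Tiered CPU temperature check for a FreeBSD/pfSense firewall (added example)."""
import re
import subprocess
from typing import Dict, Tuple

# Constructed sample of `sysctl dev.cpu` temperature lines (not a real capture).
SAMPLE_SYSCTL = """\
dev.cpu.0.temperature: 70.0C
dev.cpu.1.temperature: 68.0C
dev.cpu.2.temperature: 71.0C
dev.cpu.3.temperature: 96.0C
"""

# coretemp(4) reports per-core readings as dev.cpu.<n>.temperature: <value>C
LINE_RE = re.compile(r"^dev\.cpu\.(\d+)\.temperature:\s*([0-9.]+)C$")


def parse_temps(text: str) -> Dict[int, float]:
    """Extract {core: celsius} from sysctl output; unrelated lines are ignored."""
    temps: Dict[int, float] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            temps[int(m.group(1))] = float(m.group(2))
    return temps


def classify(temps: Dict[int, float], tjunction: float = 105.0,
             warn_margin: float = 25.0, shutdown_margin: float = 10.0
             ) -> Tuple[str, int, float]:
    """Return (state, hottest_core, temp) using margins below the Tjunction spec.

    Assumed margins: warn 25C below the limit so a failed fan is noticed while
    there is time for a clean shutdown; shut down 10C below it rather than
    waiting for the CPU's own thermal trip.
    """
    if not temps:
        raise ValueError("no temperature readings found")
    core, temp = max(temps.items(), key=lambda kv: kv[1])
    if temp >= tjunction - shutdown_margin:
        return "shutdown", core, temp
    if temp >= tjunction - warn_margin:
        return "warn", core, temp
    return "ok", core, temp


def check_live() -> Tuple[str, int, float]:
    """Read the real sysctls on a FreeBSD/pfSense host and classify them."""
    out = subprocess.run(["sysctl", "dev.cpu"], capture_output=True,
                         text=True, check=False).stdout
    return classify(parse_temps(out))
```

    Run from cron and wire the "warn" state to a notification and the "shutdown" state to `shutdown -p now`; on the constructed sample, core 3 at 96C trips the shutdown tier.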



  • @Asterix:

    IMHO passive cooling is not a pro for a device running 24x7. A CPU's longevity depends on how cool it's kept during processing, or even when it's just on and not doing much work. Passive cooling is always warmer than fans. The only pro I see is of course no fan noise, but you can get silent fans which can be just as effective.

    Modern CPUs are pretty effective at limiting heat-related damage. They will throttle themselves, etc. The rest of the hardware might be at risk though.

    My recommendation for server-class hardware was mostly about price/performance and reliability. Think about it: an 8-year-old 1U server with a quad-core Xeon, dual power supplies, 4GB of ECC, and a pair of SAS or SATA HDDs in RAID1 is practically useless in a modern environment… unless you turn it into a firewall. Then it becomes a beast. It's cheap, has plenty of resources for the application, and with dual PSUs, RAID1, and out-of-band management, it will outclass anything for the price except in power consumption and noise. When I'm the admin and am not paying the power bill, and the machine is in a rack in an isolated room, I'll take that any day over a fanless low-power box.



  • Server class & low power (passive cooling) are not mutually exclusive; just like those Avoton/Rangeley motherboards, they are also server motherboards with a passively cooled CPU. I don't know how many years a firewall can serve when it has already been running for 8 years before, but if I had another set of new server-grade hardware, I would probably bet on the new one because the expected lifetime should probably be longer.

    And to avoid failover, if mission critical, building one more set of firewalls and letting them work in a CARP failover model would definitely be better than running only 1 firewall.

    @whosmatt:

    @Asterix:

    IMHO passive cooling is not a pro for a device running 24x7. A CPU's longevity depends on how cool it's kept during processing, or even when it's just on and not doing much work. Passive cooling is always warmer than fans. The only pro I see is of course no fan noise, but you can get silent fans which can be just as effective.

    Modern CPUs are pretty effective at limiting heat-related damage. They will throttle themselves, etc. The rest of the hardware might be at risk though.

    My recommendation for server-class hardware was mostly about price/performance and reliability. Think about it: an 8-year-old 1U server with a quad-core Xeon, dual power supplies, 4GB of ECC, and a pair of SAS or SATA HDDs in RAID1 is practically useless in a modern environment… unless you turn it into a firewall. Then it becomes a beast. It's cheap, has plenty of resources for the application, and with dual PSUs, RAID1, and out-of-band management, it will outclass anything for the price except in power consumption and noise. When I'm the admin and am not paying the power bill, and the machine is in a rack in an isolated room, I'll take that any day over a fanless low-power box.



  • @edwardwong:

    And to avoid failover, if mission critical, building one more set of firewalls and letting them work in a CARP failover model would definitely be better than running only 1 firewall.

    Absolutely. I run 6 pfSense firewalls at work. Four sites, with only 2 of them having enough IP addresses for CARP. Where it's available, it's invaluable.