Looking to move pfsense from vm to hardware - solutions under $300?



  • Hi,
    I have been using pfSense on my homelab ESXi VM. I am having an issue with the pfSense VM CPU going to 100% when my FreePBX VM is running - both should be pretty low-CPU items.

    Anyway, I think maybe moving pfSense to a dedicated physical box might be a better long-term solution.

    I would love it to be under $300 & use less than 10 watts at idle. Any suggestions / recommendations?

    A bonus would be if it had Intel NICs.

    Thanks, Rich



  • PC Engines APU2C4 (bundle)
    Jetway NF9HG-2930 (self made)
    pfSense SG-2440 (bundle)
    A1SRi-2358/2558/2758 (self made)



    Where are you seeing the SG-2440 for under 300? It's 500 on the pfSense store.



  • I think it's very important to include your internet speed/bandwidth plus the package you'll be using.
    I recently purchased a Ci323 nano (comes with 2x Gbps Realtek NIC ports) and found out that it can route only ~300-400 Mbps on my 1000Mbps line, and also Snort loads really slowly compared to the i3 Skylake box I have.

    Just my 2 cents.



    I have a 100 meg connection for the WAN & 1000gb on the LAN.  I would rather get something a little more future proof, which is why I can't tell if something like this:

    https://www.amazon.com/Firewall-Micro-Appliance-Intel-PFSense/dp/B01AJEJG1A/ref=sr_1_1?ie=UTF8&qid=1468435409&sr=8-1&keywords=pfsense

    Quad Core Celeron J1900 Bay Trail 2.0GHz, 2MB L2 Cache
    4 Gigabit ethernet Intel NIC ports
    4GB DDR3 RAM
    8GB mSATA SSD
    Fanless and silent operation

    Would it have the 'oomph' I am looking for?



    Yes.  Just installed two. $256 with 8GB RAM, 128GB mSATA drive: https://forum.pfsense.org/index.php?topic=114202.0

    We run Snort on 3 interfaces, Squid, SquidGuard etc.  Max CPU load I've seen is 37% at 50Mbit.



    Interesting topic.

    I'm interested in the same question, about to move from VM to HW and looking for a cheap 64-bit capable solution…

    The Celeron J1900 seems to catch on a lot nowadays... how about the missing AES-NI?



    I can recommend the Partaker B5, a Celeron N3150 based mini-PC I got a few months ago. It's got dual gigabit NICs, and the CPU has AES-NI, so it has no problems shovelling ~100Mbps OpenVPN traffic back and forth.

    The only "downside" to it is that it has RealTek NICs. I say that in quotes since I can't really tell if it actually is a downside anymore. Since pfSense 2.3, I have no problem getting the full 1Gbps throughput.

    You can pick it up from Aliexpress or similar for roughly 200 USD.



  • @albatorsk:

    I can recommend the Partaker B5, a Celeron N3150 based mini-PC I got a few months ago. It's got dual gigabit NICs, and the CPU has AES-NI, so it has no problems shovelling ~100Mbps OpenVPN traffic back and forth.

    The only "downside" to it is that it has RealTek NICs. I say that in quotes since I can't really tell if it actually is a downside anymore. Since pfSense 2.3, I have no problem getting the full 1Gbps throughput.

    You can pick it up from Aliexpress or similar for roughly 200 USD.

    Interesting option… I'm just not too attracted to buying from AliExpress because of the long delivery time (if you don't choose a courier) and duty expenses.... Correct?



    AliExpress shipping time depends on the vendor. The Qotom shop on AliExpress selling the J1900 boxes actually guaranteed 9-day delivery, which sounded great, better than the usual 1 to 2 month wait time from AliExpress.



  • Exactly. Now I don't remember what vendor I got mine from, but I selected DHL shipping, and had it in my hands a week after ordering.



  • @albatorsk:

    Exactly. Now I don't remember what vendor I got mine from, but I selected DHL shipping, and had it in my hands a week after ordering.

    Yeah, DHL shipping should do the trick… it just costs a little (around $30 depending on vendor)...

    What about customs?



  • Totally agree with albatorsk.

    I've just ordered the second one for the summer house; the first one was delivered in 5 days:
    http://www.aliexpress.com/store/product/Free-shipping-Mini-PC-Intel-Pentium-J1900-Quad-Core-2-41GHz-Fanless-Micro-PC-4G-RAM/1383581_32354251046.html

    I'm really satisfied. Just over $200 (with 8GB RAM and 64GB SSD) and it's capable of running Snort, pfBlocker and the OpenVPN client smooth as silk.



    Can recommend this one… Fast delivery, nice little box, Intel NICs work well.
    https://forum.pfsense.org/index.php?topic=113308.0



  • @richtj99:

    I have a 100 meg connection for the WAN & 1000gb on the LAN.  I would rather get something a little more future proof, which is why I can't tell if something like this:

    https://www.amazon.com/Firewall-Micro-Appliance-Intel-PFSense/dp/B01AJEJG1A/ref=sr_1_1?ie=UTF8&qid=1468435409&sr=8-1&keywords=pfsense

    Quad Core Celeron J1900 Bay Trail 2.0GHz, 2MB L2 Cache
    4 Gigabit ethernet Intel NIC ports
    4GB DDR3 RAM
    8GB mSATA SSD
    Fanless and silent operation

    Would it have the 'oomph' I am looking for?

    Take a look at my recent build. I have a 150/150 Mbit FiOS fiber connection and gigabit LAN.

    https://forum.pfsense.org/index.php?topic=113610.0

    It is future proof for your needs and exceeds the speeds you currently have. I can OpenVPN into my network and download/upload at my full WAN speeds (150/150).



  • @mauroman33:

    Totally agree with albatorsk.

    I've just ordered the second one for the summer house; the first one was delivered in 5 days:
    http://www.aliexpress.com/item/Free-shipping-Mini-PC-Intel-Pentium-J1900-Quad-Core-2-41GHz-Fanless-Micro-PC-4G-RAM/32354251046.html?spm=2114.13010608.0.56.qzlURn

    I'm really satisfied. Just over $200 (with 8GB RAM and 64GB SSD) and it's capable of running Snort, pfBlocker and the OpenVPN client smooth as silk.

    What about CPU missing AES-NI?
    How much did you pay for customs?



  • @icest0rm:

    @mauroman33:

    Totally agree with albatorsk.

    I've just ordered the second one for the summer house; the first one was delivered in 5 days:
    http://www.aliexpress.com/item/Free-shipping-Mini-PC-Intel-Pentium-J1900-Quad-Core-2-41GHz-Fanless-Micro-PC-4G-RAM/32354251046.html?spm=2114.13010608.0.56.qzlURn

    I'm really satisfied. Just over $200 (with 8GB RAM and 64GB SSD) and it's capable of running Snort, pfBlocker and the OpenVPN client smooth as silk.

    What about CPU missing AES-NI?
    How much did you pay for customs?

    There is AES-NI support because the CPU is the Celeron N3150.
    I didn't pay a customs fee because they declared a value of USD30.



  • If by future proofing you mean speed wise, check this out…

    1. This thread says a Zotac CI323 nano will do 300-400 Mbps.
    2. https://forum.pfsense.org/index.php?topic=113610.msg633918#msg633918 says a CI323 nano will do 117 Mbps over OpenVPN, which implies #1 was without VPN.
    3. #2 also says that an i7-4500U will do 287 Mbps over OpenVPN.
    4. https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux says a reasonable AES-NI expectation is +25%.

    So the conclusion I'm reaching is
    1. If you want 100 Mbps, any of the J1900, N3150 or 4500U boxes will do. Perhaps the Zotac CI323 would be a good idea because it's a name brand with support.
    2. If you want 1 Gbps, you're probably limited to the 4500U or better, so no Celerons.
    3. If you want 1 Gbps over OpenVPN, AES-NI is KEY. Even the 4500U may not be enough, but close, and likely cheaper than the required server hardware. See the OpenVPN tests in 4.

    Once OpenVPN supports AES-NI, you'll want to be on at least the N3150 to utilize it. The question is, how much will the Realtek NICs kill the performance in comparison to Intel NICs, which currently don't seem to exist on any N3150 system (that I could find).

    Of course, price is also a consideration.

    100-150 US gets you a J1900 or N3150
    300 US gets you an i7-4500U
    350-500 US gets you Atom C2xxx systems.



  • @duren:

    If by future proofing you mean speed wise, check this out…

    1. This thread says a Zotac CI323 nano will do 300-400 Mbps.
    2. https://forum.pfsense.org/index.php?topic=113610.msg633918#msg633918 says a CI323 nano will do 117 Mbps over OpenVPN, which implies #1 was without VPN.
    3. #2 also says that an i7-4500U will do 287 Mbps over OpenVPN.
    4. https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux says a reasonable AES-NI expectation is +25%.

    So the conclusion I'm reaching is
    1. If you want 100 Mbps, any of the J1900, N3150 or 4500U boxes will do. Perhaps the Zotac CI323 would be a good idea because it's a name brand with support.
    2. If you want 1 Gbps, you're probably limited to the 4500U or better, so no Celerons.
    3. If you want 1 Gbps over OpenVPN, AES-NI is KEY. Even the 4500U may not be enough, but close, and likely cheaper than the required server hardware. See the OpenVPN tests in 4.

    Once OpenVPN supports AES-NI, you'll want to be on at least the N3150 to utilize it. The question is, how much will the Realtek NICs kill the performance in comparison to Intel NICs, which currently don't seem to exist on any N3150 system (that I could find).

    Of course, price is also a consideration.

    100-150 US gets you a J1900 or N3150
    300 US gets you an i7-4500U
    350-500 US gets you Atom C2xxx systems.

    Sorry, I don't agree with the first two points of your conclusions because, as albatorsk said, "Since pfSense 2.3, I have no problem getting the full 1Gbps throughput."
    So when you write "If you want 100mbps…" that's only an OpenVPN matter for CPUs like the J1900, N3150 or 4500U.



  • @duren:

    So the conclusion I'm reaching is
    1. If you want 100 Mbps, any of the J1900, N3150 or 4500U boxes will do.
    2. If you want 1 Gbps, you're probably limited to the 4500U or better, so no Celerons.
    3. If you want 1 Gbps over OpenVPN, AES-NI is KEY…
    See the OpenVPN tests in 4.

    I have a Gigabyte N3150N-D3V here, so I cannot write about the others.
    2x Realtek 8111G NICs.

    1. Yes.
    2. No, it will happily saturate 1 Gbps (948 Mbps), maybe even more, but I have no faster network to test.
    3a. That article from Jan Just Keijzer (who wrote some very nice books about OpenVPN) was written at least 5 years ago. Not all of it is current info.
    3b. OpenVPN:
    The following test was done in a client-to-client scenario, meaning that on the OpenVPN server there is an extra decrypt+encrypt going on compared to client-to-server, because the packets flow between two clients. I haven't tested the client-to-server scenario yet, but I would think that throughput would go up.
    My tests with the following settings:
    Server:

    
    Remote Access (SSL/TLS+User Auth)
    udp
    tun
    tls static key 2048
    Diffie Hellman 2048
    Certs 2048
    Encryption AES-256-CBC
    Auth digest SHA512
    prng RSA-SHA512 32
    fast-io
    comp-lzo no
    tls-version-min 1.2 or-highest


    Both clients:

    
    dev tun
    persist-tun
    persist-key
    # data-channel cipher (AES-NI accelerates this) and HMAC digest (not AES-NI accelerated)
    cipher AES-256-CBC
    auth SHA512
    tls-client
    client
    resolv-retry infinite
    remote 192.168.11.200 1194 udp
    lport 0
    # pin the server certificate's name
    verify-x509-name "OVPN-SERVER-CERT" name
    auth-user-pass
    # server-identity check (older form of "remote-cert-tls server")
    ns-cert-type server
    # compression off
    comp-lzo no
    prng RSA-SHA512 32
    tls-version-min 1.2 or-highest


    The iperf result was 160 Mbps.

    With encryption disabled ("auth none", "cipher none"), throughput is 270 Mbps. I did not test with other crypto settings. Here one gets an idea of what impact crypto/hashing has.

    The second idea is the difference between 948 Mbps normal and 270 Mbps OpenVPN (unencrypted). Mainly caused by packets travelling between kernel and userland, and OpenVPN's internal fragmenting and defragmenting; here CPU power (of a single core!!!) comes into play.

    When OpenVPN 2.4 is ready, bringing AES-GCM, it is expected that throughput will go up.

    Once OpenVPN supports AES-NI

    See 3a above.
    It does already, or more accurately, OpenSSL does. When AES-NI is supported, one does not need to set any hardware crypto options in pfSense/OpenVPN. OpenSSL will automatically use it when available.

    The question is, how much will the realtek nics kill the performance in comparison to intel nics which currently don't seem to exist on any N3150 system (that I could find).

    I see no problems with the 2 Realtek 8111G NICs on my board. I left settings at default because fiddling with them brought no benefit in my case.
    Of course I have no comparison of this board with Intel NICs, but I have a feeling it would not be very different.



  • mauroman, thank you for the correction. I scanned through the thread too fast  :-[

    Pippin, thank you for the confirmation, much appreciated.



  • Welcome.

    One thing to add: keep in mind that this was without any other packages installed and no other traffic flowing.



  • @mauroman33:

    There is AES-NI support because the CPU is the Celeron N3150.
    I didn't pay a customs fee because they declared a value of USD30.

    I sent you a PM



  • @icest0rm:

    @mauroman33:

    There is AES-NI support because the CPU is the Celeron N3150.
    I didn't pay a customs fee because they declared a value of USD30.

    I sent you a PM

    I answered you



  • @Pippin:

    The second idea is the difference between 948 Mbps normal and 270 Mbps OpenVPN (unencrypted). Mainly caused by packets travelling between kernel and userland, and OpenVPN's internal fragmenting and defragmenting; here CPU power (of a single core!!!) comes into play.

    When OpenVPN 2.4 is ready, bringing AES-GCM, it is expected that throughput will go up.

    The other issue is probably related to process threading: pf is now capable of multi-threading, while as far as I remember OpenVPN isn't. For those low-end Atom devices we usually need 1-2 cores' power to have NAT running at 1Gbps throughput, which means if we allow only single-core operation the NAT will probably be capped at ~700Mbps, and OpenVPN will have more impact because it's adding burden on the CPU as well.