pfSense hardware for home
-
Hello,
I would like a firewall for private use (–> small network).
- 1 Gbit firewall throughput
- 100 Mbit VPN throughput
- low power consumption
- optimally: >= 3 network ports
- price max: 300 - 400 Euro
Does anyone have any recommendations? :)
-
Intel Core i3 mini-ITX system.
-
Qotom Q190G4
http://www.aliexpress.com/item/Mini-pc-X86-4-Lan-Qotom-Q190G4-with-celeron-J1900-quad-core-2-usb-VGA-firewall/32598483952.html
-
-
Hello,
I would like a firewall for private use (–> small network).
- 1 Gbit firewall throughput
- 100 Mbit VPN throughput
- low power consumption
- optimally: >= 3 network ports
- price max: 300 - 400 Euro
Does anyone have any recommendations? :)
try to take a look here, maybe it helps ;)
https://forum.pfsense.org/index.php?topic=115673.0
-
thank you very much for answers.
I found https://geizhals.de/gigabyte-brix-gb-bsi3hal-6100-a1426577.html
Does this have enough power?
-
thank you very much for answers.
I found https://geizhals.de/gigabyte-brix-gb-bsi3hal-6100-a1426577.html
Does this have enough power?
needs dual nics, and this one does not have same. you don't need an i3, a celeron n3150 is sufficient.
look up the Zotac ci323 for an all in one
or for matx, gigabyte GA-N3150N-D3V
-
-
https://www.amazon.de/GIGABYTE-N3150N-D3V-Intel-DDR3-16GB/dp/B01ALSQA2W
add 8gb+ and a 120gb ssd, and done
3+nics is better, but 2 is sufficient as it is all that is required for a single internet setup.
-
Have a look at the SG-2440 or, if that's too expensive, an SG-2220 together with a managed switch.
Unfortunately, this is too expensive for me as student.
needs dual nics, and this one does not have same. you don't need an i3, a celeron n3150 is sufficient.
look up the Zotac ci323 for an all in one
is the Zotac ci323 really a good decision? https://forum.pfsense.org/index.php?topic=103841.msg618595#msg618595
The Gigabyte is a desktop PC with only one (1) NIC. Where are the other two you demanded?
Gigabyte Brix has two NIC (onboard and additional card).
I changed my opinion from three to two network ports, because of the costs.
https://www.amazon.de/GIGABYTE-N3150N-D3V-Intel-DDR3-16GB/dp/B01ALSQA2W
I would not like to build a complete system, but only adding ram and hdd would be okay.
-
https://www.amazon.de/GIGABYTE-N3150N-D3V-Intel-DDR3-16GB/dp/B01ALSQA2W
I would not like to build a complete system, but only adding ram and hdd would be okay.
I bought this one:
http://www.aliexpress.com/store/product/Free-shipping-Mini-PC-Intel-Pentium-J1900-Quad-Core-2-41GHz-Fanless-Micro-PC-4G-RAM/1383581_32354251046.html
At home I have a fiber connection 100/100
I'm really satisfied, it's capable to run snort, pfBlocker and the OpenVpn client smooth as silk.
-
At home I have a fiber connection 100/100
Remember what OP has:
@user09:
- 1 Gbit firewall throughput
- 100 Mbit VPN throughput
That's 10x your speed (or your speed on VPN alone). This isn't trivial to do with off the shelf hardware.
Unless OP adapts his wishes to monetary resources this is not going to work reliably.
-
does pfsense need so much power (cpu & ram) or why are the costs so high?
if i compare it with other routers (for example the LANCOM 1781EF+ router)
(https://www.lancom-systems.de/en/products/network-connectivity/routers-vpn-gateways/lancom-1781ef-plus/overview/):
- costs: 470 Euro
- Firewall: 930 MBit/s
- VPN: 330 Mbit/s
-
At home I have a fiber connection 100/100
Remember what OP has:
@user09:
- 1 Gbit firewall throughput
- 100 Mbit VPN throughput
That's 10x your speed (or your speed on VPN alone). This isn't trivial to do with off the shelf hardware.
Unless OP adapts his wishes to monetary resources this is not going to work reliably.
I had read it, and the device fits almost perfectly to his requirements with the exception of three network ports.
Another user has confirmed:
https://forum.pfsense.org/index.php?topic=114945.msg639418#msg639418 (Reply #7)
-
does pfsense need so much power (cpu & ram) or why are the costs so high?
That's regular i386/x64 hardware you're looking at. It is not a purpose built ASIC, FPGA or such that does the work.
https://forum.pfsense.org/index.php?topic=86732.0
https://forum.pfsense.org/index.php?topic=113862.msg634832#msg634832
-
does pfsense need so much power (cpu & ram) or why are the costs so high?
if i compare it with other routers (for example the LANCOM 1781EF+ router)
(https://www.lancom-systems.de/en/products/network-connectivity/routers-vpn-gateways/lancom-1781ef-plus/overview/):
- costs: 470 Euro
- Firewall: 930 MBit/s
- VPN: 330 Mbit/s
Don't take manufacturer's performance claims at face value.
They quote performance specs under ideal test conditions which you will never see.
What was the packet size in their test?
Can it do 330 vpn and 930 overall at the same time?
Did they have any rules running?
Can it do full logging at 930?
If you are looking for a one trick pony that will just move packets quickly, it will probably do half what they claim.
If you also want sophisticated UTM type features, well - it's just not going to do that.
At your price point, you'll have to choose one or the other.
If you can tolerate high noise, pick up a short depth 2u server from ebay.
http://www.ebay.com/itm/Rackable-Tyan-2U-Low-Noise-Home-VMWare-Server-2x-E5620-Quad-Core-48GB-8x-2-5-/131891130624?hash=item1eb552f100:g:H-MAAOSwx-9WxSXE
-
What was the packet size in their test?
I found in https://www.lancom.de/fileadmin/download/documentation/Techpaper/TP-Routing-Performance-9.10-EN.pdf some tables (tcp and udp) with packet size, but I don't know which is a normal packet size.
http://www.ebay.com/itm/Rackable-Tyan-2U-Low-Noise-Home-VMWare-Server-2x-E5620-Quad-Core-48GB-8x-2-5-/131891130624?hash=item1eb552f100:g:H-MAAOSwx-9WxSXE
Unfortunately, this is no option, because of the power usage.
-
so I decided… for me pfSense is a really great firewall :)
back to hardware:
thank you very much for answers.
I found https://geizhals.de/gigabyte-brix-gb-bsi3hal-6100-a1426577.html
Does this have enough power?
needs dual nics, and this one does not have same.
it is an Intel I219-LM and an Intel I210-AT.
why is that a problem?
The advantage of the Gigabyte Brix is that I don't have to assemble parts (only ram and ssd).
https://www.amazon.de/GIGABYTE-N3150N-D3V-Intel-DDR3-16GB/dp/B01ALSQA2W
or is this the best option for me? are there problems with this mainboard and pfSense? (https://forum.pfsense.org/index.php?topic=115567.0 ??)
Are the Realtek LANs a disadvantage?
-
Are the Realtek LANs a disadvantage?
For a 1Gbps WAN connection, probably. For that reason alone I would not consider a solution with Realtek NICs. If you can stomach a mini ITX system with at least a PCIe x4 slot your options become wide open since you can add a cheap (used) server class dual or quad Intel NIC. Otherwise you'll have to search for a board with integrated Intel NICs. And Intel is not the only option in server class NIC hardware, just the most common. I've had good luck with Broadcom as well but you're not likely to find those in a small form factor board.
-
my build below only ran me about 400 dollars and it runs extremely smooth on my internet with snort, pfBlocker and OpenVPN for my 150/150 mbit connection.
pfSense i7-4510U + 2x Intel 82574 + 2x Intel i350 (miniPCIE) Mini-ITX Build
https://forum.pfsense.org/index.php?topic=113610.0
-
would this be a good configuration for pfsense?
- Case: SC101i (Supermicro)
- Intel Pentium Processor N3700
- X11SBA-LN4F Supermicro
- 8 GB SO-DDR3
- Kingston SV300S37A/60G SSDNow V300 internal SSD drive 60GB
-
would this be a good configuration for pfsense?
- Case: SC101i (Supermicro)
- Intel Pentium Processor N3700
- X11SBA-LN4F Supermicro
- 8 GB SO-DDR3
- Kingston SV300S37A/60G SSDNow V300 internal SSD drive 60GB
You will be able to push gigabit speeds with this setup, but you won't be able to get 100mbits over OpenVPN (most likely).
-
pfSense i7-4510U + 2x Intel 82574 + 2x Intel i350 (miniPCIE) Mini-ITX Build
did you test the power usage?
You will be able to push gigabit speeds with this setup, but you won't be able to get 100mbits over OpenVPN (most likely).
thanks! Is 50 Mbits OpenVPN possible?
Another configuration (which is available in Germany and without assembly):
- Intel Celeron N2930 4-Core 2,16 GHz 2MB
- 2x 1 GBit/s LAN (RJ-45) Intel 82583V
- 8 GB DDR3 1600 LV SO-DIMM ATP
- 80 GB SATA III Intel SSD MLC 2,5“ (DC S3510)
–> Unfortunately, no AES
Is that better?
-
pfSense i7-4510U + 2x Intel 82574 + 2x Intel i350 (miniPCIE) Mini-ITX Build
did you test the power usage?
You will be able to push gigabit speeds with this setup, but you won't be able to get 100mbits over OpenVPN (most likely).
thanks! Is 50 Mbits OpenVPN possible?
Another configuration (which is available in Germany and without assembly):
- Intel Celeron N2930 4-Core 2,16 GHz 2MB
- 2x 1 GBit/s LAN (RJ-45) Intel 82583V
- 8 GB DDR3 1600 LV SO-DIMM ATP
- 80 GB SATA III Intel SSD MLC 2,5“ (DC S3510)
–> Unfortunately, no AES
Is that better?
50mbps over openvpn should be possible.
OpenVPN does not support AES yet anyway - it should support it soon.
I built a similar machine with an i7 for less than 500 usd.
https://forum.pfsense.org/index.php?topic=113610.msg631641#msg631641
-
You might want to take a look at the current APU2:
http://pcengines.ch/apu2c4.htm
It doesn't reach wire speed when forwarding with rules, but around 650Mbit.
It easily does 100Mbit openvpn.
-
Maybe you'd consider sth like this:
Barebone:
http://geizhals.de/shuttle-xpc-slim-xh110v-pib-xh110v11-a1408110.html
CPU (i3 Dual-Core with SMT):
http://geizhals.de/intel-core-i3-6100-bx80662i36100-a1329935.html?hloc=at&hloc=de
RAM (dual rank 2x4GB):
2x http://geizhals.de/crucial-so-dimm-4gb-ct51264bf160b-a673173.html?hloc=at&hloc=de
and f.i. a 120 GB MLC SSD (240GB+ would be even better looking at current GB-per-€ ratio…all depends on how much you are willing to spend):
http://geizhals.de/sandisk-plus-120gb-sdssda-120g-g25-a1218323.html?hloc=at&hloc=de
Total: ca. € 380,-
If you go for a 2-core CPU without SMT, like an Intel G3900 (supports AES-NI as well), you'd be at € 300,- total.
Small, easy to install, PSU included, 2x Intel NIC included...I would have bought sth like that, if I'd build it from scratch. Or at least sth in the same size.
-
You might want to take a look at the current APU2:
…
It easily does 100Mbit openvpn.
is the "AMD Embedded G series GX-412TC, 1 GHz quad" for openvpn better than an Intel Pentium Processor N3700?
CPU (i3 Dual-Core with SMT):
http://geizhals.de/intel-core-i3-6100-bx80662i36100-a1329935.html?hloc=at&hloc=de
Unfortunately, the TDP is very high (TDP: 51W)
I've found the Supermicro A1SRi-2358F and X11SBA-LN4F Mainboard:
Supermicro A1SRi-2358F ( Intel Atom processor C2358):
- 1,7 - 2 Ghz
- 2 Core
- Intel QuickAssist
- AES-NI
- ECC Ram possible
Supermicro X11SBA-LN4F (Intel Pentium Processor N3700)
- 1.6 GHz - 2.4 GHz
- 4 Core
- no Intel QuickAssist
- no ECC RAM
so which Mainboard should I use for my configuration?
-
is the "AMD Embedded G series GX-412TC, 1 GHz quad" for openvpn better than an Intel Pentium Processor N3700?
I have a hard time believing that the AMD would be faster. Even at the same clock speed, the Intel chip will beat the AMD in pretty much any task. Both CPUs support AES-NI.
For reference I'm running an AMD CPU with 2 Jaguar (same architecture as the GX-412TC) cores at 1.45GHz. I'm still tweaking, but currently getting about 80Mbps over OpenVPN. That's with AES-NI enabled. I think it should do better, but that's the best I've achieved so far. OpenVPN is single threaded, so the core count doesn't matter in this case.
-
I've found the Supermicro A1SRi-2358F and X11SBA-LN4F Mainboard:
Supermicro A1SRi-2358F ( Intel Atom processor C2358):
- 1,7 - 2 Ghz
- 2 Core
- Intel QuickAssist
- AES-NI
- ECC Ram possible
Supermicro X11SBA-LN4F (Intel Pentium Processor N3700)
- 1.6 GHz - 2.4 GHz
- 4 Core
- no Intel QuickAssist
- no ECC RAM
so which Mainboard should I use for my configuration?
Between those two I'd choose the X11SBA-LN4F. ECC isn't really necessary for an application like pfsense. QuickAssist support is on the radar but won't help you now. I'd choose the N3700 for the higher turbo clock speed and additional cores.
-
Between those two I'd choose the X11SBA-LN4F. ECC isn't really necessary for an application like pfsense. QuickAssist support is on the radar but won't help you now. I'd choose the N3700 for the higher turbo clock speed and additional cores.
thank you very much! Did you test the openvpn performance?
-
Is a SG-4860 enough for 250 Mbit openvpn throughput ?
-
Between those two I'd choose the X11SBA-LN4F. ECC isn't really necessary for an application like pfsense. QuickAssist support is on the radar but won't help you now. I'd choose the N3700 for the higher turbo clock speed and additional cores.
thank you very much! Did you test the openvpn performance?
I don't own the N3700, so no. I'm just going on what I know about OpenVPN. The N3700 is a faster CPU than the C2358 and thus will provide better OpenVPN performance. I can't say in absolute terms how well it will perform, though.
-
Is a SG-4860 enough for 250 Mbit openvpn throughput ?
take a look here: https://forum.pfsense.org/index.php?topic=115673.0
I don't think it will safely push that much bandwidth. Based on the PassMark benchmark, it's about half the capacity of the i7-4510U - I can push about 300mbps OpenVPN theoretically when my CPU is set to CMax (turbo at 3.0ghz)
i7-4510U PassMark: https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+i7-4510U+%40+2.00GHz
C2558 Atom CPU PassMark: http://www.cpubenchmark.net/cpu.php?cpu=Intel+Atom+C2558+%40+2.40GHz
-
- Intel Pentium Processor N3700
- X11SBA-LN4F Supermicro
- 8 GB SO-DDR3
- Kingston SV300S37A/60G SSDNow V300 internal SSD drive 60GB
is it possible to use Snort with this config?
-
-
- Intel Pentium Processor N3700
- X11SBA-LN4F Supermicro
- 8 GB SO-DDR3
- Kingston SV300S37A/60G SSDNow V300 internal SSD drive 60GB
is it possible to use Snort with this config?
I got a miniPC with the Celeron N3150 as home router with a fiber connection 100/100
I've added 8GB RAM and a 120GB SSD (not easy to find less). Total cost was about $220.
It has two Realtek NICs, maybe I'm lucky but I've never seen lost packets in four months.
I'm really satisfied, it's capable to run snort, pfBlocker and the OpenVpn client to PIA smooth as silk.
No problem to reach the full line speed in OpenVPN.
Intel N3700 is a little more performant than N3150 so I think you should easily reach 130Mbs in OpenVPN.
-
Just a note with the N3700… while it doesn't have QuickAssist support, it does still have AES-NI support. I did some digging and see that about 6 months ago, OpenVPN added support for AES-GCM (ticket 301), so if you can set it up to use that, you might find much faster VPN performance. Not sure if it's set to take advantage of the Intel AES-NI or not, but it might help.
If pfSense doesn't have that option for OpenVPN, then going with IPSEC using AES-GCM should also be accelerated. Of course, that's a much larger change to be making.
-
@virgiliomi:
Just a note with the N3700… while it doesn't have QuickAssist support, it does still have AES-NI support. I did some digging and see that about 6 months ago, OpenVPN added support for AES-GCM (ticket 301), so if you can set it up to use that, you might find much faster VPN performance. Not sure if it's set to take advantage of the Intel AES-NI or not, but it might help.
If pfSense doesn't have that option for OpenVPN, then going with IPSEC using AES-GCM should also be accelerated. Of course, that's a much larger change to be making.
currently pfSense only supports AES acceleration via IPsec, not through OpenVPN. I believe the developers are looking to add support for AES with OpenVPN on the next release.
-
@virgiliomi:
Just a note with the N3700… while it doesn't have QuickAssist support, it does still have AES-NI support. I did some digging and see that about 6 months ago, OpenVPN added support for AES-GCM (ticket 301), so if you can set it up to use that, you might find much faster VPN performance. Not sure if it's set to take advantage of the Intel AES-NI or not, but it might help.
If pfSense doesn't have that option for OpenVPN, then going with IPSEC using AES-GCM should also be accelerated. Of course, that's a much larger change to be making.
currently pfSense only supports AES acceleration via IPsec, not through OpenVPN. I believe the developers are looking to add support for AES with OpenVPN on the next release.
Ok, good to know. But that's still a plus that the N3700 will offer, when the update comes. That will bring even more value to the N3700 system then!
-
currently pfSense only supports AES acceleration via IPsec, not through OpenVPN
You sure?
Do you know that OpenSSL, which is part of OpenVPN, will automatically use AES-NI when available on SOC?
No need to enable anything in pfSense in that case, as in, do not load any module, to take advantage of it.
It does very well support AES through OpenVPN, no doubt about it.
The problem is more the hashing that takes place which will be "kind of history" when GCM comes with OpenVPN 2.4.
Just do
env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-cbc
for speedtest without AES-NI, and
openssl speed -elapsed -evp aes-256-cbc
with AES-NI.
See the (big) difference?
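
The comparison suggested in the last post, as an added example that is not part of the original thread: a POSIX sh script that runs both `openssl speed` commands and reports each result in Mbit/s together with the ratio. The function names, the script name and the `run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): quantify the two `openssl speed` runs.
# Usage: sh aesni-compare.sh run [cipher]     (script name is hypothetical)

# Read `openssl speed` output on stdin and print the figure in the last column
# (largest block size, in 1000s of bytes/s) of the result row for cipher $1.
# The row starts with the cipher name; its case differs between OpenSSL versions.
speed_kbytes() {
    awk -v c="$1" '
        tolower($1) == tolower(c) && $NF ~ /^[0-9.]+k$/ { v = $NF; sub(/k$/, "", v) }
        END { if (v == "") exit 1; print v }'
}

# Convert 1000s of bytes/s to Mbit/s, the unit used for the VPN targets above.
to_mbit() {
    awk -v k="$1" 'BEGIN { printf "%.0f\n", k * 8 / 1000 }'
}

# Ratio accelerated/baseline with one decimal; fails on a zero baseline.
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b + 0 <= 0) exit 1; printf "%.1f\n", a / b }'
}

run_compare() {
    cipher=${1:-aes-256-cbc}
    # Same commands as in the post: capability bits masked, then the default run.
    soft=$(env OPENSSL_ia32cap=0 openssl speed -elapsed -evp "$cipher" 2>/dev/null |
        speed_kbytes "$cipher") || { echo "no result row for $cipher" >&2; return 1; }
    hw=$(openssl speed -elapsed -evp "$cipher" 2>/dev/null |
        speed_kbytes "$cipher") || { echo "no result row for $cipher" >&2; return 1; }
    echo "$cipher without AES-NI: $(to_mbit "$soft") Mbit/s"
    echo "$cipher with AES-NI:    $(to_mbit "$hw") Mbit/s"
    echo "speedup: $(speedup "$hw" "$soft")x (single core, cipher only, no HMAC)"
}

if [ "${1:-}" = "run" ]; then
    run_compare "${2:-aes-256-cbc}"
fi
```

The figures are a per-core ceiling for the cipher alone; as the post notes, the hashing step comes on top, so real OpenVPN throughput will be lower.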