CPU for Specific Packages and WAN Speed

  • Right now, I've got a 100Mb/20Mb package through Comcast.  My current pfSense box is getting long in the tooth.  It's probably 7 years old by now.  Supermicro 1U Atom 330, 2GB RAM, dual Samsung 840Pro SSDs in GEOM mirror and Intel "em" dual port NICs.  I'm getting consistent crashes every week or so.  I think this is due to thermal damage of the motherboard.  There was a small fan on the CPU heatsink and it went out for a while.  I'm sure it was out for months (or more) and I never knew.  These crashes are also seeing the GEOM mirror rebuilding itself.

    I'm currently running the following:

    3 OpenVPN clients to PIA
    1 OpenVPN server for our laptops and mobile devices (5 or 6 in all)
    pfBlockerNG installed but not configured for ad-blocking
    2 Aerohive APs with 8 wireless devices (will be adding more home automation in the future)
    2 people + whatever guests we have.

    The OpenVPN client is using about 1.45 CPU time during load.  I'm only getting about 3-3.5MBps down.  I'm wasting my speed with hardware that can't support what I want to do.

    What I'd like to cover with a new build:

    All of the above + possibility for 1Gb WAN from CenturyLink (I know of the PPPoE issue with the igb driver.  Maybe I could keep the em Intel NIC for WAN)
    Possible IPsec VPN for work.
    Separate guest network.  Aerohive APs are already broadcasting a guest SSID, but I haven't trunked the interface from the pfSense to my Cisco 3750E switch.  Aerohives can also present a captive portal and do QoS on the SSID.
    Suricata looks interesting!
    ClamAV could be nice for inbound file scanning

    I've been reading the Hardware forum and I can't see anyone calling out these specific packages and requesting assistance in picking a CPU.  I'm wondering if the Intel Atom C2758 with 8GB of RAM would accommodate my needs and wishlist.  I'll swap out the Samsung SSDs for Micron 550 SSDs.  I had read that TRIM was not supported for Samsung SSDs in Linux/Unix.  Is that true?  Will pfSense create a ZFS mirrored boot device?  I know that AES-NI and QuickAssist will be great things to have to offload some of the VPN stress.  I also read that OpenVPN 2.4 (when it comes out) takes greater advantage of AES-NI.  This will still be in a 1U rackmount chassis.  Am I hoping that the C2758 will do more than it's capable of?  Thanks for the advice!

  • If you're in a 1U chassis, all sorts of options are open to you.

    Without giving specific recommendations, I can list what I'd prioritize. I'm not going to go for embedded solution answers due to your 1U preference, though the pfsense store does have 1U appliances that will likely crush your workload.

    1. High clock speed, and at least four cores (not 2 cores with SMT). OpenVPN tunnels are currently single threaded.  You have three, as do I, so each can use a single logical core, but the raw speed of that core will ultimately determine the throughput of each tunnel.
    2. AES-NI will help now. QuickAssist for the future.
    3. Ultimate future-proofing would be a socketed (and therefore likely NOT fanless) motherboard, but having a 1U chassis where you can swap the board without replacing the entire system is second best.
    4. Upgradeable RAM.  4GB is probably fine for your use case.  But for the future…  ECC if you're especially concerned with uptime.  Likely you'll be upgrading and therefore rebooting far more often than is warranted by ECC.
    5. A combination of embedded Intel NICs and a PCI-e x4 slot to add more (or to use your older NIC with the em driver).

    As for your storage questions, I'll leave those for others to answer.  I'd love to see pfsense run from rpool with the ability to add a mirror.
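The reply above puts a fast core and AES-NI at the top of the list, and the original poster asks how much AES-NI will actually buy. A quick way to answer that on the box you are evaluating (pfSense is FreeBSD, so the same `openssl` binary is there) is to run `openssl speed` twice, once normally and once with the AES-NI CPUID bit masked via the documented `OPENSSL_ia32cap` variable, then compare the 1024-byte-block figure, which is close to the packet sizes a VPN tunnel pushes. The script below is an added example written for this thread, not code from either poster or from the pfSense project. It assumes `openssl` is on the path, that bit 57 of `OPENSSL_ia32cap` is the AES-NI flag (this matches the OpenSSL documentation of that variable), and that the live benchmark is only wanted when `PFBENCH_LIVE=1` is set; by default it exercises the parser on a constructed sample of `openssl speed` output so it runs offline.

```shell
#!/bin/sh
# Added example (not from the forum thread): estimate how much AES-NI helps
# AES-256 throughput by benchmarking OpenSSL with and without the CPU flag.

# Constructed sample of `openssl speed -evp aes-256-cbc` output, used for the
# offline demonstration. Columns: type, 16, 64, 256, 1024, 8192, 16384 bytes.
SAMPLE_OUTPUT="The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc     674512.12k  1073321.43k  1214331.90k  1253417.71k  1255466.33k  1258291.20k"

# parse_kbps CIPHER < output
# Print the 1024-byte-block figure (in kB/s) for CIPHER from `openssl speed` output.
parse_kbps() {
    awk -v c="$1" '$1 == c && $5 ~ /k$/ { sub(/k$/, "", $5); print $5; exit }'
}

# speedup WITH WITHOUT
# Print WITH/WITHOUT as a ratio with one decimal place (e.g. "4.2").
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b + 0 == 0) { print "n/a" } else { printf "%.1f\n", a / b } }'
}

# Return 0 if the CPU advertises AES-NI: FreeBSD lists it in the boot
# messages as AESNI, Linux lists "aes" in /proc/cpuinfo flags.
has_aesni() {
    if [ -r /var/run/dmesg.boot ] && grep -q 'AESNI' /var/run/dmesg.boot; then
        return 0
    fi
    if [ -r /proc/cpuinfo ] && grep -qw 'aes' /proc/cpuinfo; then
        return 0
    fi
    return 1
}

# live_bench CIPHER
# Run openssl speed with AES-NI on, then with bit 57 (AES-NI) masked off, and
# print "on off ratio". Takes about 40 seconds per cipher on most systems.
live_bench() {
    cipher=${1:-aes-256-cbc}
    on=$(openssl speed -evp "$cipher" 2>/dev/null | parse_kbps "$cipher")
    off=$(OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp "$cipher" 2>/dev/null | parse_kbps "$cipher")
    printf '%s %s %s\n' "$on" "$off" "$(speedup "$on" "$off")"
}

# Offline demonstration on the constructed sample: a hypothetical 300000 kB/s
# software-only figure next to the sample's AES-NI figure.
sample_on=$(printf '%s\n' "$SAMPLE_OUTPUT" | parse_kbps aes-256-cbc)
sample_off=300000
printf 'sample: aes-ni=%s kB/s software=%s kB/s speedup=%sx\n' \
    "$sample_on" "$sample_off" "$(speedup "$sample_on" "$sample_off")"

if has_aesni; then
    echo "this CPU advertises AES-NI"
else
    echo "no AES-NI flag found on this CPU (or flag source not readable)"
fi

# Real measurement only on request, since it runs openssl speed twice.
if [ "${PFBENCH_LIVE:-0}" = 1 ] && command -v openssl >/dev/null 2>&1; then
    echo "live aes-256-cbc: on/off/ratio -> $(live_bench aes-256-cbc)"
fi
```

Run it as `PFBENCH_LIVE=1 sh aesni-check.sh` on the candidate hardware to get the real on/off ratio; if the ratio is close to 1.0 the build of OpenSSL in use is not dispatching to the AES-NI code path, which is worth knowing before attributing VPN throughput to the CPU. The 1024-byte column is the figure to watch because OpenVPN encrypts roughly MTU-sized records, and the large-block numbers overstate what a tunnel will see.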
