Hardware for new build



  • I have been lurking for a while, and have finally decided to try and take security/performance of my router/firewall seriously. I am still not fully versed in all that pfsense can do, but like most people, who wants to build an under-powered setup…. I plan to do packet sniffing and some caching, intrusion detection etc but in all honesty currently I live by myself, so won't have THAT many devices hitting the router all at once. That being said, "future proof" makes sense, and I have a 200/20 connection that I don't want any issue with saturating, as well as possible VPN in the future.

    I am trying to decide how to proceed, either throw some parts together from a NAS I currently have which is about to be deprecated and upgraded to a full on supermicro server. The NAS hardware I have is: i3-2120T (low power unit, 2.6 GHz and Sandy Bridge, so not the newest IPC, and doesn't have AES-NI), 8 gigs of low power RAM, a sweet ITX Lian Li case, but will require purchasing a new PSU to fit said Lian Li case, and a quad Intel NIC, so say ~100-150 bucks just to get this old rig going.

    Or, instead of that, I have seen people using these mini computers with decent success, the Qotom Q190G4 which would also require I pick up some RAM for it: https://www.amazon.com/gp/product/B019Z8T9J0/ref=ox_sc_sfl_title_4?ie=UTF8&psc=1&smid=A14HQ326MGQ4AS

    In either case, I have a 120 gig Samsung 840 Evo laying around from an "old" build, so I have an SSD to pop in whichever route I go.

    Like previously stated, I am not sure what all PFsense can REALLY do for me going into the future. I plan to use squid, squidguard (I think, still not 100% clear what that does), snort and not sure what else as of yet. But I will probably not be doing anything any more crazy than the average user, so whatever performance is usually acceptable shouldn't really be an issue.



  • Go for the i3.



  • Even though either path will probably require the same initial investment to get them started, while knowing the little mini PC would use much less electricity?

    I actually don't know exactly how many watts the low power i3 uses at idle. I should probably look into that before I "worry" about the cost to run it 24/7.



  • @Asterix:

    Go for the i3.

    Agreed.  The  3215U doesn't have AES-NI either.  The i3 will simply be faster and have longer legs than the Celeron.  The NIC can be cheap; just look for older server class NICS; can be had for ~$40 for a quad port, if you really need 4 ports. 2 port Intel server NICs are around ~$20 on Amazon or Ebay.  It would probably take you years to make back the $ you spend on a new low power box based on power savings alone.  The best hardware, IMO, is what you already have, provided it will get the job done, and yours will.



  • @whosmatt:

    @Asterix:

    Go for the i3.

    Agreed.  The  3215U doesn't have AES-NI either.  The i3 will simply be faster and have longer legs than the Celeron.  The NIC can be cheap; just look for older server class NICS; can be had for ~$40 for a quad port, if you really need 4 ports. 2 port Intel server NICs are around ~$20 on Amazon or Ebay.  It would probably take you years to make back the $ you spend on a new low power box based on power savings alone.  The best hardware, IMO, is what you already have, provided it will get the job done, and yours will.

    Yea, this is probably true.

    I guess my only worry is, is a "low power" sandy bridge i3 fast enough to do lots of fun stuff? I assume it has to be. I have read people deploying Pfsense on c2d e8200's or 6600's which this chip should run circles around. Just not sure if it will have the legs to do more than just the basics on a 200/20 connection. Any idea?



  • @LIGISTX:

    I guess my only worry is, is a "low power" sandy bridge i3 fast enough to do lots of fun stuff? I assume it has to be. I have read people deploying Pfsense on c2d e8200's or 6600's which this chip should run circles around. Just not sure if it will have the legs to do more than just the basics on a 200/20 connection. Any idea?

    I think you'll be just fine. FWIW I'm running a 150/10 connection on a very slow Sempron 2650 (dual 1.45GHz) with a dual Intel NIC and it handles the connection just fine; only place it falls down is with VPN, and even then it's not too bad.

    I'll put it this way:  if you're starting out with pfSense with that hardware and a 200/20 connection you'll be able to do pretty much anything.  The only place it might slow you down a bit is with VPN, but topping 200Mbps there takes some serious CPU power; more than you'll get out of any appliance anywhere near the price range to get your current hardware up and running.  Build on what you have, get a used server NIC, and have fun.



  • @whosmatt:

    @LIGISTX:

    I guess my only worry is, is a "low power" sandy bridge i3 fast enough to do lots of fun stuff? I assume it has to be. I have read people deploying Pfsense on c2d e8200's or 6600's which this chip should run circles around. Just not sure if it will have the legs to do more than just the basics on a 200/20 connection. Any idea?

    I think you'll be just fine. FWIW I'm running a 150/10 connection on a very slow Sempron 2650 (dual 1.45GHz) with a dual Intel NIC and it handles the connection just fine; only place it falls down is with VPN, and even then it's not too bad.

    I'll put it this way:  if you're starting out with pfSense with that hardware and a 200/20 connection you'll be able to do pretty much anything.  The only place it might slow you down a bit is with VPN, but topping 200Mbps there takes some serious CPU power; more than you'll get out of any appliance anywhere near the price range to get your current hardware up and running.  Build on what you have, get a used server NIC, and have fun.

    Yea, actually looks like I had the i3's number wrong, but after looking up the correct chip, it has about the same passmark score as a q6600. Sure, they are very different chips but I guess being on par with a q6600 should mean it really should have plenty of power for average Pfsense use.

    Thanks!



  • @LIGISTX:

    Yea, actually looks like I had the i3's number wrong, but after looking up the correct chip, it has about the same passmark score as a q6600. Sure, they are very different chips but I guess being on par with a q6600 should mean it really should have plenty of power for average Pfsense use.

    Thanks!

    What's the i3 model number?  Out of curiosity.



  • @whosmatt:

    @LIGISTX:

    Yea, actually looks like I had the i3's number wrong, but after looking up the correct chip, it has about the same passmark score as a q6600. Sure, they are very different chips but I guess being on par with a q6600 should mean it really should have plenty of power for average Pfsense use.

    Thanks!

    What's the i3 model number?  Out of curiosity.

    It's a 2120t, http://ark.intel.com/m/products/53427/Intel-Core-i3-2120T-Processor-3M-Cache-2_60-GHz

    I'm also about to buy the Nic, but I'm just afraid whatever I buy on Amazon is an imitation lol. So far this looks pretty much up my alley, HP NC364T PCIe 4Pt Gigabit Server Adptr https://www.amazon.com/dp/B000P0NX3G/ref=cm_sw_r_cp_api_g9FZxbX44EX30



  • @LIGISTX:

    It's a 2120t, http://ark.intel.com/m/products/53427/Intel-Core-i3-2120T-Processor-3M-Cache-2_60-GHz

    I'm also about to buy the Nic, but I'm just afraid whatever I buy on Amazon is an imitation lol. So far this looks pretty much up my alley, HP NC364T PCIe 4Pt Gigabit Server Adptr https://www.amazon.com/dp/B000P0NX3G/ref=cm_sw_r_cp_api_g9FZxbX44EX30

    That NC364T is exactly what you want.  Cheap, but tried and true, uses a well supported Intel chipset and driver.  The CPU will also be fine.  Yeah, it's a little older, but who cares?  It will handle your connection and more.



  • @whosmatt:

    @LIGISTX:

    It's a 2120t, http://ark.intel.com/m/products/53427/Intel-Core-i3-2120T-Processor-3M-Cache-2_60-GHz

    I'm also about to buy the Nic, but I'm just afraid whatever I buy on Amazon is an imitation lol. So far this looks pretty much up my alley, HP NC364T PCIe 4Pt Gigabit Server Adptr https://www.amazon.com/dp/B000P0NX3G/ref=cm_sw_r_cp_api_g9FZxbX44EX30

    That NC364T is exactly what you want.  Cheap, but tried and true, uses a well supported Intel chipset and driver.  The CPU will also be fine.  Yeah, it's a little older, but who cares?  It will handle your connection and more.

    Yea. I actually purchased it as I typed that. I did see it's an Intel NIC, looks like it is natively supported so should be just right!

    And for 40 bucks, can't really complain! I'll have to look around if I have a PSU that will fit my case, if not I'll get a super small one in case I end up swapping to a more low profile itx case just cuz. Should be a fun little build!



  • @LIGISTX:

    Yea. I actually purchased it as I typed that. I did see it's an Intel NIC, looks like it is natively supported so should be just right!

    And for 40 bucks, can't really complain! I'll have to look around if I have a PSU that will fit my case, if not I'll get a super small one in case I end up swapping to a more low profile itx case just cuz. Should be a fun little build!

    Nice.  I have the 2 port version of the same NIC and pfSense loves it.  Enjoy your build!  You're starting at a much higher point (hardware-wise) than I did. Hope you have fun tinkering with it.



  • @whosmatt:

    @LIGISTX:

    Yea. I actually purchased it as I typed that. I did see it's an Intel NIC, looks like it is natively supported so should be just right!

    And for 40 bucks, can't really complain! I'll have to look around if I have a PSU that will fit my case, if not I'll get a super small one in case I end up swapping to a more low profile itx case just cuz. Should be a fun little build!

    Nice.  I have the 2 port version of the same NIC and pfSense loves it.  Enjoy your build!  You're starting at a much higher point (hardware-wise) than I did. Hope you have fun tinkering with it.

    Thanks!



  • and if you ever have the need to increase the connection speed via VPN client, you might try the solution provided in this thread
    https://forum.pfsense.org/index.php?topic=115992.msg652957#msg652957