Overkill pfsense hardware?



  • I've been lurking this forum for a while now and finally decided to build my own pfSense rig, since I live in Europe and shipping from the US will be too expensive.

    This is what I plan on going with hardware-wise:

    A1SRi-2558F-B (Atom Rangeley C2558) in a SC101S chassis

    2x4GB Kingston DDR3L ECC 1600MHz

    SuperDOM 16GB SATADOM

    All in all it will cost me about $650 plus domestic shipping.

    Would you say this setup is overkill for home use by one person on a 100/100 connection? Below are the applications I'll use pfSense for.

    Firewall, Snort, Squid, pfBlocker-NG and SquidGuard

    OpenVPN with 100Mbps throughput

    External ac-AP



  • In my opinion it depends on the number of connected devices and on their use.
    From the information you provided, for that kind of connection with just one user, the first overkill thing I can see is the price.
    This forum is full of cheaper hardware solutions, and if you have been lurking here for a while, you will already have seen several.
    Personally I have your type of Internet connection, and I bought a miniPC with the N3150 CPU, 8GB RAM, 120GB SSD and two Realtek NICs.
    It's capable of running Snort, pfBlocker and a couple of OpenVPN clients smooth as silk, and the price is a third of what you wrote.



  • It's only overkill if you're budget constrained.  Server class hardware is certainly more expensive, the advantages of ECC for a home pfSense build might be negligible, but hey, if you're a hobbyist like many of us (at least in the home lab arena), why not?

    Anecdotally, though, I have a coworker who bought a SuperMicro ITX board (I believe the A1SRi-2758F) for a FreeNAS build and it failed on him. Warranty repair has taken over 3 months; he still does not have the board back but told me today that it is at least back in the USA after repair overseas and looks to get it in the next week or so.  Something to keep in mind; certainly something I didn't expect from a well-regarded company like SuperMicro.  Components fail, I get it.  But 3 months and overseas shipping rather than a simple replacement with a new or refurbished product seems, well, ridiculous.  YMMV.



  • @mauroman33:

    Personally I have your type of Internet connection, and I bought a miniPC with the N3150 CPU, 8GB RAM, 120GB SSD and two Realtek NICs.
    It's capable of running Snort, pfBlocker and a couple of OpenVPN clients smooth as silk, and the price is a third of what you wrote.

    I'm looking at the Gigabyte N3150N D3V and it doesn't have a PCIe slot, so there's no way to add a dual Gbit Intel NIC. No problems getting the Realtek NICs to work with pfSense nowadays?

    @whosmatt:

    Anecdotally, though, I have a coworker who bought a SuperMicro ITX board (I believe the A1SRi-2758F) for a FreeNAS build and it failed on him. Warranty repair has taken over 3 months; he still does not have the board back but told me today that it is at least back in the USA after repair overseas and looks to get it in the next week or so.

    Yeah, I've read that the 2758 board has some problems. Maybe it's a good idea to stay away from SuperMicro altogether.



  • @microtrike:

    @mauroman33:

    Personally I have your type of Internet connection, and I bought a miniPC with the N3150 CPU, 8GB RAM, 120GB SSD and two Realtek NICs.
    It's capable of running Snort, pfBlocker and a couple of OpenVPN clients smooth as silk, and the price is a third of what you wrote.

    I'm looking at the Gigabyte N3150N D3V and it doesn't have a PCIe slot, so there's no way to add a dual Gbit Intel NIC. No problems getting the Realtek NICs to work with pfSense nowadays?

    I'm running the latest version of pfSense and everything is fine. It may be that this also depends on the fact that I do not host any server.
    It could be useful if someone more experienced would tell you why many are against Realtek NICs, but honestly I haven't seen a single packet loss in five months.
    So the only thing I can say is that, for my needs, these cards do not give any problem.



  • @mauroman33:

    It could be useful if someone more experienced would tell you why many are against Realtek NICs, but honestly I haven't seen a single packet loss in five months.

    These days it's mostly about performance at the edge of what the hardware is capable of.  I have plenty of Realtek NICs on my network and they're all capable of passing traffic at wire speed.  But they're all paired with full power desktop CPUs as well.  When you get an embedded system with relatively limited CPU power and try to push 1Gbps of NAT traffic across it, you're going to want server class NICs (mostly means Intel around here), mostly because they have lower CPU overhead in the drivers; they do in hardware what the Realtek (and other desktop class chipsets) do in software.



  • @whosmatt:

    @mauroman33:

    It could be useful if someone more experienced would tell you why many are against Realtek NICs, but honestly I haven't seen a single packet loss in five months.

    These days it's mostly about performance at the edge of what the hardware is capable of.  I have plenty of Realtek NICs on my network and they're all capable of passing traffic at wire speed.  But they're all paired with full power desktop CPUs as well.  When you get an embedded system with relatively limited CPU power and try to push 1Gbps of NAT traffic across it, you're going to want server class NICs (mostly means Intel around here), mostly because they have lower CPU overhead in the drivers; they do in hardware what the Realtek (and other desktop class chipsets) do in software.

    Thanks whosmatt.
    So, if I have not misunderstood, I might reasonably say that because I'm not hosting any service in my LAN, even the Realtek NICs do their dirty work.
    And that would explain why even with the attached configuration, I have not encountered any problems.
    I think the opener has now one more element to help him in his choice.




  • It's definitely overkill.
    For a 100Mbps connection, you can use a ThinClient with
    1x 1Gb onboard NIC
    2x 1Gb add-on NIC
    16GB mSATA SSD
    2GB DDR3 RAM
    and running a full version of pfSense for less than $150 (shipping included).
    With this setup, you have a throughput of 500+ Mbps between the onboard NIC and one of the NICs on the add-on card,
    and a throughput of 200+ Mbps between the 2 NICs of the add-on card.

    If you are interested, I have these ThinClients for sale on eBay.

    Grtz
    DeLorean



  • @mauroman33:

    Thanks whosmatt.
    So, if I have not misunderstood, I might reasonably say that because I'm not hosting any service in my LAN, even the Realtek NICs do their dirty work.
    And that would explain why even with the attached configuration, I have not encountered any problems.
    I think the opener has now one more element to help him in his choice.

    The best analogy I can come up with is relating the Realtek NICs to the Winmodems of old:  https://en.wikipedia.org/wiki/Softmodem, which relied on software (drivers) to do much of the work that was handled in hardware in more expensive modems.

    I think that the Realtek NICs work fine for you because you're not asking them to do much.  I would expect them to continue to work fine as you increase your throughput, up to a point where the CPU will become increasingly burdened with tasks that a server NIC would handle on its own.  There's an anecdote floating around (and I can't call it up just now) about the pfSense team testing a particular embedded box with Realtek vs Intel NICs and achieving about 600Mbps on Realtek vs close to wire speed on Intel with otherwise identical hardware.  It's not about packet loss or errors or anything like that.

    TL;DR You'd have to have a much faster WAN connection or be trying to route wire speed between LANs or VLANs for Realtek NICs to be causing any problem, and then only in throughput.  IMO.  Others may correct me.

    And to keep this thread on topic:  To OP, don't go with a thin client if you wish to use OpenVPN at anywhere near your connection speed.  As I said before, your hardware choice is only overkill because it's expensive relative to the performance.  You'll need a decently beefy CPU for sure.  The C2558 seems to fit the bill there, with AES-NI and QuickAssist.  ECC, not so much.  I'll say this:  If I had the money to spend, I'd go the server class hardware route just for IPMI.  That would be my deciding factor.
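    As an added example (not from any poster in this thread, and not pfSense project code), here is a POSIX sh snippet that makes the "done in hardware vs. done in the driver" point above inspectable: it reads the capabilities line that FreeBSD's ifconfig(8) prints for an interface and lists which checksum, segmentation and VLAN offloads the driver advertises (and which are therefore left to the CPU), plus a check for the AESNI CPU flag in the boot messages, which is what makes the C2558 attractive for OpenVPN. The ifconfig and dmesg lines embedded below are constructed samples for the example; on a real box you would feed in the output of `ifconfig re0` / `ifconfig igb0` and the contents of `/var/run/dmesg.boot`.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): inspect what a NIC driver
# advertises as hardware offload on FreeBSD/pfSense, and whether the CPU has AES-NI.
# The sample ifconfig(8) and dmesg lines are constructed; on a live box you would
# feed in "ifconfig re0" / "ifconfig igb0" and /var/run/dmesg.boot instead.

# Constructed: capabilities line of a typical Realtek re(4) port.
RE_IFCONFIG='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>'

# Constructed: capabilities line of a typical Intel igb(4) port.
IGB_IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>'

# Constructed: CPU feature lines as printed at boot, with and without AES-NI.
DMESG_AESNI='CPU: Intel(R) Atom(TM) CPU  C2558  @ 2.40GHz (2400.06-MHz K8-class CPU)
  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,TSCDLT,AESNI,RDRAND>
aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard'
DMESG_NOAESNI='CPU: VIA Esther processor 800MHz (800.00-MHz 686-class CPU)
  Features2=0x1<SSE3>'

# Offload features that move checksum/segmentation/VLAN work off the CPU.
WANTED='TXCSUM RXCSUM TSO4 TSO6 LRO VLAN_HWTAGGING VLAN_HWFILTER'

# offload_features "<ifconfig output>": print the wanted features that are present.
offload_features() {
    # pull the comma-separated list out of "options=<hex><...>"
    caps=$(printf '%s\n' "$1" | sed -n 's/.*options=[0-9a-f]*<\([^>]*\)>.*/\1/p' | head -n 1)
    out=''
    for f in $WANTED; do
        case ",$caps," in
            *",$f,"*) out="$out $f" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# missing_offloads "<ifconfig output>": the wanted features the driver does NOT
# advertise; this is the work the CPU ends up doing in software.
missing_offloads() {
    present=$(offload_features "$1")
    out=''
    for f in $WANTED; do
        case " $present " in
            *" $f "*) ;;
            *) out="$out $f" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# has_aesni "<dmesg text>": prints yes if the CPU advertises the AESNI feature flag.
has_aesni() {
    if printf '%s\n' "$1" | grep -q 'Features2=.*<[^>]*AESNI'; then
        echo yes
    else
        echo no
    fi
}

echo "re0  offloads present: $(offload_features "$RE_IFCONFIG")"
echo "re0  left to the CPU : $(missing_offloads "$RE_IFCONFIG")"
echo "igb0 offloads present: $(offload_features "$IGB_IFCONFIG")"
echo "igb0 left to the CPU : $(missing_offloads "$IGB_IFCONFIG")"
echo "C2558 AES-NI: $(has_aesni "$DMESG_AESNI")   VIA 800MHz AES-NI: $(has_aesni "$DMESG_NOAESNI")"
```

    Two caveats when reading the output on a real router: pfSense can switch checksum, TSO and LRO offload off under System > Advanced > Networking (TSO and LRO are normally left off on a box that forwards packets rather than terminating TCP), so a flag missing from `options=` may be a setting rather than a hardware limit, and QuickAssist does not show up in these flags at all; the AESNI flag only tells you the instructions exist, not how fast a given OpenVPN configuration will actually run.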



  • @whosmatt:

    @mauroman33:

    Thanks whosmatt.
    So, if I have not misunderstood, I might reasonably say that because I'm not hosting any service in my LAN, even the Realtek NICs do their dirty work.
    And that would explain why even with the attached configuration, I have not encountered any problems.
    I think the opener has now one more element to help him in his choice.

    The best analogy I can come up with is relating the Realtek NICs to the Winmodems of old:  https://en.wikipedia.org/wiki/Softmodem, which relied on software (drivers) to do much of the work that was handled in hardware in more expensive modems.

    I think that the Realtek NICs work fine for you because you're not asking them to do much.  I would expect them to continue to work fine as you increase your throughput, up to a point where the CPU will become increasingly burdened with tasks that a server NIC would handle on its own.  There's an anecdote floating around (and I can't call it up just now) about the pfSense team testing a particular embedded box with Realtek vs Intel NICs and achieving about 600Mbps on Realtek vs close to wire speed on Intel with otherwise identical hardware.  It's not about packet loss or errors or anything like that.

    TL;DR You'd have to have a much faster WAN connection or be trying to route wire speed between LANs or VLANs for Realtek NICs to be causing any problem, and then only in throughput.  IMO.  Others may correct me.

    And to keep this thread on topic:  To OP, don't go with a thin client if you wish to use OpenVPN at anywhere near your connection speed.  As I said before, your hardware choice is only overkill because it's expensive relative to the performance.  You'll need a decently beefy CPU for sure.  The C2558 seems to fit the bill there, with AES-NI and QuickAssist.  ECC, not so much.  I'll say this:  If I had the money to spend, I'd go the server class hardware route just for IPMI.  That would be my deciding factor.

    I totally agree, it all depends on the load required of the device.
    I replied to the opener based on the data he provided, and also because I remembered that a user who has a device like mine wrote that with pfSense 2.3 he has no problem getting the full 1Gbps throughput.
    https://forum.pfsense.org/index.php?topic=114945.msg639418#msg639418
    Anyway, because of my needs, I never personally tried.



  • @DeLorean:

    It's definitely overkill.
    For a 100Mbps connection, you can use a ThinClient with
    1x 1Gb onboard NIC
    2x 1Gb add-on NIC
    16GB mSATA SSD
    2GB DDR3 RAM
    and running a full version of pfSense for less than $150 (shipping included).
    With this setup, you have a throughput of 500+ Mbps between the onboard NIC and one of the NICs on the add-on card,
    and a throughput of 200+ Mbps between the 2 NICs of the add-on card.

    Agree completely.

    I'm new to pfSense/BSD but an ex-sysadmin Linux veteran from the '90s. I've observed a trend of younger *nix users not understanding how optimised these OSes are on relatively low-performance computers. The challenge to sysadmins back then (at least within my circle) was to build servers that would comfortably sit below a load average of 0.5 during high-traffic periods.

    Just to put things into perspective, consumer all-in-one routers typically have 64MB RAM and it's sufficient for most households with 2-4 people (unless of course all 4 people are torrenting on a daily basis). So…. 64MB vs 8GB ECC RAM for 1 person? I understand that it always depends on load but it's irresponsible to give that response as general advice given the specs.



  • @ziggyblur:

    Agree completely.

    I'm new to pfSense/BSD but an ex-sysadmin Linux veteran from the '90s. I've observed a trend of younger *nix users not understanding how optimised these OSes are on relatively low-performance computers. The challenge to sysadmins back then (at least within my circle) was to build servers that would comfortably sit below a load average of 0.5 during high-traffic periods.

    Just to put things into perspective, consumer all-in-one routers typically have 64MB RAM and it's sufficient for most households with 2-4 people (unless of course all 4 people are torrenting on a daily basis). So…. 64MB vs 8GB ECC RAM for 1 person? I understand that it always depends on load but it's irresponsible to give that response as general advice given the specs.

    Show me a consumer router that can push 100Mbps of OpenVPN encrypted traffic while running Snort.  That's the difference here.  It's not the routing, it's the VPN and packet sniffing.  Those simply require adequate CPU resources.  I agree 8GB is overkill and ECC for any home router is unnecessary.  I personally feel kind of dumb running a quad core pfSense box, but on my platform (AMD AM1), it's what I had to do to get 150+ Mbps of OpenVPN throughput.  I used to use a thin client (an older one with a Via 800MHz CPU with crypto acceleration) and 512MB of RAM; it was fine until my WAN connection topped 50Mbps.  Then it was marginal just with NAT, never mind any sort of crypto.  We're not comparing apples to apples here.  Yes, I realize many of the consumer routers run the Linux kernel.  I don't know if they're on ARM now; it's been a while since I used one, and the recent emergence of pfSense on ARM might make for a better comparison if that's true.  But as of now, we really can't draw much of a comparison between the two, IMO.



  • Would you say this setup is overkill for home use by one person on a 100/100 connection? below are the applications I'll use pfsense for.

    Would be OK.

    Firewall, Snort, Squid, pfBlocker-NG and SquidGuard

    The number of devices that must be served counts more here than other things; the protocols and services used might count too.

    OpenVPN with 100Mbps throughput

    It might be somewhat less than 100, given your 100/100 Internet connection line speed.

    External ac-AP

    Might be better as an internal one, because ac isn't supported yet.