Parts for building router for Gbit speeds



  • This will be my first post in this forum. But I have been here for a while. And I have used pfSense before, but that was some years ago now.

    Now, I search here and there but I don't find answers. I have upgraded my speed at home to 1000/1000. So I will now build my own router again. But when I search for hardware options that are capable of delivering solid Gbit speeds, almost all threads move on to features that I don't use.

    To the point then…
    Will a motherboard with newer onboard Celerons or Pentiums be able to deliver solid 1Gbit both ways with NAT and some basic firewall options that are found on standard routers? Or must I choose a standard motherboard and a Core i3/i5 to make this workable?
    I have 3 PCs and some portables that use internet if that is important. And I go to LAN parties, so it would be great if my build could handle up to 40 PCs on 100/100 and above lines without hiccups.



  • I have seen talk on the DSLReports forum that to get gigabit speed one needs a four-core CPU having 3.5GHz. Of course it's under debate there, and I have not had time to verify whether it's true or not. One has added that for the motherboard, an additional requirement is either onboard Intel dual-port, or dual-port Intel NIC on a x4 PCIe slot. Again I have not verified this, but you may want to look into it.



  • i5 @3.2ghz+ (the skylake non-k) cpus can be overclocked

    16gb ddr4

    120gb ssd

    dual intel lan cards (single x2 or one dual)



  • @Demnos:

    I have seen talk on the DSLReports forum that to get gigabit speed one needs a four-core CPU having 3.5GHz. Of course it's under debate there, and I have not had time to verify whether it's true or not. One has added that for the motherboard, an additional requirement is either onboard Intel dual-port, or dual-port Intel NIC on a x4 PCIe slot. Again I have not verified this, but you may want to look into it.

    I will look into it. I suspected it would take a quite strong CPU, but I had hoped for it to work with one in the middle.

    @messerchmidt:

    i5 @3.2ghz+ (the skylake non-k) cpus can be overclocked

    16gb ddr4

    120gb ssd

    dual intel lan cards (single x2 or one dual)

    Well… no, not anymore! Intel fixed this in the microcode in early summer this year. I have an i5-6400 and a Z170 motherboard and I cannot OC it. My PC resets the BC on boot. But when it did OC them, some features in them stopped working after your OC.
    But back to the subject. Is 16GB really required for those speeds? Or is it the number of PCs that increases the amount of memory?



  • If you use PPPoE you should be getting an Intel Core i3, i5 or i7 with >2,0GHz in normal mode,
    but if you are not using PPPoE, you might be able to achieve 1 GBit/s at the WAN with smaller
    appliances like the Jetway NF9HG-2930 + mSATA + 8 GB RAM + WiFi card!

    40 users with 100/100 should be achievable with the APU2C4, APU3A2 or
    Jetway NF9HG-2930 but you must first answer what kind of
    Internet connection you are using.

    If you want to be on the sure and safe side go and buy an Intel Core i CPU with 3,0GHz and
    four CPU cores to be able to route that 1 GBit/s surely.



  • @BlueKobold:

    If you use PPPoE you should be getting an Intel Core i3, i5 or i7 with >2,0GHz in normal mode,
    but if you are not using PPPoE, you might be able to achieve 1 GBit/s at the WAN with smaller
    appliances like the Jetway NF9HG-2930 + mSATA + 8 GB RAM + WiFi card!

    40 users with 100/100 should be achievable with the APU2C4, APU3A2 or
    Jetway NF9HG-2930 but you must first answer what kind of
    Internet connection you are using.

    If you want to be on the sure and safe side go and buy an Intel Core i CPU with 3,0GHz and
    four CPU cores to be able to route that 1 GBit/s surely.

    No, I don't use PPPoE.
    I have looked at the APU2C4 and APU3A2. But I'm not convinced that they will handle this. The motherboard from Jetway is interesting. Are there any tests on what it is capable of?
    Both my home and the locales that we are using have fiber installed. So that means that the slowest internet this build will face is 100/100.
    I could do that. But I am not after total overkill if a Celeron or Pentium makes it. And that is my big question that for some reason is so hard to answer. People just don't use pfSense machines as simple routers. Well, they don't write about it.



  • @Evronius:

    But back to the subject. Is 16GB really required for those speeds? Or is it the number of PCs that increases the amount of memory?

    No, 16GB is not required.  4GB will be way more than enough, even if you have a lot of client PCs (and by a lot, I mean hundreds).  2 Intel server class NICs are all you need for a simple single LAN single WAN firewall.  That's one physical card with 2 ports or 2 ports on the motherboard, whatever.  CPU should be multiple cores, as fast as you can get them, but no need to go overboard.  I'd wager even the most meager Skylake Pentium will do for just NAT and firewall rules.  More CPU horsepower comes into play with things like packet inspection and VPN.



  • No, I don't use PPPoE.

    If so your WAN connection will be CPU single-threaded and mostly slower, but if not you may be happy
    with that Jetway NF9HG-2930 board. It pulls, for a forum user here from Hong Kong, nearly 1 GBit/s
    at the WAN interface.



  • @Demnos:

    I have seen talk on the DSLReports forum that to get gigabit speed one needs a four-core CPU having 3.5GHz. Of course it's under debate there, and I have not had time to verify whether it's true or not. One has added that for the motherboard, an additional requirement is either onboard Intel dual-port, or dual-port Intel NIC on a x4 PCIe slot. Again I have not verified this, but you may want to look into it.

    That's simply ridiculous.



  • If you're in the US, Newegg has a sale going right now on an HP server for $179 that would fit your needs perfectly. It's not a low power solution like some of the embedded options but it's complete and all you'd have to do is install pfSense and configure it. Better hurry though, it's only on sale for 2 days.

    http://www.newegg.com/Product/Product.aspx?Item=2RC-001A-000S2&utm_medium=Email&utm_source=EXPRESS120316&cm_mmc=EMC-EXPRESS120316--EMC-120316-Index--ServerWorkstationSystems-_-2RC-001A-000S2-S1A1A&ignorebbr=1



  • @whosmatt:

    @Evronius:

    But back to the subject. Is 16GB really required for those speeds? Or is it the number of PCs that increases the amount of memory?

    No, 16GB is not required.  4GB will be way more than enough, even if you have a lot of client PCs (and by a lot, I mean hundreds).  2 Intel server class NICs are all you need for a simple single LAN single WAN firewall.  That's one physical card with 2 ports or 2 ports on the motherboard, whatever.  CPU should be multiple cores, as fast as you can get them, but no need to go overboard.  I'd wager even the most meager Skylake Pentium will do for just NAT and firewall rules.  More CPU horsepower comes into play with things like packet inspection and VPN.

    4GB is nice. 16GB feels like overkill.
    Those would be expensive cards if I use dual port NICs that can handle those speeds. Most of the cards that I can buy are only in PCI-E 1x version 1, and that will bottleneck. Those cards with 4x are way out of my budget. So I would go for two single port cards, if the build won't have 2 NICs from Intel.

    @BlueKobold:

    No, I don't use PPPoE.

    If so your WAN connection will be CPU single-threaded and mostly slower, but if not you may be happy
    with that Jetway NF9HG-2930 board. It pulls, for a forum user here from Hong Kong, nearly 1 GBit/s
    at the WAN interface.

    Nearly 1Gbit isn't quite good enough. Well, it depends on what nearly is in the real world. My goal is rock solid 1Gbit up and down. I understand that some overhead can make this impossible. But I believe that if I use the right parts I would hit the sweet spot of a total 2Gbit throughput on WAN - LAN. I mean, it is possible to do 10Gbit on copper and I have seen networks that work at 40Gbit…

    @VAMike:

    @Demnos:

    I have seen talk on the DSLReports forum that to get gigabit speed one needs a four-core CPU having 3.5GHz. Of course it's under debate there, and I have not had time to verify whether it's true or not. One has added that for the motherboard, an additional requirement is either onboard Intel dual-port, or dual-port Intel NIC on a x4 PCIe slot. Again I have not verified this, but you may want to look into it.

    That's simply ridiculous.

    Elaborate please.

    @Jailer:

    If you're in the US, Newegg has a sale going right now on an HP server for $179 that would fit your needs perfectly. It's not a low power solution like some of the embedded options but it's complete and all you'd have to do is install pfSense and configure it. Better hurry though, it's only on sale for 2 days.

    http://www.newegg.com/Product/Product.aspx?Item=2RC-001A-000S2&utm_medium=Email&utm_source=EXPRESS120316&cm_mmc=EMC-EXPRESS120316--EMC-120316-Index--ServerWorkstationSystems-_-2RC-001A-000S2-S1A1A&ignorebbr=1

    That's cheap. But no. I live in Sweden so Newegg is a no go.



  • @Evronius:

    @VAMike:

    @Demnos:

    I have seen talk on the DSLReports forum that to get gigabit speed one needs a four-core CPU having 3.5GHz. Of course it's under debate there, and I have not had time to verify whether it's true or not. One has added that for the motherboard, an additional requirement is either onboard Intel dual-port, or dual-port Intel NIC on a x4 PCIe slot. Again I have not verified this, but you may want to look into it.

    That's simply ridiculous.

    Elaborate please.

    I don't care if someone said it on DSLReports, that's wildly excessive for routing a single gigabit–which isn't very much bandwidth these days. You also don't need a particularly fancy NIC, again, this isn't a hard requirement to meet in 2016.

    The bigger issue is that if you actually are trying to sustain 1Gbps transfer rate that's almost impossible on a 1Gbps ethernet because you'll have a certain level of inefficiency when the medium saturates. If 900Mbps plus or minus isn't good enough then you need either a channel bonding solution or 10Gbps. You can also get a couple more percent utilization with jumbo frames, but that's not particularly useful for internet traffic.



  • @Evronius:

    I live in Sweden so newegg is a no go.

    Then Tradera or ebay is your best bet. A dual port server NIC can usually be found for 200-300SEK.



  • Dual port Intel chipset NICs can be had for $20 or $30 USD used.  I use an HP NC360T (dual 1Gbps Intel, PCIe x4) and it works perfectly.



  • @VAMike:

    The bigger issue is that if you actually are trying to sustain 1Gbps transfer rate that's almost impossible on a 1Gbps ethernet because you'll have a certain level of inefficiency when the medium saturates. If 900Mbps plus or minus isn't good enough then you need either a channel bonding solution or 10Gbps. You can also get a couple more percent utilization with jumbo frames, but that's not particularly useful for internet traffic.

    I agree, but if the ISP is handing off the connection with a single 1Gbps ethernet port it doesn't matter what OP uses above and beyond that; the ISP port would be the bottleneck if link aggregation or a 10Gbps NIC is used.

    I'd just try and match whatever the ISP is handing off to you with a quality NIC of the same speed.



  • Nearly 1Gbit isn't quite good enough. Well, it depends on what nearly is in the real world.

    936 MBit/s + TCP/IP overhead + time to process pf (firewall rules) is nearly 1 GBit/s



  • If you're just looking for a router then this may be a fun read:

    http://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/

    If not, still a fun read.



  • Sorry for late answer.

    @VAMike:

    @Evronius:

    @VAMike:

    @Demnos:

    I have seen talk on the DSLReports forum that to get gigabit speed one needs a four-core CPU having 3.5GHz. Of course it's under debate there, and I have not had time to verify whether it's true or not. One has added that for the motherboard, an additional requirement is either onboard Intel dual-port, or dual-port Intel NIC on a x4 PCIe slot. Again I have not verified this, but you may want to look into it.

    That's simply ridiculous.

    Elaborate please.

    I don't care if someone said it on DSLReports, that's wildly excessive for routing a single gigabit–which isn't very much bandwidth these days. You also don't need a particularly fancy NIC, again, this isn't a hard requirement to meet in 2016.

    The bigger issue is that if you actually are trying to sustain 1Gbps transfer rate that's almost impossible on a 1Gbps ethernet because you'll have a certain level of inefficiency when the medium saturates. If 900Mbps plus or minus isn't good enough then you need either a channel bonding solution or 10Gbps. You can also get a couple more percent utilization with jumbo frames, but that's not particularly useful for internet traffic.

    Many routers I could buy will stop between 750 and 900Mbps and that is not good in my eyes. If it needs a 10Gbit card to avoid as much overhead and other things as possible that hit the performance, I could think of buying those. But it also depends on how much CPU performance I need. And still, this is not settled.

    @AndyC:

    @Evronius:

    I live in Sweden so newegg is a no go.

    Then Tradera or ebay is your best bet. A dual port server NIC can usually be found for 200-300SEK.

    I'm checking in there from time to time and haven't found a great deal yet. But it could happen.

    @whosmatt:

    Dual port Intel chipset NICs can be had for $20 or $30 USD used.  I use an HP NC360T (dual 1Gbps Intel, PCIe x4) and it works perfectly.

    If I find one that is cheap I would do it. But I need to settle my hardware first so I don't buy something that bottlenecks.

    @whosmatt:

    @VAMike:

    The bigger issue is that if you actually are trying to sustain 1Gbps transfer rate that's almost impossible on a 1Gbps ethernet because you'll have a certain level of inefficiency when the medium saturates. If 900Mbps plus or minus isn't good enough then you need either a channel bonding solution or 10Gbps. You can also get a couple more percent utilization with jumbo frames, but that's not particularly useful for internet traffic.

    I agree, but if the ISP is handing off the connection with a single 1Gbps ethernet port it doesn't matter what OP uses above and beyond that; the ISP port would be the bottleneck if link aggregation or a 10Gbps NIC is used.

    I'd just try and match whatever the ISP is handing off to you with a quality NIC of the same speed.

    You mean that the ISP could bottleneck? Is it so that the media converter itself could lower the speeds?

    @BlueKobold:

    Nearly 1Gbit isn't quite good enough. Well, it depends on what nearly is in the real world.

    936 MBit/s + TCP/IP overhead + time to process pf (firewall rules) is nearly 1 GBit/s

    I could live with 950Mbps both ways, but I was hoping to achieve and get as close to 1Gbit as possible.

    @gbl88:

    If you're just looking for a router then this may be a fun read:

    http://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/

    If not, still a fun read.

    I read this. But I still want to build my router :)



  • Many routers I could buy will stop between 750 and 900Mbps and that is not good in my eyes.

    Then you should be buying a router that is really capable to handle nearly 1 GBit/s.

    • Intel Xeon E3 v3 (dual or quad core pending on the installed packets and running services)
    • Intel Core i3, i5 or i7 (dual or quad core pending on the installed packets and running services)
    • Intel Celeron G3260 (if it can handle all the installed packets it might be also running well for you)

    If it needs a 10Gbit card to avoid as much overhead and other things as possible that hit the performance, I could think of buying those. But it also depends on how much CPU performance I need. And still, this is not settled.

    XG-1541 or Supermicro Intel Xeon D-15x1 series will be coming with 1 GBit/s and 10 GbE port
    by default.

    I could live with 950Mbps both ways, but I was hoping to achieve and get as close to 1Gbit as possible.

    Don't get me wrong please, but you will achieve at a 1 GBit/s LAN port really 1 GBit/s + TCP/IP
    overhead and time for working out the pf (packet filter)? How should this work? Then perhaps
    you will buy a 10 GBit/s card for getting your straight 1 GBit/s? Perhaps you spend the money
    for a nice appliance and all is right for you!



  • @Evronius:

    You mean that the ISP could bottleneck? Is it so that the media converter itself could lower the speeds?

    It just depends on the media they hand off to you. All I'm saying is that if they give you a 1Gbps copper port, a 10Gbps port on your router won't make your connection any faster since it will only negotiate at 1Gbps.



  • So, I finally started purchasing parts.

    Core i3 6320
    ASRock C236WS I
    8GB Corsair Vengeance LPX 2133MHz CL13
    120GB Samsung 750 EVO

    I will start with this Core i3 and see if it can handle the speeds. If not I go for an i5 or a Xeon.

    I will return and share the results I will have from this router.



  • Sooo, how did the i3 work out?



  • @Evronius:

    I will start with this Core i3 and see if it can handle the speeds. If not I go for an i5 or a Xeon.

    You only need ~2,000 passmark for gigabit speeds, the Core i3 is about 2x - 3x faster than necessary.



  • @bshurilla:

    Sooo, how did the i3 work out?

    Sorry for late answer. The build started with a bad motherboard that burned the memory and CPU. But the warranty checked so I got new parts quite fast. The i3 is holding up quite well. I don't have pics to share, but I get around 980Mbps down and around 975Mbps up. Total WAN to LAN throughput landing on around 1890Mbps, and that speed I'm not happy with. But I think it only needs some more tuning. But one thing doesn't work well. I have turned off HT on it. When several units were online the CPU used HT threads and not the physical cores and that dragged the throughput down a lot.

    @coolspot:

    @Evronius:

    I will start with this Core i3 and see if it can handle the speeds. If not I go for an i5 or a Xeon.

    You only need ~2,000 passmark for gigabit speeds, the Core i3 is about 2x - 3x faster than necessary.

    But still I can't use the whole CPU. With HT on I get really bad performance.



  • @Evronius:

    @bshurilla:

    Sooo, how did the i3 work out?

    Sorry for late answer. The build started with a bad motherboard that burned the memory and CPU. But the warranty checked so I got new parts quite fast. The i3 is holding up quite well. I don't have pics to share, but I get around 980Mbps down and around 975Mbps up. Total WAN to LAN throughput landing on around 1890Mbps, and that speed I'm not happy with. But I think it only needs some more tuning. But one thing doesn't work well. I have turned off HT on it. When several units were online the CPU used HT threads and not the physical cores and that dragged the throughput down a lot.

    @coolspot:

    @Evronius:

    I will start with this Core i3 and see if it can handle the speeds. If not I go for an i5 or a Xeon.

    You only need ~2,000 passmark for gigabit speeds, the Core i3 is about 2x - 3x faster than necessary.

    But still I can't use the whole CPU. With HT on I get really bad performance.

    I'm also using an i3 (7320) with HT on, and I don't notice any performance issue, as far as I know.
    2 cores along with 2 threads doing ok.

    What services have you running in your pfsense box?



  • @datum:

    @Evronius:

    @bshurilla:

    Sooo, how did the i3 work out?

    Sorry for late answer. The build started with a bad motherboard that burned the memory and CPU. But the warranty checked so I got new parts quite fast. The i3 is holding up quite well. I don't have pics to share, but I get around 980Mbps down and around 975Mbps up. Total WAN to LAN throughput landing on around 1890Mbps, and that speed I'm not happy with. But I think it only needs some more tuning. But one thing doesn't work well. I have turned off HT on it. When several units were online the CPU used HT threads and not the physical cores and that dragged the throughput down a lot.

    @coolspot:

    @Evronius:

    I will start with this Core i3 and see if it can handle the speeds. If not I go for an i5 or a Xeon.

    You only need ~2,000 passmark for gigabit speeds, the Core i3 is about 2x - 3x faster than necessary.

    But still I can't use the whole CPU. With HT on I get really bad performance.

    I'm also using an i3 (7320) with HT on, and I don't notice any performance issue, as far as I know.
    2 cores along with 2 threads doing ok.

    What services have you running in your pfsense box?

    Now this I should have answered earlier on. But work got the best of me.
    The problems with the HT on the CPU were all BIOS. I did revert to an older BIOS, and then updated it again.
    The short answer is none. I use stock pfSense that's configured as a router. Only NAT and SPI are a bit changed in rules.
    But I will do some tests on my machine quite soon. My dad's business is in dire need of a better network security solution. And we are about to test both firewall and VPN performance with my machine. If it is up to the task, I am going to build one for his company. With that in mind, I will be much much more in this forum very very soon!


  • @messerchmidt:

    i5 @3.2ghz+ (the skylake non-k) cpus can be overclocked

    16gb ddr4

    120gb ssd

    It is common on here that when someone asks for hardware recommendations for gigabit WAN to recommend they buy a router that is much faster than the average desktop computer.

    The hardware recommendations are generally about the same whether the user wants to use a lot of packages & VPN or just the very basic features of pfSense (like you).

    It might be true, but I doubt it because it just doesn't make sense.

    I suspect that the reason for this is because like you stated most people don't report back with their actual performance once they buy hardware. Until that starts happening people will keep recommending heavy duty CPUs to NAT gigabit WAN, even for home use, even for no packages.

    There is sense in why this happens though, if someone gets recommended underpowered hardware and it doesn't work out they are liable to lose their minds because they wasted money and it didn't do what they wanted.
    If someone gets recommended to buy a little supercomputer to NAT gigabit WAN, buys it and surprise surprise it works. They still wasted their money, but at least it worked.

    I suspect that this can be done with a modern passively cooled celeron, but I'm also not in the IT or networking profession so you can take my opinions with a grain of salt.

    Thank you for reporting back with your findings! It is very helpful for future users to know that:

    • Celeron XYZ works for full gigabit w/ NAT only & light firewalling @ x% CPU

    • Celeron XYZ maxes out at XXXMbps w/ NAT only & light firewalling

    • Xeon XYZ works for full gigabit w/ NAT only and light firewalling @ x% CPU

    • Xeon XYZ works for full gigabit w/ NAT only and light firewalling @ x% CPU

    • i5-XXXX works for full gigabit w/ X packages and Y firewalling @ x% CPU

    • etc.

    Basically all the feedback you can give on the forums will be invaluable, not many people have gigabit WAN to test hardware out on!

    @Evronius:

    The i3[-6320 @ 2x3.90GHz w/ HT disabled] is holding up quite well… ...I get around 980Mbps down and around 975Mbps up. Total WAN to LAN throughput landing on around 1890Mbps... ...But one thing doesn't work well. I have turned off HT on it. When several units were online the CPU used HT threads and not the physical cores and that dragged the throughput down a lot.

    @Evronius:

    But still I can't use the whole CPU. With HT on I get really bad performance

    This is great feedback, thank you! Can you share what kind of system usage you're getting when the system is under load on WAN, LAN, WAN & LAN?
    How many clients is this supporting?
    It's valuable to know that you were getting gigabit with only 2 cores.

    The more detailed info you can share the better!  ;D



  • @pfBasic:

    not many people have gigabit WAN to test hardware out on!

    new users can test their new rig before using by connecting WAN inside existing (or easy to create) 1GbE LAN. imho this should be done always, if not  speed testing, it's kind of part for burning in router, including letting network interface to run fullduplex 24/3 (via iperf or some P2P disk speed).
    this is what i did and still do with H270M-ITXac + 7100T (#10, #12, #16 on that thread) i just cannot afford to put this router in prod while untested and unconfigured 100%. haven't gotten to snort yet (and surely will report back on that thread) but, hey, i3-7100T as for now gives 1GbE for "normal" traffic without a drop, which shows that cheaper Pentiums do also (does not have AVX2 though).

    /ranting
    one could argue, that testing means much hardware, time and effort - sure, but what environments pfsense is for then? plug and play at home? if one does not have hardware or time to test such router, does he/she actually need x64 based monster or should stick with OpenWRT on high-end-consumer TPLINK? i have deployed real time network intensive installations (basically never ending TCP & UDP stream) 24/7/200 interactive w/ all traffic through OpenVPN on the latter. subjectively, OpenWRT performs on not-the-cheapest TPLINKs (~60 EUR) really good.


  • @kroko:

    @pfBasic:

    not many people have gigabit WAN to test hardware out on!

    …does he/she actually need x64 based monster or should stick with OpenWRT on high-end-consumer TPLINK? i have deployed real time network intensive installations (basically never ending TCP & UDP stream) 24/7/200 interactive w/ all traffic through OpenVPN on the latter. subjectively, OpenWRT performs on not-the-cheapest TPLINKs (~60 EUR) really good.

    That's good to know about the testing on LAN!

    For myself, I started looking for an alternative to SOHO routers because my wife kept calling me telling me that the internet was down on our Archer C2 with a 15Mbps connection on a very small home network doing not much of anything. She had to unplug it and reboot several times a month.
    I looked into DD-WRT, but it carries the risk of bricking your router. I don't know how high it is but it was a small deterrent. I also was occasionally using VPN's while travelling but was annoyed with having to connect and disconnect it on each client I wanted to use it on. So I liked the idea of VPN on my router providing the service to a whole network all the time, and even high end SOHO routers are not great at this, and they cost nearly $300.
    That's how I came around to pfSense, it was much cheaper than a high end SOHO router, is dramatically more capable and carries no risk of bricking my device. My Archer C2 has performed without a hitch as an AP.

    All that to say that there are reasons to choose pfSense over DD-WRT, Open-WRT, Tomato, etc. Cost and risk of bricking being the two that standout for a home user. All of that goes out the window when people start recommending ix-core CPU's, Xeons, etc. for home users. (Gigabit is a little different but it's looking more and more like modern passively cooled celerons can NAT @ gigabit speeds).



  • this is really going off-topic. i quickly went through my memories and have to say i have flashed and reflashed routers with Open/DD-WRT more than a few hundred times. flashing since late 2000's. just last year i have reflashed about 30 routers for different project needs. it is the very first thing i do to any router that has been bought for project needs (this is a way we can strip down networking costs - take consumer grade router that is supported or known to work, flash it) or any personal needs (friend asks for advice, i recommend something that can be flashed and immediately do it). i have never ever bricked one of them through the last 10 years. but i always choose only linksys (ah, the infamous wrt56gl @ mid last decade) or for the past ~5 years always TPLINK (TL WDR3600 w/ Atheros @0.5Ghz being bang for the buck)



  • Many of new users are seeing mostly and only that there are some packets available to install on their pfSense box, but in
    real life if they are installing IDS, (Snort or Suricata), a proxy (Squid), Antispam (DansGuardian) and AVScan (ClamAV)
    we are talking then about a fully featured UTM device that should be delivering at least nearly 1 GBit/s at the WAN port!

    What do you think you must pay at SonicWall or Sophos for their SG or WXA series to get 1 GBit/s out after the AVScan?
    Then we are in the 1000 - 2000 Euro region or area and the license fee must be counted on top of this, so in my eyes to
    get one real GBit/s at the WAN for a pfSense firewall only must not be paid so hard for sure, but installing all packets
    together with 1 GBit/s at the WAN will be also not on the same stage as a lazy ~$60 router that is only doing SPI/NAT!

    Where is there the captive portal and all the other packets available to install? So it might be pointed to many things
    and not only to one or two points in that game here, as I see it right, or am I wrong now?

    For a guy in Hong Kong with 1 GBit/s FTTH fiber connection without PPPoE this set up is working great for ~360 Euros
    and delivering ~936 MBit/s as throughput in total to the LAN and this absolutely silent!

    • Jetway NF9HG-2930 ~$200
    • M350 mini-ITX case ~$50
    • 30 GB mSATA SSD ~$50
    • 8 GB DDR3 RAM ~$40
    • PSU ~$15

    So for sure if this might be all (firewall & VPN) this unit will do the job a bit longer as I see it right and together with a
    Radius Server, Captive Portal and OpenLDAP server it might be offering a really good matching security to smaller networks.


  • @BlueKobold:

    Many of new users are seeing mostly and only that there are some packets available to install on their pfSense box, but in
    real life if they are installing IDS, (Snort or Suricata), a proxy (Squid), Antispam (DansGuardian) and AVScan (ClamAV)
    we are talking then about a fully featured UTM device that should be delivering at least nearly 1 GBit/s at the WAN port!

    What do you think you must pay at SonicWall or Sophos for their SG or WXA series to get 1 GBit/s out after the AVScan?
    Then we are in the 1000 - 2000 Euro region or area and the license fee must be counted on top of this, so in my eyes to
    get one real GBit/s at the WAN for a pfSense firewall only must not be paid so hard for sure, but installing all packets
    together with 1 GBit/s at the WAN will be also not on the same stage as a lazy ~$60 router that is only doing SPI/NAT!

    Where is there the captive portal and all the other packets available to install? So it might be pointed to many things
    and not only to one or two points in that game here, as I see it right, or am I wrong now?

    For a guy in Hong Kong with 1 GBit/s FTTH fiber connection without PPPoE this set up is working great for ~360 Euros
    and delivering ~936 MBit/s as throughput in total to the LAN and this absolutely silent!

    • Jetway NF9HG-2930 ~$200
    • M350 mini-ITX case ~$50
    • 30 GB mSATA SSD ~$50
    • 8 GB DDR3 RAM ~$40
    • PSU ~$15

    So for sure if this might be all (firewall & VPN) this unit will do the job a bit longer as I see it right and together with a
    Radius Server, Captive Portal and OpenLDAP server it might be offering a really good matching security to smaller networks.

    @Evronius:

    deliver solid 1Gbit both ways with NAT and some basic Firewall options that are found on standard routers

    The OP stated that he doesn't want any of those things.

    Also, that's a €355/$380… for a celeron.... that's three years old. Horrible recommendation IMO unless the user absolutely must have SFF and is willing to pay a lot for it.



  • The OP stated that he doesn't want any of those things.

    He wants 1 GBit/s at the WAN in both directions and some basic firewall rules. SPI is done in another way inside of pf (packet filter)
    and NAT is done in another higher stage inside of pf (packet filter), so what is now your problem? And where I was not hitting the
    goal? This is an industrial board from Jetway with support to 2019 and all is solid rocking soldered on the board, only the RAM and
    mSATA must be inserted in! No turning parts, silent and quiet running and no used consumer parts from eBay!

    • 4 Intel NICs
    • max. 8 GB RAM
    • industrial grade of hardware
    • Achieve 1 GBit/s without PPPoE

    Also, that's a €355/$380… for a celeron.... that's three years old.

    If you use amazon.com you will be able to get it right for something around ~$320 as I was seeing it right today!
    And it is delivering the asked throughput (without PPPoE) and no consumer parts.

    Horrible recommendation IMO unless the user absolutely must have SFF and is willing to pay a lot for it.

    Here in Germany the APU2C4 (as a bundle) and this Jetway Board (for more speed & packets) are the best running both
    units on the market and for sure more often used than refurbished consumer parts from the (e)Bay. Nothing fancy but
    solid running and strong enough and on top silent without turning parts.



  • This really got a bit sideways :) But it is going back on track, sort of…

    @pfBasic:

    @messerchmidt:

    i5 @3.2ghz+ (the skylake non-k) cpus can be overclocked

    16gb ddr4

    120gb ssd

    It is common on here that when someone asks for hardware recommendations for gigabit WAN to recommend they buy a router that is much faster than the average desktop computer.

    The hardware recommendations are generally about the same whether the user wants to use a lot of packages & VPN or just the very basic features of pfSense (like you).

    It might be true, but I doubt it because it just doesn't make sense.

    I suspect that the reason for this is because like you stated most people don't report back with their actual performance once they buy hardware. Until that starts happening people will keep recommending heavy duty CPUs to NAT gigabit WAN, even for home use, even for no packages.

    There is sense in why this happens though, if someone gets recommended underpowered hardware and it doesn't work out they are liable to lose their minds because they wasted money and it didn't do what they wanted.
    If someone gets recommended to buy a little supercomputer to NAT gigabit WAN, buys it and surprise surprise it works. They still wasted their money, but at least it worked.

    I suspect that this can be done with a modern passively cooled celeron, but I'm also not in the IT or networking profession so you can take my opinions with a grain of salt.

    Thank you for reporting back with your findings! It is very helpful for future users to know that:

    • Celeron XYZ works for full gigabit w/ NAT only & light firewalling @ x% CPU

    • Celeron XYZ maxes out at XXXMbps w/ NAT only & light firewalling

    • Xeon XYZ works for full gigabit w/ NAT only and light firewalling @ x% CPU

    • Xeon XYZ works for full gigabit w/ NAT only and light firewalling @ x% CPU

    • i5-XXXX works for full gigabit w/ X packages and Y firewalling @ x% CPU

    • etc.

    Basically all the feedback you can give on the forums will be invaluable, not many people have gigabit WAN to test hardware out on!

    @Evronius:

    The i3[-6320 @ 2x3.90GHz w/ HT disabled] is holding up quite well… ...I get around 980Mbps down and around 975Mbps up. Total WAN to LAN throughput landing on around 1890Mbps... ...But one thing doesn't work well. I have turned off HT on it. When several units were online the CPU used HT threads and not the physical cores and that dragged the throughput down a lot.

    @Evronius:

    But still I can't use the whole CPU. With HT on I get really bad performance

    This is great feedback, thank you! Can you share what kind of system usage you're getting when the system is under load on WAN, LAN, WAN & LAN?
    How many clients is this supporting?
    It's valuable to know that you were getting gigabit with only 2 cores.

    The more detailed info you can share the better!  ;D

    I have 4 PCs now, and if I use all of them on the network the CPU usage pending between 26 and 35%. This is on WAN to LAN usage. I will do more testing and tweaking and I hope to lower this usage.

    This is a bit off-topic, but I think it has a part of this as well. I am a bit worried about the upcoming LAN event I will host. Some tests I did between 2 PCs with 10Gbit cards had a really high CPU usage. One machine has an i5-3550. The other one has an i3-4130 and it's really having problems to get 10Gbit speeds. Both up and down won't go over 4Gbit. After much tweaking I got maxed out at 5.8Gbit and the CPU usage on the i3-4130 is 100%. If I switch from the i3-4130 to i5-6400 or my new i7-7700 I get 10Gbit speeds. I checked for answers all over the internet and I find some interesting stuff here. To keep it simple, 2 Windows 10 clients on 10Gbit need 4 cores, and these will have a high CPU usage when going full 10Gbit! This got me to think and wonder over a lot of things.

    Here are a few questions I have.
    1: Does this apply to DIY and prebuilt pfSense rigs as well?
    2: Is there any performance info on DIY pfSense rigs compared to prebuilt ones?
    3: Does a prebuilt pfSense box have benefits in performance and hardware over DIY ones?

    Do I need to elaborate here, or are you all with me on where I am going with this?


  • Banned

    @Evronius:

    I have 4 PCs now, and if I use all of them on the network the CPU usage pending between 26 and 35%. This is on WAN to LAN usage. I will do more testing and tweaking and I hope to lower this usage.

    Thank you very much! Does that CPU usage change much between 1 & 4 clients? Is that utilizing the full potential of the WAN?

    @Evronius:

    This is a bit off-topic, but I think it has a part of this as well.

    It is your topic my friend!  ;)

    @Evronius:

    I am a bit worried about the upcoming LAN event I will host. Some tests I did between 2 PCs with 10Gbit cards had a really high CPU usage. One machine has an i5-3550. The other one has an i3-4130 and it's really having problems to get 10Gbit speeds. Both up and down won't go over 4Gbit. After much tweaking I got maxed out at 5.8Gbit and the CPU usage on the i3-4130 is 100%. If I switch from the i3-4130 to i5-6400 or my new i7-7700 I get 10Gbit speeds. I checked for answers all over the internet and I find some interesting stuff here. To keep it simple, 2 Windows 10 clients on 10Gbit need 4 cores, and these will have a high CPU usage when going full 10Gbit! This got me to think and wonder over a lot of things.

    Here are a few questions I have.
    1: Does this apply to DIY and prebuilt pfSense rigs as well?
    2: Is there any performance info on DIY pfSense rigs compared to prebuilt ones?
    3: Does a prebuilt pfSense box have benefits in performance and hardware over DIY ones?

    Do I need to elaborate here, or are you all with me on where I am going with this?

    10Gbit LAN is a totally different ball game. What were the tests you were using?
    I would imagine that 10Gbit WAN would be very resource intensive, but wouldn't know. I would have thought 10Gbit LAN would more or less just need good 10Gbit NICs and a good 10Gbit switch? I've read that Intel is actually not necessarily the best in town for 10Gbit NICs yet, it sounds like Chelsio is the winner in that category for now but I couldn't expound on that at all and it may not even be true anymore.

    Performance wise the pre-built boxes sold by pfSense don't have any edge over DIY, you could buy and build the exact same specs yourself if you wanted to. Generally speaking you will get a lot more performance for your money DIY than prebuilt.
    pfSense is exceptional at running on old used hardware and still providing features previously only found in very expensive industrial grade equipment.

    What the pre built pfSense units do have is a stamp of approval that they will work as intended for the rated specs and they come with a year of support from the pfSense team!
    These things are very valuable if you are applying pfSense in a professional environment to a paying customer.
    They can also be very valuable if you are looking to learn pfSense as you get a year of Gold access.
    It's up to you to decide if it's worth it to you or not for personal use, the prebuilt hardware absolutely has advantages but they won't necessarily be any faster than what you can build yourself. In fact you can very likely build a much faster unit for less money if that's the only goal.

    @BlueKobold:

    The OP stated that he doesn't want any of those things.

    …industrial board from Jetway... ...soldered on the board, only the RAM and
    mSATA must be inserted in... ...no used consumer parts from eBay!

    ...no consumer parts...

    You are likely an IT Pro and probably a very good one. You make great hardware recommendations for other IT Pro's, but you don't seem to adjust your recommendations for non-professional environments.

    You place a lot of value in "industrial" equipment. You're right, it's better but it's also a lot more expensive. That would be warranted if pfSense were known to have issues with pieced together hardware, or if it were common for used consumer grade to crap out.
    But pfSense works great on cobbled together machines, and while sure used consumer grade parts do occasionally crap out, it's not common and if they do, it's cheap to replace.
    With so many people successfully running pfSense on cheap used consumer grade hardware for years on end where is the sense in recommending they pay a lot more for premium stuff? You could also buy industrial grade SLC USB flash drives for $40/GB and it would be a lot better than the consumer stuff but where is the sense in that for a consumer level application?

    You recommend great stuff but you aren't matching your recommendations to the use case. Money matters to people.



  • @pfBasic:

    @Evronius:

    I have 4 PCs now, and if I use all of them on the network the CPU usage pending between 26 and 35%. This is on WAN to LAN usage. I will do more testing and tweaking and I hope to lower this usage.

    Thank you very much! Does that CPU usage change much between 1 & 4 clients? Is that utilizing the full potential of the WAN?

    @Evronius:

    This is a bit off-topic, but I think it has a part of this as well.

    It is your topic my friend!  ;)

    @Evronius:

    I am a bit worried about the upcoming LAN event I will host. Some tests I did between 2 PCs with 10Gbit cards had a really high CPU usage. One machine has an i5-3550. The other one has an i3-4130 and it's really having problems to get 10Gbit speeds. Both up and down won't go over 4Gbit. After much tweaking I got maxed out at 5.8Gbit and the CPU usage on the i3-4130 is 100%. If I switch from the i3-4130 to i5-6400 or my new i7-7700 I get 10Gbit speeds. I checked for answers all over the internet and I find some interesting stuff here. To keep it simple, 2 Windows 10 clients on 10Gbit need 4 cores, and these will have a high CPU usage when going full 10Gbit! This got me to think and wonder over a lot of things.

    Here are a few questions I have.
    1: Does this apply to DIY and prebuilt pfSense rigs as well?
    2: Is there any performance info on DIY pfSense rigs compared to prebuilt ones?
    3: Does a prebuilt pfSense box have benefits in performance and hardware over DIY ones?

    Do I need to elaborate here, or are you all with me on where I am going with this?

    10Gbit LAN is a totally different ball game. What were the tests you were using?
    I would imagine that 10Gbit WAN would be very resource intensive, but wouldn't know. I would have thought 10Gbit LAN would more or less just need good 10Gbit NICs and a good 10Gbit switch? I've read that Intel is actually not necessarily the best in town for 10Gbit NICs yet, it sounds like Chelsio is the winner in that category for now but I couldn't expound on that at all and it may not even be true anymore.

    Performance wise the pre-built boxes sold by pfSense don't have any edge over DIY, you could buy and build the exact same specs yourself if you wanted to. Generally speaking you will get a lot more performance for your money DIY than prebuilt.
    pfSense is exceptional at running on old used hardware and still providing features previously only found in very expensive industrial grade equipment.

    What the pre built pfSense units do have is a stamp of approval that they will work as intended for the rated specs and they come with a year of support from the pfSense team!
    These things are very valuable if you are applying pfSense in a professional environment to a paying customer.
    They can also be very valuable if you are looking to learn pfSense as you get a year of Gold access.
    It's up to you to decide if it's worth it to you or not for personal use, the prebuilt hardware absolutely has advantages but they won't necessarily be any faster than what you can build yourself. In fact you can very likely build a much faster unit for less money if that's the only goal.

    Sort of… With 1 client running hard the CPU usage is around 11%. I think it is quite high usage, but then I do have fast internet. I have not checked out the usage when 2 or 3 clients are going rampage on the network and internet. And yes, I was utilizing the WAN 100% when I checked the CPU usage on 4 clients. I just noticed that I haven't checked the RAM usage yet. So I overlooked that. But 8GB would be more than enough.
    And here is what I was thinking on the performance on 1Gbit vs 10Gbit test. When this box is driving the upcoming Easter LAN party, it will have around 50 PCs on it. And games today are internet based. Almost no new games run local TCP or IPX. And with so many PCs pushing both games and a lot of other stuff on the internet it would be a lot of stress on the CPU. So I figured that a quick speedtest on 10Gbit would give a clue on how hard many clients would impact. But I also see why this isn't applicable here. A big miss from my side. Got sidetracked by my own hype here.
    But compared to the prebuilt boxes my machine would handle a high number of clients quite easily. I will know this for sure when the LAN is up and running.

    When I tested the Intel X540-T1 NICs it was both small files and big files up to 40GB each in ordinary Windows file transfer. No programs used. These cards are for an upcoming project that is pure fun and has no other purpose than that :) But it would be quite nice to use these. But the high CPU usage when transferring files doesn't feel great.