    Do Threads Work Like Cores for pfsense?

    Hardware
      VAMike

      @darkarn:

      And yeah, too bad that most of the dual-NIC motherboards are just one Intel and one [insert other brand here]

      Most of the newer Intel desktop chipsets have an integrated NIC (that's why there are so many Intel NICs all of a sudden–they're free; note that this isn't a particularly special NIC, it's functionally identical to a later-model RTL8111.) The second NIC is a discrete component, and in a business where margins are thin the RTL interfaces have a much more attractive price point and most people in the world do not care (since they are functionally equivalent parts). I've heard that FreeBSD may finally be getting its Realtek drivers under control, which would be nice. (Even OpenBSD hasn't had the stability problems on re(4) that FreeBSD has.) There's also a driver from Realtek itself that some FreeBSD users have had good success with, but I don't know if anyone's managed to get it to work with pfSense.

        darkarn

        @VAMike:

        Most of the newer Intel desktop chipsets have an integrated NIC (that's why there are so many Intel NICs all of a sudden–they're free; note that this isn't a particularly special NIC, it's functionally identical to a later-model RTL8111.) The second NIC is a discrete component, and in a business where margins are thin the RTL interfaces have a much more attractive price point and most people in the world do not care (since they are functionally equivalent parts). I've heard that FreeBSD may finally be getting its Realtek drivers under control, which would be nice. (Even OpenBSD hasn't had the stability problems on re(4) that FreeBSD has.) There's also a driver from Realtek itself that some FreeBSD users have had good success with, but I don't know if anyone's managed to get it to work with pfSense.

        Hmm so in terms of performance, in the context of home usage, are these NICs the same?

          darkarn

          Hmm. After speaking to some people, I think I would like to hold off on the planning for now as Kaby Lake is just next month; I may either use that or at least get Skylake for cheaper

          Meanwhile, let me use a spare XPS 420, one dual port Intel NIC and another single port Intel NIC and see how that goes

            darkarn

            So far so good, am into my first 24hrs of pfsense now

            The XPS 420's Q6600 (2.40GHz Quad Core) and 8GB of RAM seem decent but I noticed a slight reduction of net throughput. I have tried some packages but I keep accidentally blocking the entire Internet lol so I decided to remove most of them and then reinstall them on a need-to-use basis (e.g. going with either squid or HAProxy for reverse proxy)

            I noticed that pfsense has a very steep learning curve as compared to other custom router firmwares

              Taiidan

              @darkarn:

              Hmm so in terms of performance, in the context of home usage, are these NICs the same?

              Benchmark a "gigabit" Realtek or Broadcom and you get at best 70MB/s; with an Intel desktop LOM from 10 years ago you get 115MB/s. Server network interfaces theoretically have lower CPU usage, slightly faster speeds and of course more features such as SR-IOV, iSCSI boot and/or acceleration, etc.

              You can pick up server-pull NICs for cheap on eBay, such as the Silicom 6-port Intel chipset (no SR-IOV fyi) or Mellanox ConnectX-2 - there are a lot of options and not all of them are Intel, however anything from Broadcom or Realtek is garbage.

              If you want SR-IOV don't buy Dell rebrands as they disable that because reasons, and if you want to run it in a VM you want SR-IOV for performance and security (although you need a chipset with IOMMU and the like as well, pm me if you want help with finding hardware that works with this)

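The throughput figures argued over in this thread are easy to check yourself rather than take on brand reputation. The script below is an added example (not code from the thread, from pfSense, or from iperf3): it reads the JSON that `iperf3 -J` produces for a TCP run, converts the receiver's bits/s into the MB/s figures people quote, compares the result with the best TCP goodput a 1500-byte-MTU gigabit link can physically deliver (about 949 Mbit/s, not 1000), and flags retransmits separately, since a low number with many retransmits points at cabling, duplex or offload problems rather than at the chipset. The two iperf3 results embedded in it are constructed, as are the 85% and 50-retransmit thresholds.

```python
"""Judge an iperf3 TCP run against gigabit line rate.
Added example, not from the forum thread. Input is iperf3's -J (JSON)
output; the two results below are constructed, not captured."""
import json

LINE_RATE_BPS = 1_000_000_000  # 1000BASE-T
# With a 1500-byte MTU each frame carries 1460 bytes of TCP payload inside
# 1538 bytes on the wire (preamble, SFD, Ethernet/IPv4/TCP headers, FCS, IFG),
# so the best possible TCP goodput is ~949 Mbit/s, not 1000.
MAX_TCP_GOODPUT_BPS = LINE_RATE_BPS * 1460 / 1538

# Constructed iperf3 -J results, trimmed to the fields this script reads.
FAST_NIC_RUN = json.dumps({"end": {
    "sum_sent": {"bytes": 1176250000, "bits_per_second": 941000000.0, "retransmits": 3},
    "sum_received": {"bytes": 1176250000, "bits_per_second": 941000000.0}}})
SLOW_NIC_RUN = json.dumps({"end": {
    "sum_sent": {"bytes": 700000000, "bits_per_second": 560000000.0, "retransmits": 412},
    "sum_received": {"bytes": 700000000, "bits_per_second": 560000000.0}}})


def summarize(iperf_json_text):
    """Extract receiver goodput and sender retransmits from an iperf3 TCP run."""
    end = json.loads(iperf_json_text)["end"]
    bps = end["sum_received"]["bits_per_second"]
    return {
        "bits_per_second": bps,
        "mbytes_per_second": bps / 8 / 1_000_000,     # decimal MB/s, as quoted in the thread
        "mibytes_per_second": bps / 8 / (1024 ** 2),  # MiB/s, what file-copy dialogs show
        "fraction_of_max": bps / MAX_TCP_GOODPUT_BPS,
        "retransmits": end["sum_sent"].get("retransmits", 0),
    }


def verdict(summary, min_fraction=0.85, max_retransmits=50):
    """'ok' when the link delivers most of the achievable TCP goodput with few
    retransmits; otherwise name the symptom so the right thing gets investigated
    (cabling, duplex, offloads, interrupt/CPU load) rather than the NIC brand.
    Thresholds are assumptions; tune them for your own link."""
    if summary["retransmits"] > max_retransmits:
        return "retransmits: check cabling, duplex, or offload settings"
    if summary["fraction_of_max"] < min_fraction:
        return "below line rate: check driver, interrupt/CPU load, or offloads"
    return "ok"


if __name__ == "__main__":
    for name, run in (("fast", FAST_NIC_RUN), ("slow", SLOW_NIC_RUN)):
        s = summarize(run)
        print(f"{name}: {s['mbytes_per_second']:.1f} MB/s "
              f"({s['fraction_of_max']:.0%} of max), "
              f"{s['retransmits']} retransmits -> {verdict(s)}")
```

Run `iperf3 -s` on one host and `iperf3 -c <server> -t 30 -J > run.json` on the other, then feed `run.json` to `summarize`. Test with the firewall as one endpoint and as a forwarding hop separately, since a NIC that hits line rate as an endpoint can still fall short when the CPU has to handle both interfaces' interrupts at once.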
                VAMike

                @Taiidan:

                Benchmark a "gigabit" realtek or broadcom you get at best 70MB/s

                That's simply not true, so the rest can be safely ignored.

                  dreamslacker

                  @darkarn:

                  Ah, sorry, I forgot to put out my requirements, let's see if this is ok:

                  1. 5 permanent users (me + family members); need to be able to scale up to 25 users in case of visitors
                  2. 20 permanent devices (7 PC/laptops, 13 mobile devices); need to be able to scale up to 50 devices in case of visitors
                  3. Undecided on packages due to inexperience with pfSense; pending further evaluation
                  4. Internet Types: 1Gbps up/down fiber internet + 100Mbps up/down cable internet (see: https://www.starhub.com/personal/broadband/dual-broadband-plan/price-plans.html#Dual-Broadband) => Dual WAN features like failover required
                  5. Possibility of VPN usage (e.g. outside computer connecting to a certain PC in network)
                  6. Possibility of cryptography features if any => AES-NI desired
                  7. LAN: 1 8-port TP-Link Smart Switch (TL-SG2008), Wifi: Asus AC66u as Wireless Access Point (connected via Sineoji PL1800EP as it will be placed in a different room for house-wide access)

                  Number of devices doesn't matter as long as your edge devices (access points, switch uplinks etc) can handle the load.

                  A Core i5 will easily handle what you need, just get a little more memory (8GB or more depending on the packages you eventually run).
                  For reference, I'm using a Pentium G3220 (Haswell Generation Dual Core 3.0GHz) with my ViewQwest 1G connection and it's only loading to about 30% across both cores when I max out my downloads.
                  I've previously run Snort and Suricata (separate occasions) for testing and it still wasn't CPU limited.

                  Dual-WAN failover is easy to setup using Gateway group(s) and PBR through the Firewall rules.

                  AFAIK, Suckhub doesn't use PPPoE for their residential FTTH. You do need to take note that they deliver IPTV through port 2 on the ONT and it's VLAN tagged traffic (VID 1091 when I did the setup for a customer last month). You don't want to be parsing this through pfSense - let VLAN capable switches handle this or just directly port it to the outlet that the STB will connect to.

                  Supermicro is distributed by Taknet here. They do have the SYS-E200-9B but it will set you back a pretty penny - I just deployed one unit for my customer to run pfSense with dual WAN.
                  The system with 4GB of RAM, a 120GB mSATA SSD, and 3 years NBD on-site hardware replacement is over S$1000. That's just the hardware and doesn't include any delivery or services of any sort.

                  You don't need HAVP if you are running SQUID. SQUID 3 already includes the option for scanning - however, I'd still recommend using a decent antivirus instead. Sophos Home is free and allows you to manage up to 10 devices remotely using the online dashboard.
                  Honestly, I wouldn't bother running SQUID with connections as fast as we get here unless there is a need to filter websites.

                  There is no need to install any special DNS packages. pfSense already allows you to setup multiple DNS servers and comes with DNS Resolver activated by default. In fact, setting up multiple DNS servers is actually a requirement to run multi-WAN (at least 1 per WAN connection). I'd highly recommend using OpenDNS and/ or Google DNS - lest Suckhub's DNS servers get DDoSed into oblivion again.

                    darkarn

                    @Taiidan:

                    Benchmark a "gigabit" Realtek or Broadcom and you get at best 70MB/s; with an Intel desktop LOM from 10 years ago you get 115MB/s. Server network interfaces theoretically have lower CPU usage, slightly faster speeds and of course more features such as SR-IOV, iSCSI boot and/or acceleration, etc.

                    You can pick up server-pull NICs for cheap on eBay, such as the Silicom 6-port Intel chipset (no SR-IOV fyi) or Mellanox ConnectX-2 - there are a lot of options and not all of them are Intel, however anything from Broadcom or Realtek is garbage.

                    If you want SR-IOV don't buy Dell rebrands as they disable that because reasons, and if you want to run it in a VM you want SR-IOV for performance and security (although you need a chipset with IOMMU and the like as well, pm me if you want help with finding hardware that works with this)

                    I have heard of SRIOV but I don't think I will need it seeing that after some usage, I prefer pfSense to be by itself and not as a VM

                    @VAMike:

                    @Taiidan:

                    Benchmark a "gigabit" realtek or broadcom you get at best 70MB/s

                    That's simply not true, so the rest can be safely ignored.

                    Hmm I don't know; I just noticed that an old integrated Atheros NIC can be easily beaten by an Intel NIC on a PCIe card in transferring stuff to and back from a NAS

                    @dreamslacker:

                    Number of devices doesn't matter as long as your edge devices (access points, switch uplinks etc) can handle the load.

                    A Core i5 will easily handle what you need, just get a little more memory (8GB or more depending on the packages you eventually run).
                    For reference, I'm using a Pentium G3220 (Haswell Generation Dual Core 3.0GHz) with my ViewQwest 1G connection and it's only loading to about 30% across both cores when I max out my downloads.
                    I've previously run Snort and Suricata (separate occasions) for testing and it still wasn't CPU limited.

                    Dual-WAN failover is easy to setup using Gateway group(s) and PBR through the Firewall rules.

                    AFAIK, Suckhub doesn't use PPPoE for their residential FTTH. You do need to take note that they deliver IPTV through port 2 on the ONT and it's VLAN tagged traffic (VID 1091 when I did the setup for a customer last month). You don't want to be parsing this through pfSense - let VLAN capable switches handle this or just directly port it to the outlet that the STB will connect to.

                    Supermicro is distributed by Taknet here. They do have the SYS-E200-9B but it will set you back a pretty penny - I just deployed one unit for my customer to run pfSense with dual WAN.
                    The system with 4GB of RAM, a 120GB mSATA SSD, and 3 years NBD on-site hardware replacement is over S$1000. That's just the hardware and doesn't include any delivery or services of any sort.

                    You don't need HAVP if you are running SQUID. SQUID 3 already includes the option for scanning - however, I'd still recommend using a decent antivirus instead. Sophos Home is free and allows you to manage up to 10 devices remotely using the online dashboard.
                    Honestly, I wouldn't bother running SQUID with connections as fast as we get here unless there is a need to filter websites.

                    There is no need to install any special DNS packages. pfSense already allows you to setup multiple DNS servers and comes with DNS Resolver activated by default. In fact, setting up multiple DNS servers is actually a requirement to run multi-WAN (at least 1 per WAN connection). I'd highly recommend using OpenDNS and/ or Google DNS - lest Suckhub's DNS servers get DDoSed into oblivion again.

                    Wow, nice to see a fellow Singaporean here! Let's see…

                    1. Thanks, then I guess my current edge devices are ok for home usage
                    2. Hmm my Q6600 is about 12% load at idle... It looks like that an i3 would be sufficient? (I am seeing very interesting deals in Carousell that use i5 though)
                    3. I am unsure about Snort and Suricata as of now; I kept accidentally locking my entire home network out of the Internet entirely! I have success with pfBlockerNG though in blocking ads router-side
                    4. No worries about the IPTV; my TV and landline are using separate cable modems
                    5. Supermicro stuff look really tempting to me too! Too expensive unfortunately... And just wondering, what are you working as?
                    6. I just realised that HAVP is no longer available in pfSense. I have also tried SQUID and like what you said, realised that it did not help as the connections are fast enough (and also the websites that me and family members go to are quite diverse anyway). Thanks for recommending Sophos Home, I will take a look at it.
                    7. Yep, that DDoS incident was pretty much the last straw. Funny part is, my family is not affected as I have already set up OpenDNS on router-side for years to block out some unwanted websites. I decided to go with pfSense instead of Asus-Merlin to pre-empt situations where OpenDNS will go down, leaving me with no other DNS left. pfSense's ability to use multiple DNSes won me over in this aspect!

                      dreamslacker

                      @darkarn:

                      Wow, nice to see a fellow Singaporean here! Let's see…

                      1. Thanks, then I guess my current edge devices are ok for home usage
                      2. Hmm my Q6600 is about 12% load at idle... It looks like that an i3 would be sufficient? (I am seeing very interesting deals in Carousell that use i5 though)
                      3. I am unsure about Snort and Suricata as of now; I kept accidentally locking my entire home network out of the Internet entirely! I have success with pfBlockerNG though in blocking ads router-side
                      4. No worries about the IPTV; my TV and landline are using separate cable modems
                      5. Supermicro stuff look really tempting to me too! Too expensive unfortunately... And just wondering, what are you working as?
                      6. I just realised that HAVP is no longer available in pfSense. I have also tried SQUID and like what you said, realised that it did not help as the connections are fast enough (and also the websites that me and family members go to are quite diverse anyway). Thanks for recommending Sophos Home, I will take a look at it.
                      7. Yep, that DDoS incident was pretty much the last straw. Funny part is, my family is not affected as I have already set up OpenDNS on router-side for years to block out some unwanted websites. I decided to go with pfSense instead of Asus-Merlin to pre-empt situations where OpenDNS will go down, leaving me with no other DNS left. pfSense's ability to use multiple DNSes won me over in this aspect!

                      1. As long as you are not trying to use powerline adapters. Those things are horrendous in practical use despite the marketing claims. I only deploy these as a pure last ditch effort - for customers who rent and can't run structured cabling or get any decent wireless connection.

                      2. For strict firewalling/ NAT/ traffic shaping, even a C2D would suffice for a 1 Gbps connection. Running the Q6600 is sufficient but it's horrendously power inefficient compared to the current offerings.

                      3. When setting up Snort or Suricata, you should not enable blocking initially. Monitor the flags and logs over a period of at least a fortnight to determine what rules and/ or categories you need to disable before you enable the blocking mode.

                      4. Starhub is replacing the coax based units with IPTV. Their 20 year lease on the coax infrastructure is coming to an end. New subscribers are now forced to use IPTV provisioned over fibre. As are any old subscribers who need to replace their STB.

                      5. I work for an SI. In short, I'm the bao kar liao guy for technical there.

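The advice above about running Snort or Suricata in alert-only mode for a fortnight is only useful if the collected alerts are actually reviewed, and by hand that is tedious. The script below is an added example (not code from the thread, from pfSense, or from the Suricata package): it reads Suricata's eve.json, keeps only alert records, groups them by signature, and picks out the rules that would have blocked the LAN's own hosts, ignoring inbound alerts from outside sources regardless of volume. For each candidate it writes a `suppress` entry in Suricata's threshold.config syntax: scoped to one source IP when a single host is responsible, or for the whole rule when it fires across the LAN. The LAN prefix, the local-range SIDs and the log records are constructed assumptions.

```python
"""Rank Suricata alerts by signature before enabling blocking mode.
Added example, not from the forum thread or from the pfSense/Suricata packages.
Feed it the eve.json collected while blocking was off; it shows which rules
would have blocked your own hosts and emits threshold.config suppress lines
for review. The LAN prefix and the records below are assumptions."""
import ipaddress
import json

# Assumed LAN (hypothetical; substitute your own subnet).
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed EVE records using local-range SIDs; not real rule names.
SAMPLE_EVE = """\
{"timestamp":"2017-01-02T10:00:01+0800","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.5","alert":{"gid":1,"signature_id":1000001,"signature":"LOCAL POLICY noisy outbound test A","category":"Potentially Bad Traffic","severity":3}}
{"timestamp":"2017-01-02T10:00:05+0800","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.5","alert":{"gid":1,"signature_id":1000001,"signature":"LOCAL POLICY noisy outbound test A","category":"Potentially Bad Traffic","severity":3}}
{"timestamp":"2017-01-02T10:00:09+0800","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.5","alert":{"gid":1,"signature_id":1000001,"signature":"LOCAL POLICY noisy outbound test A","category":"Potentially Bad Traffic","severity":3}}
{"timestamp":"2017-01-02T11:00:00+0800","event_type":"alert","src_ip":"192.168.1.21","dest_ip":"203.0.113.9","alert":{"gid":1,"signature_id":1000002,"signature":"LOCAL POLICY outbound test B","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2017-01-02T12:00:00+0800","event_type":"alert","src_ip":"192.168.1.22","dest_ip":"203.0.113.9","alert":{"gid":1,"signature_id":1000002,"signature":"LOCAL POLICY outbound test B","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2017-01-02T12:01:00+0800","event_type":"flow","src_ip":"192.168.1.21","dest_ip":"203.0.113.9"}
{"timestamp":"2017-01-02T12:30:00+0800","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.10","alert":{"gid":1,"signature_id":1000003,"signature":"LOCAL SCAN inbound test C","category":"Attempted Recon","severity":2}}
{"timestamp":"2017-01-02T12:31:00+0800","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.10","alert":{"gid":1,"signature_id":1000003,"signature":"LOCAL SCAN inbound test C","category":"Attempted Recon","severity":2}}
{"timestamp":"2017-01-02T13:00:00+0800","event_type":"alert","src_ip":"192.168.1.23","dest_ip":"203.0.113.12","alert":{"gid":1,"signature_id":1000004,"signature":"LOCAL POLICY rare outbound test D","category":"Potentially Bad Traffic","severity":3}}
"""


def parse_alerts(eve_text):
    """Return the alert records from EVE JSON text (one JSON object per line)."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def tally_by_signature(alerts):
    """Group alerts by (gid, sid); count hits and split sources into LAN/outside."""
    stats = {}
    for rec in alerts:
        al = rec["alert"]
        key = (al["gid"], al["signature_id"])
        entry = stats.setdefault(key, {
            "signature": al["signature"], "category": al["category"],
            "hits": 0, "internal_srcs": set(), "external_srcs": set()})
        entry["hits"] += 1
        src = ipaddress.ip_address(rec["src_ip"])
        bucket = "internal_srcs" if src in INTERNAL_NET else "external_srcs"
        entry[bucket].add(str(src))
    return stats


def suppression_candidates(stats, min_hits=2):
    """Rules worth reviewing before blocking goes on: those that fire on traffic
    originating inside the LAN (these would cut your own hosts off). Inbound
    alerts from outside sources are never candidates, however noisy."""
    out = []
    for (gid, sid), s in sorted(stats.items(), key=lambda kv: -kv[1]["hits"]):
        if s["hits"] < min_hits or s["external_srcs"] or not s["internal_srcs"]:
            continue
        out.append({"gid": gid, "sid": sid, "hits": s["hits"],
                    "signature": s["signature"], "category": s["category"],
                    "sources": sorted(s["internal_srcs"])})
    return out


def threshold_config_lines(candidates):
    """Render Suricata threshold.config 'suppress' entries, each preceded by a
    comment line so the reviewer can see why it is there."""
    lines = []
    for c in candidates:
        lines.append(f"# {c['signature']}: {c['hits']} hits from {len(c['sources'])} LAN host(s)")
        if len(c["sources"]) == 1:
            # One host responsible: suppress only for it, keep the rule for everyone else.
            lines.append(f"suppress gen_id {c['gid']}, sig_id {c['sid']}, track by_src, ip {c['sources'][0]}")
        else:
            # Fires across the LAN: probably a policy rule to disable outright; review first.
            lines.append(f"suppress gen_id {c['gid']}, sig_id {c['sid']}")
    return lines


if __name__ == "__main__":
    stats = tally_by_signature(parse_alerts(SAMPLE_EVE))
    print("\n".join(threshold_config_lines(suppression_candidates(stats))))
```

Point it at the real log with `parse_alerts(open("/var/log/suricata/.../eve.json").read())` once the alert-only period is over; anything it proposes to suppress for the whole LAN deserves a look at the rule text first, since a category that fires on every host can be either harmless policy noise or the one thing you wanted the IDS to catch.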
                        darkarn

                        @dreamslacker:

                        1. As long as you are not trying to use powerline adapters. Those things are horrendous in practical use despite the marketing claims. I only deploy these as a pure last ditch effort - for customers who rent and can't run structured cabling or get any decent wireless connection.

                        2. For strict firewalling/ NAT/ traffic shaping, even a C2D would suffice for a 1 Gbps connection. Running the Q6600 is sufficient but it's horrendously power inefficient compared to the current offerings.

                        3. When setting up Snort or Suricata, you should not enable blocking initially. Monitor the flags and logs over a period of at least a fortnight to determine what rules and/ or categories you need to disable before you enable the blocking mode.

                        4. Starhub is replacing the coax based units with IPTV. Their 20 year lease on the coax infrastructure is coming to an end. New subscribers are now forced to use IPTV provisioned over fibre. As are any old subscribers who need to replace their STB.

                        5. I work for an SI. In short, I'm the bao kar liao guy for technical there.

                        1. I have no choice though; had to put my AC66U in the center part of the house for proper coverage but not allowed to do an Ethernet drop

                        2. That's why I'm looking around, especially when there are much more powerful CPUs for much lower power consumption

                        3. Thanks for the tip, I will try this out

                        4. Whoa, thanks, I will keep a look out for this issue too

                        5. Sorry, what's an SI?

                          VAMike

                          @darkarn:

                          Hmm I don't know; I just noticed that an old integrated Atheros NIC can be easily beaten by an Intel NIC on a PCIe card in transferring stuff to and back from a NAS

                          I can't sustain a gigabit on my old 3c905 either, which has exactly zero relevance to whether no current realtek or broadcom chipset can achieve more than 70MB/s. That claim is easily disproven and utter nonsense. (Just as ridiculous is continuing the meme that every "realtek" is the same any more than every "intel" is the same. If someone wants to talk about NICs at the very least specify a chipset.)

                            dreamslacker

                            @darkarn:

                            1. I have no choice though; had to put my AC66U in the center part of the house for proper coverage but not allowed to do an Ethernet drop

                            2. That's why I'm looking around, especially when there are much more powerful CPUs for much lower power consumption

                            3. Thanks for the tip, I will try this out

                            4. Whoa, thanks, I will keep a look out for this issue too

                            5. Sorry, what's an SI?

                            1. Wife/ Parents acceptance factor? If so, tough luck.

                            2. I'd just go for the Core i3 Skylake in a Mini-ITX and add on an Intel PCI-e network adapter.

                            3. Systems Integrator. Except in my case, we do practically everything with the sole exception of programming. The running joke has been that if it runs on electricity, we can do it or find someone to do it. Even had a case where we sold and installed replacement batteries for our customer's van.

                              darkarn

                              @VAMike:

                              I can't sustain a gigabit on my old 3c905 either, which has exactly zero relevance to whether no current realtek or broadcom chipset can achieve more than 70MB/s. That claim is easily disproven and utter nonsense. (Just as ridiculous is continuing the meme that every "realtek" is the same any more than every "intel" is the same. If someone wants to talk about NICs at the very least specify a chipset.)

                              That 3c905 reminds me of an old Realtek PCI NIC I saw in one of my friends' PCs!

                              @dreamslacker:

                              1. Wife/ Parents acceptance factor? If so, tough luck.

                              2. I'd just go for the Core i3 Skylake in a Mini-ITX and add on an Intel PCI-e network adapter.

                              3. Systems Integrator. Except in my case, we do practically everything with the sole exception of programming. The running joke has been that if it runs on electricity, we can do it or find someone to do it. Even had a case where we sold and installed replacement batteries for our customer's van.

                              1. Yep, my parents lol

                              2. I have actually specced up two different i3 builds but using micro-ATX instead. I may want to wait until next month due to Kaby Lake though

                              5. Ah I see, and whoa, I didn't know it's possible for an IT company to do auto repair work too lol

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.